Re: [Freeipa-users] Shadow Utils appears in sssd.conf

2016-11-16 Thread Jakub Hrozek
On Wed, Nov 16, 2016 at 09:39:05AM +0100, Lukas Slebodnik wrote: > On (16/11/16 11:46), Lachlan Musicman wrote: > >I don't know what I've done wrong, but when I use ipa-client-install on a > >new host to add to my one way trust domain, I now have a > >[domain/shadowutils] stanza. > > > >This first

Re: [Freeipa-users] Rhel 7 client enroll to Rhel 6 IPA server

2016-11-16 Thread Jakub Hrozek
On Wed, Nov 16, 2016 at 09:56:59AM -0700, Sean Hogan wrote: > [root@server1 read]# kinit -kt /etc/krb5.keytab host/server1.ipa.local > kinit: Program lacks support for encryption type while getting initial > credentials OK, now there's at least the same error from kinit as sssd is generating. Can

Re: [Freeipa-users] Is there an simple way to add in sudo time window options in FreeIPA?

2016-11-20 Thread Jakub Hrozek
> On 18 Nov 2016, at 19:12, Robert Kleinberg wrote: > > Would like to establish valid sudo usage windows with sudonotbefore and > sudonotafter options. However, I did not see an easy way to set this up > other than via an sudo options text entry line. Is there another menu-driven > way that

Re: [Freeipa-users] AD Trust users not resolving on clients: ipa_get_*_acct request failed

2016-11-23 Thread Jakub Hrozek
On Wed, Nov 23, 2016 at 05:58:58PM +1100, Robert Sturrock wrote: > Hi All. > > I’m having a problem getting trust users to resolve on *any* IPA client (this > _was_ working well and I’m not sure what’s changed that may have caused it to > start failing - although we have recently updated to IPA

Re: [Freeipa-users] mount lookup failure getautomntent_r

2016-11-27 Thread Jakub Hrozek
> On 27 Nov 2016, at 18:31, William Muriithi wrote: > > Hello, > > I have noticed an error that pops up as the final line after running > this command "automount -m". I suspect it's related to selinux, but haven't seen how > to fix it from the google search this morning. > > I have autofs map

Re: [Freeipa-users] mount lookup failure getautomntent_r

2016-11-28 Thread Jakub Hrozek
On Sun, Nov 27, 2016 at 05:34:20PM -0500, William Muriithi wrote: > Jakub, > > Thanks for response > On 27 November 2016 at 15:43, Jakub Hrozek wrote: > > > >> > >> I have noticed an error that pop up as the final line after running > > >> lookup

Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

2016-12-07 Thread Jakub Hrozek
On Wed, Dec 07, 2016 at 06:19:06PM +, James Harrison wrote: > Hi all, > > I am trying to authenticate an ubuntu Precise (12.06) fully patched system. > Its enrolled into a FreeIPA server. The following trace is the output of > syslog auth sssd/*.log and full debug (-ddd) from the sshd servic

Re: [Freeipa-users] How to implement sudo rules

2016-12-18 Thread Jakub Hrozek
I hope this helps pinpoint the issue: https://fedorahosted.org/sssd/wiki/HOWTO_Troubleshoot_SUDO > On 18 Dec 2016, at 10:04, Ben .T.George wrote: > > Hi List, > > please help me to implement sudo rules. > > I have done the below steps an

Re: [Freeipa-users] Sudo rule implementation

2016-12-20 Thread Jakub Hrozek
On Tue, Dec 20, 2016 at 01:19:15PM +0300, Ben .T.George wrote: > Hi List, > > please help me to implement sudo rules. > > I have done the below steps and it is still not working for me. > > 1. created "Sudo Command Groups" > 2. Added some command (/bin/yum) and included in sudo group > 3. created "sudo Rul

Re: [Freeipa-users] Upgrade to 4.4.0 Breaks login.

2016-12-23 Thread Jakub Hrozek
On Thu, Dec 22, 2016 at 08:38:38PM -0500, Dan Kemp wrote: > Hello, > > I recently ran an upgrade of my freeipa servers, and most of the clients to > 4.4.0 (Current with CentOS 7 repos) from version 4.2.0. After the install > and server update, I can no longer log in to update clients via ssh. Logi

Re: [Freeipa-users] replica running trust-agents can't resolve AD users - which of these sssd errors should I be focusing on?

2016-12-23 Thread Jakub Hrozek
On Thu, Dec 22, 2016 at 11:34:01PM +0200, Alexander Bokovoy wrote: > On Thu, 22 Dec 2016, Chris Dagdigian wrote: > > Hi folks, > > > > Summary: Replica w/ Trust agents can't resolve AD users. Not sure which > > debug_level=log error I should focus on. Would appreciate extra eyeballs > > on this

Re: [Freeipa-users] Unable to sudo with just one user on only a few servers

2017-01-02 Thread Jakub Hrozek
On Sat, Dec 31, 2016 at 07:43:20AM +, pgb205 wrote: > I have followed the troubleshooting procedure outlined here: Troubleshooting - > FreeIPA > > Additionally I

Re: [Freeipa-users] Any good CLI methods for testing connectivity from IPA replica to remote AD servers?

2017-01-02 Thread Jakub Hrozek
On Wed, Dec 28, 2016 at 08:52:41AM -0500, Chris Dagdigian wrote: > > Hi folks, > > I may have network blocks between one of my IPA replicas and the *many* > remote AD servers that need to be queried but I can only see evidence of > this in the authentication failures and the debug level logging.

Re: [Freeipa-users] Unable to resolve AD users from IPA clients

2017-01-03 Thread Jakub Hrozek
On Tue, Jan 03, 2017 at 03:39:19PM +0100, Jan Karásek wrote: > Hi, > > I have trouble with resolving AD users from my IPA clients. > > Environment: 2x IPA server with trust into AD - both IPA servers and clients > running latest rhel 7.3. > > IPA domain: vs.example.com > AD domain: example.

Re: [Freeipa-users] Unable to resolve AD users from IPA clients

2017-01-05 Thread Jakub Hrozek
On Wed, Jan 04, 2017 at 04:19:04PM +0100, Jan Karásek wrote: > Hi, > thank you for help. > > I have tried to add > > subdomain_inherit = ignore_group_members > ignore_group_members = True > > into sssd.conf on server but problem still persists. > > >By the way, did you install 7.3 cleanly

Re: [Freeipa-users] FreeIPA sudo not working on Ubuntu xenial sssd version 1.13.4-1ubuntu1.1

2017-01-05 Thread Jakub Hrozek
On Thu, Jan 05, 2017 at 01:36:56PM +, James Harrison wrote: > Hi all, I'm having problems with a FreeIPA client running Ubuntu Xenial. > I can authenticate OK, I get a kerberos ticket, but cannot run sudo. > I get 1 rule returned, which I expect. > Many thanks, James Harrison I would check if (wit

Re: [Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

2017-01-06 Thread Jakub Hrozek
On Fri, Jan 06, 2017 at 09:01:12AM -0500, Andy Brittingham wrote: > Hi, > > I upgraded my Freeipa servers to 4.4.0-14 on CentOS 7 yesterday. None of my > Ubuntu clients with versions < 16.04 (sssd version 1.13.4) can authenticate > against the upgraded servers. It appears the problem is the versio

Re: [Freeipa-users] freeipa 4.4.0 and Ubuntu 14.04

2017-01-09 Thread Jakub Hrozek
On Fri, Jan 06, 2017 at 11:48:07AM -0500, Andy Brittingham wrote: > Sorry for the delay, was doing some troubleshooting. > > Here is what I know now: > > The problem is on Ubuntu hosts using older sssd versions 1.11.8 (Ubuntu > 14.04). > > SSSD versions 1.13.4 (Ubuntu 16.04) and 1.13.3 (CentOS 6

Re: [Freeipa-users] ipa_server and ipa_backup_server failover time

2017-01-09 Thread Jakub Hrozek
On Mon, Jan 09, 2017 at 03:29:54PM +0800, Matrix wrote: > Hi, all > > > The purpose of this email is to know more about timeout ipa server failover. > > > Env: > # rpm -qa | grep sssd > sssd-krb5-common-1.13.0-40.el7_2.12.x86_64 > python-sssdconfig-1.13.0-40.el7_2.12.noarch > sssd-ipa-1.13.0-

Re: [Freeipa-users] Kerberos Clock Skew too great

2017-01-09 Thread Jakub Hrozek
On Mon, Jan 09, 2017 at 01:07:06PM +0530, Rakesh Rajasekharan wrote: > Hi, > > I am using a Freeipa 4.2.0 server. > > I sometimes see, "clock skew too great" errors in /var/log/krb5kdc.log. And > when this happens, usually logins or new ipa-client-install fails. > > When I checked on one of the

Re: [Freeipa-users] Kerberos Clock Skew too great

2017-01-09 Thread Jakub Hrozek
ll whats the offset limit its actually looking for. Sorry, I'm a bit out of my depth here, the only other suggestion I have is to try kinit with KRB5_TRACE=/dev/stderr when that happens, which should at least dump which KDC is the client talking to (if you have multiple masters..) > >

Re: [Freeipa-users] ipa_server and ipa_backup_server failover time

2017-01-09 Thread Jakub Hrozek
(please keep CC-ing the list..) On Mon, Jan 09, 2017 at 04:39:04PM +0800, Matrix wrote: > Sorry, i did not trigger authentication at all. Just to check sssd logs. > around 15 minutes later, I saw below messages shown: > > (Mon Jan 9 01:46:35 2017) [sssd[be[fwmrm.net]]] [fo_set_port_status] > (

Re: [Freeipa-users] sssd doesn't cache, as it seems

2017-01-21 Thread Jakub Hrozek
> On 21 Jan 2017, at 06:46, Harald Dunkel wrote: > > On 01/20/17 18:42, Simo Sorce wrote: >> >> Is your server being used for authentication ? >> SSSD, by default, always refreshes user credentials on authentication, >> but you can use the cached_auth_timeout setting to relax this >> requiremen

Re: [Freeipa-users] sudo sometimes doesn't work

2017-01-30 Thread Jakub Hrozek
On Fri, Jan 27, 2017 at 02:15:16PM -0700, Orion Poplawski wrote: > EL7.3 > Users are in active directory via AD trust with IPA server > > sudo is configured via files - users in our default "nwra" group can run > certain sudo commands, e.g.: > > Cmnd_Alias WAKEUP = /sbin/ether-wake * > %nwra,%vis

Re: [Freeipa-users] ipa-client-install fails on replica because of kinit cannot contact any KDC

2014-04-08 Thread Jakub Hrozek
On Tue, Apr 08, 2014 at 05:22:46PM -0700, Shree wrote: > Not sure if anyone read my last reply. I was still not having any luck. > Anyway, I found the file which was causing it to contact the old IP address > just a few minutes ago. Thought I would share with you in case someone else > may need it

Re: [Freeipa-users] FreeIPA + Foreman 1.5

2014-04-28 Thread Jakub Hrozek
On Fri, Apr 25, 2014 at 04:16:11AM -0400, Stephen Benjamin wrote: > - Original Message - > > From: "Jan Cholasta" > > To: "Martin Kosek" , d...@redhat.com, "Stephen Benjamin" > > > > Cc: freeipa-users@redhat.com > > Sent: Friday, April 25, 2014 9:44:37 AM > > Subject: Re: [Freeipa-users]

Re: [Freeipa-users] FreeIPA + Foreman 1.5

2014-04-28 Thread Jakub Hrozek
On Mon, Apr 28, 2014 at 05:23:18AM -0400, Stephen Benjamin wrote: > > > - Original Message - > > From: "Jakub Hrozek" > > To: freeipa-users@redhat.com > > Sent: Monday, April 28, 2014 10:55:16 AM > > Subject: Re: [Freeipa-users] FreeIPA + Fore

Re: [Freeipa-users] sudorules - allow all and exclude some

2014-05-07 Thread Jakub Hrozek
On Wed, May 07, 2014 at 10:31:12AM +0200, Szymon Jazy wrote: > Hello, > Is there a proper way in sudo rules to allow any command and exclude only > some groups? > Something like: > %test_group ALL=(ALL) ALL, !SU, !SHELLS > If I try to do this (gui/cli) I get an error: > ipa: ERROR: comman

Re: [Freeipa-users] sudorules - allow all and exclude some

2014-05-07 Thread Jakub Hrozek
On Wed, May 07, 2014 at 11:17:54AM +0200, Jakub Hrozek wrote: > On Wed, May 07, 2014 at 10:31:12AM +0200, Szymon Jazy wrote: > > Hello, > > Is there a proper way in sudo rules to allow any command and exclude only > > some groups? > > Something like: > > %test_g

Re: [Freeipa-users] DNS SOA Records

2014-05-15 Thread Jakub Hrozek
On Wed, May 14, 2014 at 10:57:04AM +0200, Petr Spacek wrote: > On 13.5.2014 21:32, Dmitri Pal wrote: > >On 05/13/2014 02:12 PM, Bob wrote: > >>I ran > >> > >>ipa dnszone-mod vh1.vzwnet.com > >>--update-policy="grant bob-key name test.vh1.vzwnet.com.;" > >> > >>I then execute

Re: [Freeipa-users] AD trust showing offline after reboot

2014-05-15 Thread Jakub Hrozek
On Thu, May 15, 2014 at 12:51:13PM +0530, Supratik Goswami wrote: > Hi > > I followed the instructions mentioned in > http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup to configure AD > trust with IPA server. > > I successfully established the trust and also able to list all AD users but > a

Re: [Freeipa-users] AD trust showing offline after reboot

2014-05-15 Thread Jakub Hrozek
On Thu, May 15, 2014 at 02:40:57PM +0530, Supratik Goswami wrote: > Also, when I am running " wbinfo -n 'AD\Domain Admins' " I am getting the > below error. > > [root@master packages]# wbinfo -n 'AD\Domain Admins' > failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND > Could not lookup name AD\

Re: [Freeipa-users] openldap certs?

2014-05-22 Thread Jakub Hrozek
On Thu, May 22, 2014 at 10:36:45AM -0400, Bret Wortman wrote: > I found that our slower system was using FQDNs for the list of IPA > servers; our faster system was using IPs. I'm switching now, letting > Puppet distribute the update and will see if it helps. > > By enumeration, do you mean are we

Re: [Freeipa-users] openldap certs?

2014-05-22 Thread Jakub Hrozek
On Thu, May 22, 2014 at 11:16:57AM -0400, Bret Wortman wrote: > It doesn't seem to have helped -- we're still pretty slow even with > IP addresses in sssd.conf. Yes, I would expect the performance to be still slow, because when you perform authentication, the user information is always refreshed f

Re: [Freeipa-users] Why would /etc/passwd get skipped?

2014-05-22 Thread Jakub Hrozek
On Thu, May 22, 2014 at 01:22:28PM -0400, Bret Wortman wrote: > Yep, that initgroups change had the same effect as shutting down > sssd, but without inconveniencing all the IPA-only users. > > The problem in this particular case was made worse by a lot of > network latency, but even on network seg

Re: [Freeipa-users] LDAP/SSSD/IPA performance

2014-05-23 Thread Jakub Hrozek
On Fri, May 23, 2014 at 09:48:00AM -0400, Bret Wortman wrote: > More soft/anecdotal: > > When executing "sudo -i" or "sudo -iu" the first time, we can expect > a several second delay before the command completes. If we then exit > the session and re-execute the command, it will complete almost > i

Re: [Freeipa-users] LDAP/SSSD/IPA performance

2014-05-23 Thread Jakub Hrozek
On Fri, May 23, 2014 at 04:03:44PM +0200, Jakub Hrozek wrote: > On Fri, May 23, 2014 at 09:48:00AM -0400, Bret Wortman wrote: > > More soft/anecdotal: > > > > When executing "sudo -i" or "sudo -iu" the first time, we can expect > > a several second

Re: [Freeipa-users] LDAP/SSSD/IPA performance

2014-05-28 Thread Jakub Hrozek
On Tue, May 27, 2014 at 07:34:58PM -0400, Bret Wortman wrote: > No problem. We forced a reinstallation of openldap, which helped. Pam login > is still slow but sudo isn't. We'll keep chipping away at it. As said earlier in the thread, logs might be the best way to move this forward. __

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-27 Thread Jakub Hrozek
On Thu, Jun 26, 2014 at 06:42:37PM -0400, Simo Sorce wrote: > On Thu, 2014-06-26 at 22:02 +, Nordgren, Bryce L -FS wrote: > > > The reason is that rpcidmapd` does not parse fully-qualified usernames > > > so"adt...@ad.example.org@IPA.EXAMPLE.ORG" does not work. > > > > If someone can educate m

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-06-29 Thread Jakub Hrozek
On 27 Jun 2014, at 22:22, Nordgren, Bryce L -FS wrote: > >> Would the idmap sss module we have on the list pending review help here? > > My read of the design page suggests that the plugin is 66% of a solution. > There are three types of identities which need to be related: > > * local machi

Re: [Freeipa-users] IPA Service Restart causes clients to stop working

2014-07-07 Thread Jakub Hrozek
On Mon, Jul 07, 2014 at 11:36:26AM -0400, John Moyer wrote: > Hello All, > > Some of the services in IPA stopped responding and I restarted the > service (as I couldn't login to the website or via ssh to any registered > hosts). After the restart I could login to the web app, but still no >

Re: [Freeipa-users] IPA Service Restart causes clients to stop working

2014-07-07 Thread Jakub Hrozek
> chpass_provider = ipa > ipa_server = _srv_, server1.digitalreasoning.com > dns_discovery_domain = digitalreasoning.com > [sssd] > services = nss, pam, ssh > config_file_version = 2 > > domains = digitalreasoning.com > [nss] > > [pam] > > [sudo] > > [autofs] >

Re: [Freeipa-users] IPA Service Restart causes clients to stop working

2014-07-07 Thread Jakub Hrozek
tart sssd on every > VM manually. Hello Bruno, see my reply to John, if you can capture the sssd logs, that would be very welcome in tracking down the problem. > > - Mensagem original - > > De: "John Moyer" > Para: "Jakub Hrozek" , freeipa-us

Re: [Freeipa-users] Trusts with Windows Server 2003

2014-07-14 Thread Jakub Hrozek
On Fri, Jul 11, 2014 at 05:22:59PM -0300, tizo wrote: > On Fri, Jul 11, 2014 at 4:54 PM, Dmitri Pal wrote: > > > On 07/11/2014 03:27 PM, tizo wrote: > > > > > > On Fri, Jul 4, 2014 at 5:09 PM, tizo wrote: > > > >> I have seen in > >> http://www.freeipa.org/page/Howto/IPAv3_AD_trust_setup#Trus

Re: [Freeipa-users] Trusts with Windows Server 2003

2014-07-15 Thread Jakub Hrozek
On Mon, Jul 14, 2014 at 02:02:16PM -0300, tizo wrote: > On Mon, Jul 14, 2014 at 5:57 AM, Jakub Hrozek wrote: > > > On Fri, Jul 11, 2014 at 05:22:59PM -0300, tizo wrote: > > > On Fri, Jul 11, 2014 at 4:54 PM, Dmitri Pal wrote: > > > > > >

Re: [Freeipa-users] Trusts with Windows Server 2003

2014-07-15 Thread Jakub Hrozek
On Tue, Jul 15, 2014 at 11:04:23AM -0300, tizo wrote: > On Tue, Jul 15, 2014 at 7:16 AM, Jakub Hrozek wrote: > > > On Mon, Jul 14, 2014 at 02:02:16PM -0300, tizo wrote: > > > On Mon, Jul 14, 2014 at 5:57 AM, Jakub Hrozek > > wrote: > > > > > > >

Re: [Freeipa-users] IPA+AD trust and NFS nobody issue

2014-07-15 Thread Jakub Hrozek
On 16 Jul 2014, at 03:29, Parsons, Aron wrote: > I ran into this issue last fall and have been running with a patched > libnfsidmap since November while our support case with Red Hat waits on a > resolution (pretty much have given up hope at this point). It's a trivial > patch and removes th

Re: [Freeipa-users] passwords expiration against IPA v.3.0.0-37 using ldap not kerberos

2014-07-21 Thread Jakub Hrozek
On Fri, Jul 18, 2014 at 11:22:05AM -0400, Lance Reed wrote: > I am having a problem with sssd (1.9.2) and passwords expiration > against IPA v.3.0.0-37. > > I have setup sssd to use IPA with LDAP not Kerberos since this is in > EC2 and I don’t want to deal with assigning tickets to each ephemeral

Re: [Freeipa-users] FC20 maps GECOS to display name?

2014-07-22 Thread Jakub Hrozek
source field for LDAP > user display name mapping in FC20 (for gnome)? > > > Kind regards, > > Will Sheldon Hi, I think GDM behaves correctly, the semantics of GECOS is usually "the real name", so for me, GDM shows "Jakub Hrozek". If you override GECOS

Re: [Freeipa-users] SSSD and Autofs

2014-07-24 Thread Jakub Hrozek
On Wed, Jul 23, 2014 at 11:45:28PM +0200, James James wrote: > Hi guys, I've been struggling for a while to make sssd work with autofs. > I have a freeipa server that serves maps. When a client is enrolled and I > run in a terminal > > root@host ~# ipa-client-automount -U > > everything is ok

Re: [Freeipa-users] SSSD and Autofs

2014-07-24 Thread Jakub Hrozek
On Thu, Jul 24, 2014 at 10:48:44AM +0200, James James wrote: > The problem is solved. > > I had to explicitly provide the location in the ipa-client-automount > command like this: > > ipa-client-automount --server=ipa.lix.polytechnique.fr --location=server1 -U Ah, yes, the default location for

Re: [Freeipa-users] id: cannot find name for group ID

2014-07-25 Thread Jakub Hrozek
On Fri, Jul 25, 2014 at 10:54:20AM -0400, Mark Heslin wrote: > I rebooted both IdM servers, client about an hour before - maybe the client > had old cache entries? Yes, I actually suspect the client was offline for one reason or another and was not actually online, just using the cached data... >

Re: [Freeipa-users] SSSD startup failures on ipa clients

2014-07-28 Thread Jakub Hrozek
On Sun, Jul 27, 2014 at 10:42:34PM -0400, Mark Heslin wrote: > Folks, > > I just stumbled on an odd issue. I have an OpenShift deployment with 2 > brokers, 2 nodes, 1 rhc client > all running RHEL 6.5. I also have 2 IPA servers (1 server, 1 replica), 1 IPA > admin (tools) client all running RHEL 7

Re: [Freeipa-users] SSSD startup failures on ipa clients

2014-07-28 Thread Jakub Hrozek
On Mon, Jul 28, 2014 at 07:28:22AM -0400, Mark Heslin wrote: > Hi Jakub, > > I've added the output of 'sssd -i -d4' below: > > On 07/28/2014 03:39 AM, Jakub Hrozek wrote: > >On Sun, Jul 27, 2014 at 10:42:34PM -0400, Mark Heslin wrote: > >>Folks, >

Re: [Freeipa-users] SSSD startup failures on ipa clients

2014-07-28 Thread Jakub Hrozek
On Mon, Jul 28, 2014 at 08:28:01AM -0400, Mark Heslin wrote: > On 07/28/2014 07:33 AM, Jakub Hrozek wrote: > >On Mon, Jul 28, 2014 at 07:28:22AM -0400, Mark Heslin wrote: > >>Hi Jakub, > >> > >>I've added the output of 'sssd -i -d4' below:

Re: [Freeipa-users] SSSD startup failures on ipa clients

2014-07-28 Thread Jakub Hrozek
On Mon, Jul 28, 2014 at 08:28:01AM -0400, Mark Heslin wrote: > # ll /usr/libexec/sssd/sssd_be > -rwxr-xr-x. 1 root root 577480 Dec 19 2013 /usr/libexec/sssd/sssd_be btw this might be more useful: $ ldd /usr/libexec/sssd/sssd_be | grep cares libcares.so.2 => /lib64/libcares.so.2 (0x7ff

Re: [Freeipa-users] SSSD startup failures on ipa clients

2014-07-28 Thread Jakub Hrozek
On Mon, Jul 28, 2014 at 09:02:17AM -0400, Mark Heslin wrote: > Hi Jakub, > > (Top posting to save scrolling). > > Success. It looks like the c-ares package was not installed during > ipa-client install: > ># rpm -qV c-ares >package c-ares is not installed ># yum reinstall c-ares >

Re: [Freeipa-users] Local users/groups to IPA Transition

2014-07-31 Thread Jakub Hrozek
On Thu, Jul 31, 2014 at 03:23:50PM +, Nordgren, Bryce L -FS wrote: > > > Well, the users are definitely going to be in IPA (or AD via IPA). However, > > they *will* exist in both IPA and locally during the migration period. If > > they > > have the same UID/GIDs in both places (local and IP

Re: [Freeipa-users] Users not inheriting groups

2014-08-01 Thread Jakub Hrozek
On Thu, Jul 31, 2014 at 03:42:43PM -0700, William Graboyes wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Hi List, > > I am running into some odd issues with IPA and users not inheriting > all groups they are a member of. > > I spent a lot of time nesting groups so that when we a

Re: [Freeipa-users] Users not inheriting groups

2014-08-04 Thread Jakub Hrozek
On Fri, Aug 01, 2014 at 10:58:14AM -0700, William Graboyes wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Thanks for your help, > > The group memberships are propagated properly on the server side: > > dn: uid=user,cn=users,cn=accounts,dc=cenic,dc=org > uid: user > givennam

Re: [Freeipa-users] Users not inheriting groups

2014-08-04 Thread Jakub Hrozek
On Mon, Aug 04, 2014 at 09:18:11AM +0200, Jakub Hrozek wrote: > On Fri, Aug 01, 2014 at 10:58:14AM -0700, William Graboyes wrote: > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA512 > > > > Thanks for your help, > > > > The group memberships are

Re: [Freeipa-users] Adding user created in IPA to end machine group

2014-08-10 Thread Jakub Hrozek
On Sun, Aug 10, 2014 at 12:40:49AM -0400, Dmitri Pal wrote: > On 07/25/2014 12:45 AM, Sanju A wrote: > >Dear All, > > > >Centralized authentication is working fine and we have a requirement to > >give privilege to users for configuring printer in their machines. For > >local users, they will get th

Re: [Freeipa-users] MinSSF suggestions?

2014-08-11 Thread Jakub Hrozek
On Mon, Aug 11, 2014 at 05:18:03PM +0300, Alexander Bokovoy wrote: > On Sat, 09 Aug 2014, Erinn Looney-Triggs wrote: > >-BEGIN PGP SIGNED MESSAGE- > >Hash: SHA256 > > > >It would seem to be prudent to set the minssf setting for 389 to 56, > >however I am wondering why this isn't done by def

Re: [Freeipa-users] mapping AD trust users to FreeIPA users for access to NFS w/ ACLs

2014-08-11 Thread Jakub Hrozek
On Mon, Aug 11, 2014 at 10:04:37PM +0300, Alexander Bokovoy wrote: > On Mon, 11 Aug 2014, Daniel Shown wrote: > >grumble grumble. > > > >Do you know a bug ID or something similar i can search on? FWIW, FreeIPA > >server is CentOS 6.5, but the client is Ubuntu 14. Hopefully that makes a > >fix easie

Re: [Freeipa-users] getting auth to work with just IPA LDAP

2014-08-13 Thread Jakub Hrozek
On Wed, Aug 13, 2014 at 07:23:43AM -0700, Kat wrote: > Hello fellow IPAers... > > Just wondering what I might be doing wrong. I have servers that just need to > auth to the LDAP username/PW portion of IPA since they can't do Kerberos > right now. > > What could I be missing -- I run the authconfi

Re: [Freeipa-users] [SOLVED] getting auth to work with just IPA LDAP

2014-08-14 Thread Jakub Hrozek
On Wed, Aug 13, 2014 at 06:28:35PM +0200, Jakub Hrozek wrote: > On Wed, Aug 13, 2014 at 07:23:43AM -0700, Kat wrote: > > Hello fellow IPAers... > > > > Just wondering what I might be doing wrong. I have servers that just need to > > auth to the LDAP username/PW portion

Re: [Freeipa-users] FreeIPA4 OTP vs PAM

2014-08-15 Thread Jakub Hrozek
On Thu, Aug 14, 2014 at 01:19:58PM -0700, Michael Lasevich wrote: > I did not dive into this yet, but before I waste too much time I wanted to > ask if centos 6.5 default ipa client expected to work with 2FA or not. No it's not, sorry. The 6.5 client is SSSD 1.9.x and there's a couple of fixes tha

Re: [Freeipa-users] users AD can not sudo in centos 6.5

2014-08-25 Thread Jakub Hrozek
On Mon, Aug 25, 2014 at 12:12:26PM +0200, Dmitri Pal wrote: > On 08/25/2014 12:01 PM, alireza baghery wrote: > >hi > >i integrated AD Windows 2008 R2 with IPA server (centos 6.5) > >i wrote a sudo policy and access for a specified user and host with allow > >any command. > >user can execute sudo in ce

Re: [Freeipa-users] sudo with freeIPA

2014-08-25 Thread Jakub Hrozek
On Mon, Aug 25, 2014 at 06:51:27AM -0400, Megan . wrote: > Good Morning, > > I'm very new to freeIPA. I'm running centOS 6.5 with freeIPA v3 > > I have the freeIPA server up but i'm working on getting SUDO > configured. Currently i'm having problems getting sudo commands to > work on the client

Re: [Freeipa-users] users AD can not sudo in centos 6.5

2014-08-25 Thread Jakub Hrozek
On Mon, Aug 25, 2014 at 01:58:41PM +0200, Jakub Hrozek wrote: > For sudo logs, something like: >Debug sudo /tmp/sudo_debug all@debug > Should produce pretty verbose logs Sorry, I should have said the Debug directive belongs to /etc/sudo.conf -- Manage your subscriptio

Re: [Freeipa-users] sudo with freeIPA

2014-08-25 Thread Jakub Hrozek
On Mon, Aug 25, 2014 at 08:02:02AM -0400, Megan . wrote: > Below is the output from the sss_.log when i ran the sudo > command as the user. I see things about offline replies and LDAP not > working. Is this my problem or is this part of a normal series of > items that are tried? > > > (Mon Aug

Re: [Freeipa-users] Custom kinit

2014-08-25 Thread Jakub Hrozek
On Mon, Aug 25, 2014 at 02:43:00PM +0200, Yago Fernández Pinilla wrote: > Hi, > > I would like to create a script in python that does the same as kinit, I > don't know where to start. Why do you need this? -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailm

Re: [Freeipa-users] sudo with freeIPA

2014-08-25 Thread Jakub Hrozek
On 25 Aug 2014, at 23:54, William Graboyes wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA512 > > Hi Megan, > > I had the same problem with CENTOS 6.5 and free-ipa. Megan had a different problem. We were able to get to the root cause in an off-list discussion, the ldap_sasl_authid pa

Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-08-28 Thread Jakub Hrozek
On Thu, Aug 28, 2014 at 02:15:43PM +0300, Tevfik Ceydeliler wrote: > > Hi, > I am trying to apply sudo policies on an Ubuntu client. > Are there any examples of how to apply it? > Regards... Depends on your sssd and sudo versions but in general I don't think there are any Ubuntu-specific issues. As long as y

Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-08-29 Thread Jakub Hrozek
up_search_base = ou=SUDOers,dc=ipa,dc=grp > sudo_provider = ldap > ldap_uri = ldap://srv.ipa.grp > krb5_server = srv.ipa.grp These options belong to the [domain] section, you put them into the [pac] section. > > When I try to use sudo: > > user1@clnt:~$ sudo -i user1 vi a

Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-08-29 Thread Jakub Hrozek
On Fri, Aug 29, 2014 at 01:15:28PM +0300, Tevfik Ceydeliler wrote: > > I moved these configuration lines under [domain] section. Then reboot the > client. But same result.. Please make sure libsss_sudo is installed. If it is, then we need to see the logs from the [sudo] and [domain] sections of s

Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-08-29 Thread Jakub Hrozek
n you'll have some logs. We only log critical failures by default. 6 is a good start for the log level usually. > > On 29-08-2014 14:23, Jakub Hrozek wrote: > >On Fri, Aug 29, 2014 at 01:15:28PM +0300, Tevfik Ceydeliler wrote: > >>I moved these configuration lines under
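The two points made in this thread (the sudo options only take effect under a [domain/...] section, not [pac], and nothing beyond critical failures is logged until debug_level is set, 6 being the usual starting point for [sudo] and the domain section) lend themselves to a small lint. The following is an added example for this archive, not SSSD or FreeIPA code: the list of domain-only options is taken from the fragment quoted above and is an assumption about which options SSSD ignores elsewhere, the sample sssd.conf is constructed to mirror that fragment, and the helper names are hypothetical.

```python
"""Check an sssd.conf for the sudo mistakes discussed in this thread.

Added example, not SSSD or FreeIPA code. Assumptions, taken from the replies:
  * ldap_sudo_search_base, sudo_provider, ldap_uri and krb5_server are
    [domain/NAME] options; SSSD ignores them in a service section like [pac].
  * Only critical failures are logged unless debug_level is set; 6 is the
    usual starting point for the [sudo] and [domain/NAME] sections.
The sample below is constructed to mirror the misplaced fragment in the thread.
"""
import configparser
import sys

# Options honoured only inside a [domain/NAME] section (assumption, see above).
DOMAIN_ONLY = {"ldap_sudo_search_base", "sudo_provider", "ldap_uri", "krb5_server"}

# Constructed sample: sudo options were put under [pac] instead of [domain/ipa.grp].
SAMPLE_CONF = """
[sssd]
services = nss, pam, sudo
domains = ipa.grp

[domain/ipa.grp]
id_provider = ipa
ipa_server = srv.ipa.grp
krb5_realm = IPA.GRP

[pac]
ldap_sudo_search_base = ou=SUDOers,dc=ipa,dc=grp
sudo_provider = ldap
ldap_uri = ldap://srv.ipa.grp
krb5_server = srv.ipa.grp

[sudo]
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text; keep option names case-sensitive, no interpolation."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def domain_sections(cp):
    return [s for s in cp.sections() if s.startswith("domain/")]


def misplaced_options(cp):
    """(section, option) pairs where a domain-only option sits outside [domain/...]."""
    return [(s, o) for s in cp.sections() if not s.startswith("domain/")
            for o in cp.options(s) if o in DOMAIN_ONLY]


def sections_without_debug_level(cp):
    """Sections that need a debug_level when troubleshooting sudo: [sudo] and each domain."""
    wanted = ["sudo"] + domain_sections(cp)
    return [s for s in wanted
            if not cp.has_section(s) or not cp.has_option(s, "debug_level")]


def relocate_misplaced(cp, domain, level=6):
    """Move misplaced options into `domain`; add debug_level to [sudo] and `domain`.

    Mutates cp in place and returns the names of the options moved.
    """
    moved = []
    for section, option in misplaced_options(cp):
        cp.set(domain, option, cp.get(section, option))
        cp.remove_option(section, option)
        moved.append(option)
    for section in ("sudo", domain):
        if not cp.has_section(section):
            cp.add_section(section)
        if not cp.has_option(section, "debug_level"):
            cp.set(section, "debug_level", str(level))
    return moved


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_CONF)
    for section, option in misplaced_options(conf):
        print(f"{option} is in [{section}] but only works in a [domain/...] section")
    for section in sections_without_debug_level(conf):
        print(f"[{section}] has no debug_level; only critical failures will be logged")
    relocate_misplaced(conf, "domain/ipa.grp")
    conf.write(sys.stdout)  # the corrected configuration
```

Run against a real file with `parse_sssd_conf(open("/etc/sssd/sssd.conf").read())`; the check is read-only until `relocate_misplaced` is called, and the rewritten text is printed rather than written back so the usual permissions on sssd.conf (root-only, mode 0600) are not touched by the example.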

Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-08-29 Thread Jakub Hrozek
On Fri, Aug 29, 2014 at 03:07:08PM +0200, Jakub Hrozek wrote: > On Fri, Aug 29, 2014 at 03:45:38PM +0300, Tevfik Ceydeliler wrote: > > > > this package is installed > > > > root@clnt:/home/awtadm# apt-get install libsss-sudo > > Reading package lists...

Re: [Freeipa-users] IPA, Multiple Backends

2014-08-29 Thread Jakub Hrozek
On 29 Aug 2014, at 18:33, Kyle Flavin wrote: > I'm doing some testing to integrate FreeIPA into my environment. I need to > setup two domains in sssd.conf; One is my fresh install of IPA, and the other > is our legacy LDAP environment. > > I want to use IPA for ssh logins to servers. I want

Re: [Freeipa-users] IPuser can't authenticated with sssd

2014-08-31 Thread Jakub Hrozek
On Fri, Aug 29, 2014 at 08:05:16PM +0200, Dmitri Pal wrote: > On 08/29/2014 06:06 PM, mohammad sereshki wrote: > >Hi > >I have configured IPA (ipa-client-2.1.3-7.el5) but the problem is that I can > >connect with kerberos from another client but I can't login to the client > >directly and I get the below er

Re: [Freeipa-users] How to use sudo rules on ubuntu

2014-09-01 Thread Jakub Hrozek
On Mon, Sep 01, 2014 at 12:20:21PM +0300, Alexander Bokovoy wrote: > On Mon, 01 Sep 2014, Tevfik Ceydeliler wrote: > > > >libsss-sudo already installed. > >Here is my sssd.conf: > >[domain/ipa.grp] > >krb5_realm = IPA.GRP > >cache_credentials = True > >krb5_store_password_if_offline = True > >ipa_d

Re: [Freeipa-users] FreeIPA, SSSD, sudo and Local Users

2014-09-11 Thread Jakub Hrozek
On Wed, Sep 10, 2014 at 09:58:27PM +, Trevor T Kates (Services - 6) wrote: > Hi all: > > I'm using FreeIPA 3.0 under CentOS 6.5 and I'm trying to solve a bit of a > quirky > problem. From what I've read thus far, sudo under SSSD can't provide sudo > rules > for local users that are not part

Re: [Freeipa-users] Compat tree and group membership in a trust environment

2014-09-23 Thread Jakub Hrozek
On Tue, Sep 23, 2014 at 11:05:31AM -0430, Loris Santamaria wrote: > Querying for group membership in the compat tree within a trust > environment seems to be rather flaky: > > * userA and userB are members of admins@ad. admins@ad is member of > internet_access@ad > * internet_a

Re: [Freeipa-users] Config applied to SSSd

2014-10-06 Thread Jakub Hrozek
On Mon, Oct 06, 2014 at 10:09:51AM +, Adam Bishop wrote: > ipa-client-install on RHEL6-ish distros configures SSSd as follows: > > [domain/MYDOMAIN] > > ... > ipa_server = _srv_, ldap01.my.domain > ... > > The man page isn't too clear on what this value is used for (or h

Re: [Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

2014-10-13 Thread Jakub Hrozek
On Mon, Oct 13, 2014 at 10:10:12PM +0400, Орхан Касумов wrote: > Good day to everybody. > There's a post on how to make a FreeBSD client work with a FreeIPA server: > https://forums.freebsd.org/viewtopic.php?f=39&t=46526&p=260146#p260146 > For some reason the instructions in that post don't le

Re: [Freeipa-users] Inconsistent group memberships in sssd

2014-10-24 Thread Jakub Hrozek
On Thu, Oct 23, 2014 at 05:19:38PM -0700, Michael Lasevich wrote: > Small update, it appears that once I run "getent group " - my > user shows up in the group . Odd. > > (and yes, I have ran "sss_cache -UG" many a time) > > -M One particular change in IPA 4.x that might be giving old clients hea

Re: [Freeipa-users] Inconsistent group memberships in sssd

2014-10-27 Thread Jakub Hrozek
On Fri, Oct 24, 2014 at 09:51:41AM +0200, Jakub Hrozek wrote: > On Thu, Oct 23, 2014 at 05:19:38PM -0700, Michael Lasevich wrote: > > Small update, it appears that once I run "getent group " - my > > user shows up in the group . Odd. > > > > (and yes, I

Re: [Freeipa-users] getent passwd / group

2014-10-27 Thread Jakub Hrozek
On Mon, Oct 27, 2014 at 11:38:14PM +, Craig White wrote: > RHEL 6.5 - new install > ipa-server-3.0.0-42.el6.x86_64 > 389-ds-base-1.2.11.15-47.el6.x86_64 > > On the master, I get nothing > > [root@ipa001 log]# getent passwd admin We need to debug this one. I suspect DNS.. > [root@ipa001 log]

Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-10-31 Thread Jakub Hrozek
> On 31 Oct 2014, at 02:23, David Taylor wrote: > > I just recently updated one of our test servers from CentOS 6.5 to CentOS > 6.6, after which I noticed that IPA logons were no longer available. From > what I can see the upgrade includes quite a few changes with regard to sssd. > > -

Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-05 Thread Jakub Hrozek
On Wed, Nov 05, 2014 at 02:30:55AM +, David Taylor wrote: > Thanks for the reply. The PAM file is pretty stock for a centos build > > #%PAM-1.0 > # This file is auto-generated. > # User changes will be destroyed the next time authconfig is run. > authrequired pam_env.so > auth

Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-07 Thread Jakub Hrozek
I’m > > guessing it is an issue with the upgrade scripts. > > > > > > > > > > > > Best regards > > > > *David Taylor* > > > > *From:* Michael Lasevich [mailto:mlasev...@gmail.com] > > *Sent:* Friday, 7 November 2014 4:00 PM > > *To:* Jakub Hroze

Re: [Freeipa-users] unable to sudo

2014-11-07 Thread Jakub Hrozek
On Thu, Nov 06, 2014 at 07:27:04PM +, Craig White wrote: > -Original Message- > From: Lukas Slebodnik [mailto:lsleb...@redhat.com] > Sent: Thursday, November 06, 2014 9:34 AM > To: Craig White > Cc: t...@tetrioncapital.com; freeipa-users@redhat.com > Subject: Re: [Freeipa-users] unable

Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-10 Thread Jakub Hrozek
On Fri, Nov 07, 2014 at 04:00:19PM -0800, Michael Lasevich wrote: > Exactly 16 hours after reboot the problem returned on both servers. What > has a 16 hour timeout? > > I set log level to 10 and got some logs, but they are long and not sure > what I am looking for. I am attaching some logs ( out

Re: [Freeipa-users] Free ipa Configurations

2014-11-10 Thread Jakub Hrozek
On Mon, Nov 10, 2014 at 12:56:00PM +0100, Martin Kosek wrote: > On 11/10/2014 02:05 AM, Rolf Nufable wrote: > > Hello > > > > I have tons of questions on why free ipa won't work on my network , I've > > been using fedora 20 as the os for the server and client free ipa . > > > > I deployed free

Re: [Freeipa-users] Free ipa Configurations

2014-11-11 Thread Jakub Hrozek
? > > In any case, it is still hard to advise as I still did not see any related > logs, error messages or actual real errors preventing you from enrolling > FreeIPA. > > Thanks, > Martin > > > > > > > TIA > > > > > > > > On Monday,

Re: [Freeipa-users] Free ipa Configurations

2014-11-11 Thread Jakub Hrozek
doras you can use "ipa" sudo > >> provider. Actually, FreeIPA 4.0+ clients do that for you. > >> > >> More info here: > >> https://www.freeipa.org/images/7/77/Freeipa30_SSSD_SUDO_Integration.pdf > >> https://fedorahosted.org/freeipa/ticket/3358 &g

Re: [Freeipa-users] Centos IPA Client fails after upgrade to 6.6

2014-11-11 Thread Jakub Hrozek
On Mon, Nov 10, 2014 at 09:29:04AM -0800, Michael Lasevich wrote: > I can certainly try, it would need to be compatible with CentOS 6.6 though. > > -M Thank you very much, can you try these packages? Please note they wouldn't fix your problem, but will hopefully shed some more light on what's go

Re: [Freeipa-users] Group membership not populated

2014-11-14 Thread Jakub Hrozek
On Fri, Nov 14, 2014 at 12:10:59PM +, Darren Poulson wrote: > Hi, > > I'm currently having an issue where if I log in as a user on a freshly > rebooted machine, their group membership is not populated, so things like > sudo do not work properly. If I do a getent group , log out and log > ba

Re: [Freeipa-users] Group membership not populated

2014-11-14 Thread Jakub Hrozek
On Fri, Nov 14, 2014 at 03:07:29PM +, Darren Poulson wrote: > > From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] > > on behalf of Jakub Hrozek [jhro...@redhat.com] > > Sent: 14 November 2014 14:56 > > To: freeipa-users@redhat.com > > Subj

Re: [Freeipa-users] Group membership not populated

2014-11-14 Thread Jakub Hrozek
On Fri, Nov 14, 2014 at 03:38:47PM +, Darren Poulson wrote: > > > > > OK, if the user is a direct member of the groups and the groups are all > > POSIX (=they all have a GID), then I would expect the group membership > > to show all users. > > > > Can you try setting ldap_deref_threshold=0 an
