[Freeipa-users] Quick question regarding modifying attributes

2016-04-28 Thread Sullivan, Daniel [AAA]
Hi, I have a trusted AD domain that I am enumerating objects via IPA. I wanted to know if I should be able to manipulate the uidNumber and gidNumber stored in the default ID view by using the ldapmodify command, for example, for this DN (not local):

[Freeipa-users] Question regarding modifying attributes

2016-04-27 Thread Sullivan, Daniel [AAA]
Hi, I have a trusted AD domain that I am enumerating objects via IPA. I wanted to know if I should be able to manipulate the uidNumber and gidNumber stored in the default ID view by using the ldapmodify command, for example, for this DN (not local):

Re: [Freeipa-users] Question regarding modifying attributes

2016-04-27 Thread Sullivan, Daniel [AAA]
Thank you. Dan > On Apr 27, 2016, at 3:00 PM, Alexander Bokovoy <aboko...@redhat.com> wrote: > > On Wed, 27 Apr 2016, Sullivan, Daniel [AAA] wrote: >> Hi, >> >> I have a trusted AD domain that I am enumerating object via IPA. I >> wanted to know if i sho

Re: [Freeipa-users] Quick question regarding modifying attributes

2016-04-28 Thread Sullivan, Daniel [AAA]
results, running into some issues but interested in yours and the groups opinion on the viability of this). I appreciate your help. Best, Dan > On Apr 28, 2016, at 11:29 AM, Jakub Hrozek <jhro...@redhat.com> wrote: > > On Wed, Apr 27, 2016 at 06:58:35PM +0000, Sullivan, Daniel [AA

Re: [Freeipa-users] Quick question regarding modifying attributes

2016-05-02 Thread Sullivan, Daniel [AAA]
t 2:22 AM, Jakub Hrozek <jhro...@redhat.com<mailto:jhro...@redhat.com>> wrote: On Thu, Apr 28, 2016 at 06:31:20PM +, Sullivan, Daniel [AAA] wrote: Jakub, Thank you for your reply. I did not know that the compat tree was populated from sssd; Do you have any experience and or recom

[Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-12 Thread Sullivan, Daniel [AAA]
Hi, I am experiencing an HBAC issue that is proving to be very difficult to diagnose. It appears very closely related to the issue described in this thread (https://lists.fedorahosted.org/archives/list/sssd-us...@lists.fedorahosted.org/thread/DTX4LP5VI2AHANMT4QFXERCN7US2TCUB/), except that

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-14 Thread Sullivan, Daniel [AAA]
Hi, I wanted to follow up on this thread in case others are experiencing this problem. Installing SSSD 1.14 from the copr repository seems to have completely eliminated the HBAC issue on all systems that were exhibiting the problem as previously described.

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-14 Thread Sullivan, Daniel [AAA]
van, Daniel [AAA] > <dsulliv...@bsd.uchicago.edu> wrote: > > Jakub, Justin, > > Thank you both very much for taking the time to continue helping me resolve > this issue. I apologize for not replying right away; I’ve been dealing with > a production issue for most of t

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-13 Thread Sullivan, Daniel [AAA]
wrote: >>> On Tue, 12 Jul 2016, Sullivan, Daniel [AAA] wrote: >>>> Justin, >>>> >>>> I really appreciate you taking the time to respond to me. This problem >>>> is driving me crazy and I will certainly take any help I can get. My >&

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-13 Thread Sullivan, Daniel [AAA]
Jakub, Justin, Thank you both very much for taking the time to continue helping me resolve this issue. I apologize for not replying right away; I’ve been dealing with a production issue for most of the morning. An invocation of ‘id

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-13 Thread Sullivan, Daniel [AAA]
arting sssd works, but only if individual AD domain members are added to the external group - not AD domain groups. Cheers L. -- The most dangerous phrase in the language is, "We've always done it this way." - Grace Hopper On 13 July 2016 at 08:07, Sullivan, Daniel [AAA] <ds

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Sullivan, Daniel [AAA]
Lukas, Also, I would be interested to have high-level knowledge of known regressions you describe so that we can more quickly identify that we are being impacted by a known issue as we move forward with testing and evaluation of our IPA implementation, particularly if they are missing from the

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Sullivan, Daniel [AAA]
your thoughts. Best, Dan On Jul 15, 2016, at 6:13 AM, Lukas Slebodnik <lsleb...@redhat.com<mailto:lsleb...@redhat.com>> wrote: On (14/07/16 21:23), Sullivan, Daniel [AAA] wrote: Justin, Thank you for taking the time to reply to me; I really appreciate your willingness to help. Upg

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-18 Thread Sullivan, Daniel [AAA]
> > On Mon, Jul 18, 2016 at 11:56:24AM +, Sullivan, Daniel [AAA] wrote: >> Hi, Jakub, >> >> In line with your performance tuning document referenced prior in this >> thread, I’ve actually already implemented the three configuration changes >> you specified

Re: [Freeipa-users] non-authoritative tricks for DNS resolution

2016-07-17 Thread Sullivan, Daniel [AAA]
Would a DNS view (bind) work? http://docstore.mik.ua/orelly/networking_2ndEd/dns/ch10_06.htm Also, depending on what you are using for NAT, some devices will mangle the reply payload of A record lookups as they traverse NAT to avoid hairpinning (a packet going out and then back in the same

Re: [Freeipa-users] SSSD with LDAP not showing secondary groups

2016-07-16 Thread Sullivan, Daniel [AAA]
> 2) ldapsearch -x -b dc=ipa,dc=cri,dc=uchicago,dc=edu Based on that you should be able to tune your LDAP parameters for SSSD. Out of curiosity is there any reason you are not using the IPA provider instead of LDAP (in SSSD)? Dan On Jul 16, 2016, at 9:38 PM, Sullivan, Daniel [AAA] &l

Re: [Freeipa-users] SSSD with LDAP not showing secondary groups

2016-07-16 Thread Sullivan, Daniel [AAA]
Have you tried different settings for ldap_schema (should be easy to test)? http://linux.die.net/man/5/sssd-ldap Dan On Jul 16, 2016, at 4:19 PM, Peter Pakos > wrote: Hi, I'm about to move our FreeIPA platform into production on Monday but I've just

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Sullivan, Daniel [AAA]
t 7:12 AM, Jakub Hrozek <jhro...@redhat.com<mailto:jhro...@redhat.com>> wrote: On Fri, Jul 15, 2016 at 12:00:56PM +, Sullivan, Daniel [AAA] wrote: Lukas, Thank you for your reply and inquiry. First, to answer your question; yes, we have been using the default_domain_suffix f

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Sullivan, Daniel [AAA]
),788609341(ic),788646237(adm shpt ocr visitors),788609544(adm-trackittech),788671562(ocr-ocrepic),788652940(dma management) Dan On Jul 15, 2016, at 8:22 AM, Sullivan, Daniel [AAA] <dsulliv...@bsd.uchicago.edu<mailto:dsulliv...@bsd.uchicago.edu>> wrote: Jakub, Sure, no problem

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Sullivan, Daniel [AAA]
om>> wrote: On Fri, Jul 15, 2016 at 01:22:07PM +, Sullivan, Daniel [AAA] wrote: Jakub, Sure, no problem, I am happy to provide the output that you are requesting. Thank you for taking the time to help me. To answer your question, no record is returned (not missing groups). For examp

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-18 Thread Sullivan, Daniel [AAA]
unable to lookup this user. I will report back if I find anything meaningful. In the meantime I would appreciate any advisement that could be provided. Thank you for replying to me. Best, Dan Sullivan On Jul 18, 2016, at 3:19 AM, Jakub Hrozek <jhro...@redhat.com<mailto:jhro...@redhat

Re: [Freeipa-users] Questions about 1.14 software bugs

2016-08-25 Thread Sullivan, Daniel [AAA]
6 at 06:30:22PM +0000, Sullivan, Daniel [AAA] wrote: >> Hi, >> >> I feel like I’ve been warned at least twice that sssd 1.14 has some known >> regressions that make it unstable. We’re in the process of rolling it out >> to our production environment (we can’t use 1.

[Freeipa-users] Questions about 1.14 software bugs

2016-08-25 Thread Sullivan, Daniel [AAA]
Hi, I feel like I’ve been warned at least twice that sssd 1.14 has some known regressions that make it unstable. We’re in the process of rolling it out to our production environment (we can’t use 1.13 due to another issue); so far it seems pretty stable, although if possible I’d like any

Re: [Freeipa-users] Questions about 1.14 software bugs

2016-08-25 Thread Sullivan, Daniel [AAA]
be happy to provide any feedback on identified issues. Dan > On Aug 25, 2016, at 3:27 PM, Lukas Slebodnik <lsleb...@redhat.com> wrote: > > On (25/08/16 18:30), Sullivan, Daniel [AAA] wrote: >> Hi, >> >> I feel like I’ve been warned at least twice that sssd 1.