Re: [Freeipa-users] Client Host isn't picking up the idduseroverrides

2016-02-04 Thread Jakub Hrozek
On Wed, Feb 03, 2016 at 11:10:50PM +, Simpson Lachlan wrote:
> When my users log into the IPA server, the id user overrides work.
> 
> But they don't when we log into a client host?
> 
> What are we doing wrong?
> 
> The overrides are in the "Default Trust View" so should be applied to all 
> hosts.
> 
> We are trying to find *why* and *where* this is failing, but without much 
> success.
> 
> From what I've read, this should be controlled by the sssd service on the 
> host, but if we run sssd -I to watch what happens during a failed login or a 
> login that doesn't successfully get the id user override applied, we don't 
> see any errors or log entries that would indicate why.
> 
> We see this:
> 
> [root@vmts-linux1 ~]# /usr/sbin/sssd -i
> [sssd[be[unix.example.org]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
> [sssd[be[unix.example.org]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.

This is unrelated.

> 
> But there isn't anything in any logs that would indicate there's a 
> communication happening between the host and the server that we can see.
> 
> We have tried sss_cache -E on the host to clear cache, but we still aren't 
> getting the overrides.

If you changed the client override to a non-default one, then you would
have to restart the client.

Can you enable sssd debugging as per:
https://fedorahosted.org/sssd/wiki/Troubleshooting
and either send it to the list or, if there is confidential information,
send it to me directly? (Just note we're attending a conference now, so
answers might lag.)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


[Freeipa-users] Client Host isn't picking up the idduseroverrides

2016-02-03 Thread Simpson Lachlan
When my users log into the IPA server, the id user overrides work.

But they don't when we log into a client host?

What are we doing wrong?

The overrides are in the "Default Trust View" so should be applied to all hosts.

We are trying to find *why* and *where* this is failing, but without much 
success.

From what I've read, this should be controlled by the sssd service on the 
host, but if we run sssd -I to watch what happens during a failed login or a 
login that doesn't successfully get the id user override applied, we don't 
see any errors or log entries that would indicate why.

We see this:

[root@vmts-linux1 ~]# /usr/sbin/sssd -i
[sssd[be[unix.example.org]]] [krb5_auth_store_creds] (0x0010): unsupported PAM command [249].
[sssd[be[unix.example.org]]] [krb5_auth_store_creds] (0x0010): password not available, offline auth may not work.

But there isn't anything in any logs that would indicate there's a 
communication happening between the host and the server that we can see.

We have tried sss_cache -E on the host to clear cache, but we still aren't 
getting the overrides.

Cheers
L.