Re: [Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-09 Thread Sumit Bose
On Thu, Dec 08, 2016 at 11:37:25AM -0500, Chris Dagdigian wrote: > > Massive thank you; will test ASAP. > > We mainly have to support CentOS/RHEL-6 and CentOS/RHEL-7 clients. Is there > any established guidance on upgrading SSSD in these environments? Some sort > of trusted repo where RPMs are bu

Re: [Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-08 Thread Chris Dagdigian
Massive thank you; will test ASAP. We mainly have to support CentOS/RHEL-6 and CentOS/RHEL-7 clients. Is there any established guidance on upgrading SSSD in these environments? Some sort of trusted repo where RPMs are built? I can hit the wiki and website but figured I'd ask as well. Not sure

Re: [Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-08 Thread Sumit Bose
On Thu, Dec 08, 2016 at 09:29:34AM -0500, Chris Dagdigian wrote: > > Sumit Bose wrote: > > > > Am I being stupid (again?) Obviously the krb5_validate=false setting > > > > needs > > > > to be fixed. Just not sure if I should work on a fix within 4.2 or > > > > move to > > > > 4.4 and see if

Re: [Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-08 Thread Chris Dagdigian
Sumit Bose wrote: > Am I being stupid (again?) Obviously the krb5_validate=false setting needs > to be fixed. Just not sure if I should work on a fix within 4.2 or move to > 4.4 and see if it gets resolved as part of other changes. The validation issue might have different reasons. One mig

Re: [Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-08 Thread Sumit Bose
On Wed, Dec 07, 2016 at 11:34:12AM -0500, Chris Dagdigian wrote: > > Our problem is largely solved but we are using some "do not use in > production!" settings so I wanted to both recap our solution and ask some > follow up questions. > > Our setup: > - > - FreeIPA 4.2 running on Cen

Re: [Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-07 Thread Chris Dagdigian
Our problem is largely solved but we are using some "do not use in production!" settings so I wanted to both recap our solution and ask some follow-up questions. Our setup:
- FreeIPA 4.2 running on CentOS-7 in AWS VPC
- Edge-case split DNS setup. Our cloud clients are "company

Re: [Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-07 Thread Chris Dagdigian
Confirmed that adding the following to /etc/sssd/sssd.conf on the SERVER fixed SSH password checks on the server itself!
ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal
The core problem does appear to be the "... UPN is quite different" error when we try to login as u
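As an added example (not part of this thread and not SSSD's own code), the script below audits an sssd.conf for the two settings the thread turns on: it flags an explicit `krb5_validate = false` in any domain section (SSSD then skips verifying the TGT it obtained against the host keytab, which is why that is a "do not use in production" setting), reports whether the `ldap_user_principal = nosuchattr` / `subdomain_inherit = ldap_user_principal` workaround is in place for trusted domains, and writes out a copy with validation switched back on. The sample configuration, the `ipa.example.test` domain and the `ipa_server` hostname are constructed for the example.

```python
"""Audit an sssd.conf for krb5_validate and the UPN workaround.

Added example; not from the mailing-list thread and not SSSD's own code.
"""
import configparser
import io

# Constructed sample: the shape of an IPA-server sssd.conf domain section
# carrying both the UPN workaround and the weak krb5_validate setting.
# Domain name and server hostname are assumptions for the example.
SAMPLE_CONF = """\
[sssd]
domains = ipa.example.test
services = nss, pam, ssh

[domain/ipa.example.test]
id_provider = ipa
ipa_server = ipa.ipa.example.test
krb5_validate = false
ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style; disable interpolation so '%' in values is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def domain_sections(cp):
    """Only [domain/...] sections carry provider settings."""
    return [s for s in cp.sections() if s.startswith("domain/")]


def audit(text):
    """Return (section, finding) tuples for the settings discussed in the thread."""
    cp = parse_sssd_conf(text)
    findings = []
    for sec in domain_sections(cp):
        d = cp[sec]
        # Only an explicit "false" is flagged: with the ipa provider the
        # option defaults to true, so an absent key is not the weak setting.
        if d.get("krb5_validate", "").strip().lower() == "false":
            findings.append((sec, "krb5_validate=false: obtained TGT is not "
                                  "checked against the host keytab (KDC spoofing)"))
        if d.get("ldap_user_principal", "").strip() == "nosuchattr":
            inherit = [x.strip() for x in d.get("subdomain_inherit", "").split(",")]
            if "ldap_user_principal" in inherit:
                findings.append((sec, "UPN workaround present: ldap_user_principal="
                                      "nosuchattr inherited by trusted subdomains"))
            else:
                findings.append((sec, "ldap_user_principal=nosuchattr set but not "
                                      "listed in subdomain_inherit; trusted-domain "
                                      "users are not covered"))
    return findings


def hardened(text):
    """Return the config text with krb5_validate forced to true in every domain section."""
    cp = parse_sssd_conf(text)
    for sec in domain_sections(cp):
        if cp[sec].get("krb5_validate", "").strip().lower() == "false":
            cp[sec]["krb5_validate"] = "true"
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for sec, msg in audit(SAMPLE_CONF):
        print(f"{sec}: {msg}")
    print("--- hardened copy ---")
    print(hardened(SAMPLE_CONF))
```

Run it against a real file with `audit(open("/etc/sssd/sssd.conf").read())`; the hardened copy is meant to be reviewed and then written back by hand (sssd.conf must stay root-owned, mode 0600) rather than applied blindly.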

Re: [Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-07 Thread Chris Dagdigian
Sumit, Thank you so much for your assistance and eyeballs on the massive logset. I've repeatedly found the level of support on this list to be fantastic. Some day I'll have enough hands-on experience to repay in kind ... We do actually use a different domain for the clients: Our clients ar

Re: [Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-07 Thread Sumit Bose
On Tue, Dec 06, 2016 at 03:17:33PM -0500, List dedicated to discussions about use, configuration and deployment of the IPA server. wrote: > > Appreciate the assistance! > > Is there a better debug level balance than 10 for this sort of situation? > The domain logs were several hundred MBs by the

Re: [Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
Appreciate the assistance! Is there a better debug level balance than 10 for this sort of situation? The domain logs were several hundred MBs by the time I started looking for useful info; if there is a different level I can use that would be better at producing actionable error/log messages I'll

Re: [Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
On Tue, Dec 06, 2016 at 12:45:18PM -0500, List dedicated to discussions about use, configuration and deployment of the IPA server. wrote: > > This is a new thread related to one I started today about upgrading FreeIPA > software before continuing troubleshooting work ... > > New post here so

[Freeipa-users] Debugging failed password checks (SSH) for AD users at the other end of 1-way trusts

2016-12-06 Thread List dedicated to discussions about use, configuration and deployment of the IPA server.
This is a new thread related to one I started today about upgrading FreeIPA software before continuing troubleshooting work ... New post here so I don't pollute the other thread. Looking for additional eyeballs or tips on this ongoing problem. The short summary is we can't check p