[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-16 Thread Jakub Hrozek via FreeIPA-users
On Tue, Aug 15, 2017 at 10:05:50PM -0400, Alexandre Pitre wrote: > Hi Alexander, > > You're correct, turns out I wasn't using the correct domain for the > --domain parameter. I thought I was. Here's the command I used. > > ipa-client-install -U -p admin -w Passw0rd! --enable-dns-updates

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-16 Thread Jakub Hrozek via FreeIPA-users
On Wed, Aug 16, 2017 at 01:04:05PM +0530, Supratik Goswami via FreeIPA-users wrote: > I have configured trust between AD and IPA and Linux machines are member of > IPA domain. > When I log into any of the Linux machine and type "w" it does not list the > user AD user with which I just logged in.

[Freeipa-users] Re: Kerberos key having multiple server entries

2017-08-16 Thread Jakub Hrozek via FreeIPA-users
On Tue, Aug 15, 2017 at 10:23:25PM +, Bhavin Vaidya via FreeIPA-users wrote: > Hello, > > > We have Kerberos authentication failing on our replica server as well as > client. We are also not able to add any more client or replica server. > > > Master FreeIPA server ds01:/etc/krb5.keytab,

[Freeipa-users] Re: Fedora 26 upgrade, mkhomedir stops working

2017-08-14 Thread Jakub Hrozek via FreeIPA-users
On Mon, Aug 14, 2017 at 11:05:23AM -0400, Steve Weeks via FreeIPA-users wrote: > This is what I get in sssd_pam.log: > > [pam_dp_process_reply] (0x0200): received: [6 (Permission denied)][ > ad.example.com] > [pam_reply] (0x0200): pam_reply called with result [6]: Permission denied. > > I don't

[Freeipa-users] Re: ID view is not overriding user attributes

2017-08-10 Thread Jakub Hrozek via FreeIPA-users
(Thu Aug 10 02:47:25 2017) [sssd[be[ipa.corp.example.com]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client not found in Kerberos database], expired on [0] (Thu Aug 10 02:47:25 2017) [sssd[be[ipa.corp.example.com]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address] (Thu

[Freeipa-users] Re: Unable to login with AD users

2017-08-10 Thread Jakub Hrozek via FreeIPA-users
> On 10 Aug 2017, at 20:15, Eddleman, David via FreeIPA-users > wrote: > > >This probably means the user can’t be resolved at all, so the authentication > >process doesn’t even make it to the PAM phase. Does ‘getent passwd > >user@domainfqdn’ work? >

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-14 Thread Jakub Hrozek via FreeIPA-users
> On 12 Aug 2017, at 20:14, Alexander Bokovoy via FreeIPA-users > wrote: > > To close this thread, I helped Alexandre on the IRC. The basic issue is > that one needs to plan domain space carefully when using trust to AD. > Active Directory is more than

[Freeipa-users] Re: Cannot get a second FreeIPA client authentication working.

2017-07-14 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 14, 2017 at 09:57:44AM +1200, Patrick McHale via FreeIPA-users wrote: > Hi, > > > > I have had a success with installing the FreeIPA system but I needed to add > another client in order to reproduce the steps required for > > building a client to authenticate with the server. I

[Freeipa-users] Re: Unable to login as user

2017-07-14 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 14, 2017 at 02:02:03AM -, patrick.mchale--- via FreeIPA-users wrote: > Hi, > > I am getting an error logging into a FreeIPA server from a new FreeIPA > client. I have reset the password for the user using "kinit admin" but still > no joy. Is there another password that is

[Freeipa-users] Re: Unable to login as user

2017-07-14 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 14, 2017 at 08:10:39AM +, Callum Guy via FreeIPA-users wrote: > Hi Jakub, > > Apologies for hijacking the thread but you reminded me of a longstanding > issue - I can't manually use kinit on my client nodes. As I operate a jump > server that means I get a ticket on first login but

[Freeipa-users] Re: sssd went away, failed to restart

2017-07-13 Thread Jakub Hrozek via FreeIPA-users
Pavel, I think this looks a bit similar to https://bugzilla.redhat.com/show_bug.cgi?id=1466934 do you agree? Do you have some suggestion to increase the wait timeout in case the services are restarted? On Thu, Jul 13, 2017 at 08:41:58AM +0200, Harald Dunkel wrote: > Hi Jakub, > > it happened

[Freeipa-users] Re: krb won't failover to alternative servers

2017-07-10 Thread Jakub Hrozek via FreeIPA-users
On Mon, Jul 10, 2017 at 02:10:48PM +, pgb205 via FreeIPA-users wrote: > > > > we have 4 servers for redundancy in krb5.conf > kdc= server1 > kdc= server2 > kdc= > server3 > kdc= >

[Freeipa-users] Re: [SSSD-users] Re: 1.15.3/1.16 release timeframe?

2017-07-10 Thread Jakub Hrozek via FreeIPA-users
On Tue, Jul 04, 2017 at 12:38:46AM +0300, Timo Aaltonen wrote: > On 31.05.2017 10:53, Jakub Hrozek wrote: > > On Wed, May 31, 2017 at 08:19:56AM +1000, Lachlan Musicman wrote: > >> Hi all, > >> > >> I noticed a while ago that 1.15.3 was versioned in the repo but I've not > >> seen anything

[Freeipa-users] Re: Two way trust problem

2017-07-21 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 21, 2017 at 05:53:57AM -0400, Steve Weeks via FreeIPA-users wrote: > Looks like I got the rootDSE, 109 lines of information and got the > following at the end. I don't know much about ldap so I'm guessing this > was successful Yes, so the trust indeed works. >. And, yes I did get a

[Freeipa-users] Announcing SSSD 1.15.3

2017-07-25 Thread Jakub Hrozek via FreeIPA-users
SSSD 1.15.3 === The SSSD team is proud to announce the release of version 1.15.3 of the System Security Services Daemon. The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/ RPM packages will be made available for

[Freeipa-users] Re: diskless workstations in an IPA domain

2017-07-24 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 21, 2017 at 05:12:20PM +0200, Jacquelin Charbonnel wrote: > Hi everybody, > > Currently, I enroll diskless Fedora26 workstations (with stateless Linux) > into > my IPA domain. > Inside the readonly root image, /etc/sysconfig/selinux points to: > > SELINUX=disabled >

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-07-27 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jul 27, 2017 at 02:34:06AM -0400, Alexandre Pitre via FreeIPA-users wrote: > I uploaded krb5_child.log and ldap_child.log to > https://1drv.ms/f/s!AlZwwyQE2ZZ5p2b5ROa15PBkAEQD I think the child just times out during TGT validation, see: (Thu Jul 27 06:01:20 2017)

[Freeipa-users] Re: Krb5.conf only sees first two kdc servers

2017-07-27 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jul 27, 2017 at 02:15:33AM +, Michael Papet via FreeIPA-users wrote: > >If the _srv_ is enabled then am i correct in assuming that we wouldn't even > >need kdc= records in krb5.conf ?? > >I tried removing kdc= lines and was unable > >to authenticate. > In my experience, sssd relies upon

[Freeipa-users] Re: Krb5.conf only sees first two kdc servers

2017-07-27 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jul 27, 2017 at 02:19:38PM +, pgb205 via FreeIPA-users wrote: > Jakub, yes we do have a one way trust between AD->FreeIPA. That explains why > krb5.conf is used instead of the sssd.conf _srv_ to retrieve DNS records. > Can you also please comment on why I'm only getting lookups on the

[Freeipa-users] Re: AD trust setup woes

2017-07-26 Thread Jakub Hrozek via FreeIPA-users
On Tue, Jul 25, 2017 at 10:12:38AM -0400, Jason Hensley via FreeIPA-users wrote: > On Tue, Jul 25, 2017 at 2:29 AM, Jakub Hrozek via FreeIPA-users < > freeipa-users@lists.fedorahosted.org> wrote: > > > On Mon, Jul 24, 2017 at 04:25:14PM -0400, Jason Beck via FreeIPA-users >

[Freeipa-users] Re: AD trust setup woes

2017-07-25 Thread Jakub Hrozek via FreeIPA-users
4, 2017 at 01:53:20PM -0400, Jason Beck wrote: > >> > On Mon, Jul 24, 2017 at 9:25 AM, Jakub Hrozek <jhro...@redhat.com> > >> wrote: > >> > > >> > > On Mon, Jul 24, 2017 at 09:05:59AM -0400, Jason Beck wrote: > >> > > > On

[Freeipa-users] Re: AD trust setup woes

2017-07-24 Thread Jakub Hrozek via FreeIPA-users
On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via FreeIPA-users wrote: > I have been trying to reliably get an AD trust setup for a few weeks and no > matter what I try, when I goto add AD users to an external group in > FreeIPA, I get: > > "trusted domain object not found" > > Googling

[Freeipa-users] Re: Two way trust problem

2017-07-20 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jul 20, 2017 at 12:20:31PM -0400, Steve Weeks via FreeIPA-users wrote: > We've setup a two-way trust with AD and it seems to have worked, but it > doesn't look like it is working correctly. > > The kerberos commands (kinit and kvno) work fine, but things like 'id >

[Freeipa-users] Re: AD trust setup woes

2017-07-24 Thread Jakub Hrozek via FreeIPA-users
On Mon, Jul 24, 2017 at 09:05:59AM -0400, Jason Beck wrote: > On Jul 24, 2017 4:14 AM, "Jakub Hrozek via FreeIPA-users" < > freeipa-users@lists.fedorahosted.org> wrote: > > > On Fri, Jul 21, 2017 at 03:43:58PM -0400, Jason Beck via FreeIPA-users > > wrote: >

[Freeipa-users] Re: { possibly offtopic } -- can sssd.conf alone be configured to copy the custom AD ID Ranges used by IPA server?

2017-06-28 Thread Jakub Hrozek via FreeIPA-users
On Wed, Jun 28, 2017 at 01:03:45PM -0400, Chris Dagdigian via FreeIPA-users wrote: > Hi folks, > > > I have a set of servers that CANNOT become enrolled IDM clients due to a > vendor refusing to support this type of config. > > This server fleet is directly bound to an AD system via the

[Freeipa-users] Re: { possibly offtopic } -- can sssd.conf alone be configured to copy the custom AD ID Ranges used by IPA server?

2017-06-29 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jun 29, 2017 at 08:41:25AM -0400, Chris Dagdigian wrote: > Jakub Hrozek via FreeIPA-users wrote: > > If not, have you considered pointing the clients towards the compat tree > > and using a plain LDAP setup, if your vendor supports that? > > > Appreciate the r

[Freeipa-users] Re: (no subject)

2017-06-28 Thread Jakub Hrozek via FreeIPA-users
On Wed, Jun 28, 2017 at 07:04:58AM -0700, Sean Hogan via FreeIPA-users wrote: > > Hi All, > > We are having an issue performing RHEL 6.6 to 6.7 upgrade with SSSD. The > systems are already enrolled and working in IPA 3.0.0-50 using 6.6 client. > We yum update and sssd gives this >

[Freeipa-users] Re: SUDO Rules not getting processed

2017-08-04 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 04, 2017 at 09:05:20AM -0300, Felipe Barreto Volpone via FreeIPA-users wrote: > Hi Alka, > > I think you can get useful info here: https://www.redhat.com/ > archives/freeipa-users/2017-May/msg00028.html Also this might be useful to pinpoint the issue:

[Freeipa-users] Re: AD trust setup woes

2017-08-01 Thread Jakub Hrozek via FreeIPA-users
On Tue, Aug 01, 2017 at 11:20:16AM -, Igor Sever via FreeIPA-users wrote: > I have the same error. > I established two-way trust with AD which went fine. > Authentication with Kerberos to AD is working. > Since I have one test FreeIPA which is working correctly (relatively) I > compared logs

[Freeipa-users] Re: AD trust setup woes

2017-08-02 Thread Jakub Hrozek via FreeIPA-users
On Wed, Aug 02, 2017 at 11:40:46AM -, Igor Sever via FreeIPA-users wrote: > There is no gidNumber attribute on AD group objects. If I want to apply > posix attributes directly in AD, then I don't need FreeIPA, do I... Many users and customers have an existing environment where some machines

[Freeipa-users] Re: Show AD groups members from command line

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 9 Aug 2017, at 17:21, Steve Weeks via FreeIPA-users > wrote: > > I can use 'id ad_user@ad_domain' command to see what groups an ad_user is a > member of. > > Is there a way from the Linux command line to see who are the member of >

[Freeipa-users] Re: Unable to login with AD users

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 8 Aug 2017, at 16:58, Eddleman, David via FreeIPA-users > wrote: > > Hello, > > I have created a FreeIPA solution using Red Hat’s IDM product. > FreeIPA version: 4.5.0 > OS version: RHEL 7.4 > > I have successfully installed the server portion and

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 9 Aug 2017, at 16:26, Alexandre Pitre wrote: > > If your hosts are in the IPA subdomain, then I would have expected > centos.ipa.ad.com > > The centos client has a hostname set to centos.domain.ad.com >

[Freeipa-users] Re: ID view is not overriding user attributes

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 9 Aug 2017, at 14:37, Supratik Goswami via FreeIPA-users > wrote: > > Can someone please help me to figure out the issue? > > Please let me know if any other information is required > Describing how you set up the idview and providing SSSD logs is

[Freeipa-users] Re: ID view is not overriding user attributes

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 9 Aug 2017, at 16:02, Supratik Goswami via FreeIPA-users > wrote: > > (Wed Aug 9 13:58:13 2017) [sssd[be[ipa.corp. > example .com > ]]] [acctinfo_callback]

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-09 Thread Jakub Hrozek via FreeIPA-users
> On 7 Aug 2017, at 20:02, Alexandre Pitre via FreeIPA-users > wrote: > > The client is in the IPA domain. Although it's sub-domain of ad.com > , I did delegate it and configure the IPA servers as name > servers. It uses a different

[Freeipa-users] Re: Unable to SSH into Linux machine using AD user

2017-08-07 Thread Jakub Hrozek via FreeIPA-users
> On 7 Aug 2017, at 10:42, Supratik Goswami wrote: > > SSSD version: sssd-1.13.0-40.7.amzn1.x86_64 > Linux OS: Amazon Linux > > I am seeing only these messages repeated continuously. > > (Mon Aug 7 08:37:49 2017) [sssd[be[ipa.corp.example.com >

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-06 Thread Jakub Hrozek via FreeIPA-users
> On 4 Aug 2017, at 23:08, Alexandre Pitre via FreeIPA-users > wrote: > > Turns out, I'm still getting the same problem. It works right away after I > force clean the sssd cache: systemctl stop sssd ; rm -f /var/lib/sss/db/* > /var/log/sssd/* ; systemctl

[Freeipa-users] Re: Unable to SSH into Linux machine using AD user

2017-08-07 Thread Jakub Hrozek via FreeIPA-users
> On 7 Aug 2017, at 07:38, Supratik Goswami via FreeIPA-users > wrote: > > Judging by: (Mon Aug 7 05:30:14 2017) [[sssd[krb5_child[26789 [create_ccache] (0x0020): 735: [13][Permission denied] I would check the permissions on the /tmp directory.

[Freeipa-users] Re: Unable to SSH into Linux machine using AD user

2017-08-07 Thread Jakub Hrozek via FreeIPA-users
Which sssd version is this on what OS? stracing the sssd processes might help, using this in the [domain] section: command = strace -ff -o /tmp/sssd_be_strace /usr/libexec/sssd/sssd_be --debug-level=10 --domain ipa.example.com --uid=0 --gid=0 (You’d need to substitute ipa.example.com

[Freeipa-users] Re: FreeIPA AD Trust. Clarifying Doubts before I proceed

2017-08-07 Thread Jakub Hrozek via FreeIPA-users
> On 7 Aug 2017, at 07:01, Sameer Gurung via FreeIPA-users > wrote: > > Hi All, > > I have a network consisting of both windows and linux clients running windows > server 2008 (active directory) and centos 7 (freeipa). Obviously, the windows > clients

[Freeipa-users] Re: Can’t SSH with AD user to freeipa joined Centos client

2017-08-07 Thread Jakub Hrozek via FreeIPA-users
> On 7 Aug 2017, at 18:11, Alexandre Pitre wrote: > > Clearing the sssd cache make the AD login works for a short while, it's > probably not necessary nor "production" ready. Looking at > /var/log/sssd/sssd_domain.ad.com . Sure, but

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 18, 2017 at 11:41:02AM +0530, Supratik Goswami wrote: > Hi Jakub > > I was trying to login to the box as usern...@addomain.com > . > > After some research I came across this post https://www.freeipa.org/ > page/V4/AD_User_Short_Names and I am able to

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 18, 2017 at 03:09:05PM +0530, Supratik Goswami wrote: > > > > What do you mean by user ID? The numeric UID? How do you invoke ps? > > > Yes, numeric UID. When I type "ps aux" I get the following output > > 1759001108 2375 0.0 0.4 146900 4084 ?S08:55 0:00 sshd: >

[Freeipa-users] Re: AD-Trust users not known

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 18, 2017 at 12:00:45PM +0200, Michael Gusek via FreeIPA-users wrote: > Hi, > > for testing I've installed a FreeIPA server with a trust to an > AD server. On IdM I can resolve AD users with 'id usern...@example.com', > on an IdM member client not. > > AD domain is Server 2012R2 as

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
e_timeout = 60 > [pam] > > [sudo] > > [autofs] > > [ssh] > > [pac] > > [ifp] > > On Fri, Aug 18, 2017 at 7:28 PM, Supratik Goswami <supratiksek...@gmail.com> > wrote: > > > > > > > On Fri, Aug 18, 2017 at 7:20 PM, Jakub Hroz

[Freeipa-users] Re: annoying messages systemd: pam_sss(systemd-user:account): Access denied for user (Permission denied)

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 18, 2017 at 03:44:17PM +0200, Kees Bakker via FreeIPA-users wrote: > Hi, > > This is on Ubuntu 16.04 systems configured as FreeIPA clients. Logging in > through ssh > is successful. But in /var/log/auth.log there are annoying messages like this: > > Aug 18 15:38:02 client1

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 18, 2017 at 07:13:13PM +0530, Supratik Goswami via FreeIPA-users wrote: > When executed in the server I get the below logs > > (Fri Aug 18 08:18:26 2017) [sssd[nss]] [orderly_shutdown] (0x0010): > SIGTERM: killing children > (Fri Aug 18 08:20:04 2017) [sssd[nss]] [orderly_shutdown]

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-18 Thread Jakub Hrozek via FreeIPA-users
On Fri, Aug 18, 2017 at 05:59:13PM +0530, Supratik Goswami wrote: > In server the ps version is procps-ng version 3.3.10 > In the other boxes ps version is procps version 3.2.8 This doesn't matter, the issue is that getpwuid() calls are not working. I suspect the same happens if you own a file by

[Freeipa-users] Re: Compat tree question

2017-05-31 Thread Jakub Hrozek via FreeIPA-users
On Tue, May 30, 2017 at 09:27:05PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On ti, 30 touko 2017, Robert Johnson via FreeIPA-users wrote: > > So I took a brand new user that I have never used in the system before (I > > checked that the entry was not in the compat tree) and just ran an

[Freeipa-users] Re: [Freeipa-users]SSH Key replication time/issues

2017-05-31 Thread Jakub Hrozek via FreeIPA-users
On Tue, May 30, 2017 at 02:18:18PM -0400, Jake via FreeIPA-users wrote: > Looks like this is applied immediately, but required a service sssd restart; > sss_cache -E This shouldn't be the case, can you describe step-by-step what exactly are you doing, what are the unexpected results and what do

[Freeipa-users] Re: ipa-client-install combined with 'authconfig --enablenis --update'

2017-06-01 Thread Jakub Hrozek via FreeIPA-users
On Wed, May 31, 2017 at 08:56:44PM -, paul--- via FreeIPA-users wrote: > Hi Jakub, > Thanks for clearing this out and pointing out ypbind is the wrong direction. > What do you mean with 'the workaround'? Do mean use of 'authconfig > --enablenis --update'? > The combination of Centos 7.3 with

[Freeipa-users] Re: Get rid of manually calling kinit with SSSD

2017-05-31 Thread Jakub Hrozek via FreeIPA-users
On Wed, May 31, 2017 at 02:36:58PM +0200, Ronald Wimmer via FreeIPA-users wrote: > On 2017-05-31 13:25, Sumit Bose via FreeIPA-users wrote: > > On Wed, May 31, 2017 at 11:24:48AM +0200, Ronald Wimmer via FreeIPA-users > > wrote: > > > Hi, > > > > > > I read Jakub Hrozeks post > > >

[Freeipa-users] Re: Access issues with SSH/IPA

2017-06-15 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jun 15, 2017 at 04:28:13AM -, john.bowman--- via FreeIPA-users wrote: > After upping the log levels on sssd on one of the failing servers I saw this > in one of the sssd log files: > > from sssd_pamd.log: > > (Wed Jun 14 23:16:05 2017) [sssd[pam]] [sss_ncache_check_str] (0x2000):

[Freeipa-users] Re: Access issues with SSH/IPA

2017-06-15 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jun 15, 2017 at 01:07:27PM -, john.bowman--- via FreeIPA-users wrote: > You'll have to forgive my ignorance here since I'm still fairly new to IPA > and fortunately haven't run in to many issues as of yet. > > The three IPA 3.0 servers all have what look to be following conflicts:

[Freeipa-users] Re: Access issues with SSH/IPA

2017-06-16 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jun 15, 2017 at 05:15:41PM -, john.bowman--- via FreeIPA-users wrote: > Which path would be better? Upgrading sssd on the older machines or > attempting to delete the ldap entries? I think you want to fix the server side, upgrading sssd is just a quick kludge to let you access

[Freeipa-users] Re: Solaris client proxyDN logins not working

2017-09-14 Thread Jakub Hrozek via FreeIPA-users
On Thu, Sep 14, 2017 at 11:08:54AM -0400, Rob Crittenden via FreeIPA-users wrote: > Louis Abel via FreeIPA-users wrote: > > I should probably mention that IPA users have started working. But not my > > AD users. > > > > [root@rhn2 tmp]# ssh -l louis.ab...@ipa.example.com devu16 -q > > Password:

[Freeipa-users] Re: Solaris client proxyDN logins not working

2017-09-16 Thread Jakub Hrozek via FreeIPA-users
> On 15 Sep 2017, at 01:25, Louis Abel via FreeIPA-users > wrote: > > Thank you for pointing that out. I've put sssd into debug to see what I can > find. Is there anything specific I should look for in the logs? Or is there > anything specific I can put

[Freeipa-users] Re: Can't log on using password when /tmp is full

2017-09-19 Thread Jakub Hrozek via FreeIPA-users
On Mon, Sep 18, 2017 at 05:11:09PM +0200, Marius Bjørnstad via FreeIPA-users wrote: > Hi, > > When /tmp is full, it is impossible to authenticate with Kerberos. Login with > password over SSH and sudo don't work. Login with ssh key works fine. Here is > the output in the system log when I try

[Freeipa-users] Re: Can't log on using password when /tmp is full

2017-09-20 Thread Jakub Hrozek via FreeIPA-users
On Tue, Sep 19, 2017 at 04:25:21PM -0400, Simo Sorce wrote: > On Tue, 2017-09-19 at 20:27 +0200, Jakub Hrozek via FreeIPA-users > wrote: > > On Mon, Sep 18, 2017 at 05:11:09PM +0200, Marius Bjørnstad via > > FreeIPA-users wrote: > > > Hi, > > > >

[Freeipa-users] Re: IPA sudo rules CentOS 6 vs CentOS 7

2017-09-13 Thread Jakub Hrozek via FreeIPA-users
On Wed, Sep 13, 2017 at 11:05:25PM +0300, Alexander Bokovoy via FreeIPA-users wrote: > On ke, 13 syys 2017, Mark Haney via FreeIPA-users wrote: > > On 09/13/2017 03:44 PM, Răzvan Corneliu C.R. VILT via FreeIPA-users wrote: > > > Hi Mark, > > > > > > Not all CentOS releases are created equal.

[Freeipa-users] Re: Solaris client proxyDN logins not working

2017-09-14 Thread Jakub Hrozek via FreeIPA-users
On Thu, Sep 14, 2017 at 06:28:50PM -, Louis Abel via FreeIPA-users wrote: > Jakub, you might be onto something. > > Sep 14 18:11:08 pentl01.ipa.example.com ns-slapd: pam_sss(system-auth:auth): > authentication failure; logname= uid=389 euid=389 tty= ruser= rhost= >

[Freeipa-users] Re: Proxmox pam authentication

2017-09-07 Thread Jakub Hrozek via FreeIPA-users
On Thu, Sep 07, 2017 at 11:02:50AM +0200, Maciej Drobniuch via FreeIPA-users wrote: > Hey Freeipa users! > > Proxmox supports pam logins from webui and it is debian based. > > I've used the following guide to install freeipa unofficial packages. >

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-29 Thread Jakub Hrozek via FreeIPA-users
On Wed, Aug 23, 2017 at 06:43:04PM +0530, Supratik Goswami wrote: > Hi Jakub > > The logs are captured at the same time from both servers, you are seeing > this difference because of different timezone setting. > IPA server was at EDT and the Linux machine is set to UTC, I have made that > fix

[Freeipa-users] Re: Help: Suddenly not possible to mount nfs4 shares with sec=krb5i

2017-08-29 Thread Jakub Hrozek via FreeIPA-users
On Tue, Aug 29, 2017 at 06:15:46PM +0200, Detlev Habicht via FreeIPA-users wrote: > Thank you for your answer. > > How can I avoid this mixing of packages? > > Well, I think I have a mix of 7.2, 7.3 and 7.4 (Scientific Linux). :-( > > What can I do to only install 7.2 and the patches for 7.2

[Freeipa-users] Re: sudo policy doesn't work since host is installed with CNAME

2017-08-30 Thread Jakub Hrozek via FreeIPA-users
On Wed, Aug 30, 2017 at 07:21:11PM +, Z D via FreeIPA-users wrote: > Hi there, > > we're using ipa-server-4.4.0 (without its own DNS) and are facing the > situation with A/CNAME host. > > Basically a host is installed with CNAME as the OS, and IPA is aware of only > A record since host is

[Freeipa-users] Re: AD trust setup woes

2017-09-10 Thread Jakub Hrozek via FreeIPA-users
> On 10 Sep 2017, at 16:36, Igor Sever via FreeIPA-users > wrote: > > It looks like my problems with AD trust on server side went away when I > upgraded to FreeIPA 4.5 using Centos 7.4 packages, but unfortunately this is > only half of the way. > I have

[Freeipa-users] Re: sssd suddenly throw system error on Mint 17.3 clients

2017-09-10 Thread Jakub Hrozek via FreeIPA-users
> On 10 Sep 2017, at 06:18, Jochen Hein via FreeIPA-users > wrote: > > Torsten Harenberg via FreeIPA-users > writes: > >> Suddenly, our Linux Mint clients refrain from logging in users and >> throw a system error. I

[Freeipa-users] Re: freeipa sudo expiration

2017-09-05 Thread Jakub Hrozek via FreeIPA-users
On Fri, Sep 01, 2017 at 03:02:34PM -0600, Scott Lucas via FreeIPA-users wrote: > Hi, > > I have a global password policy set for unlimited on expiration date, > however a user who has no issues logging in as himself, got a password > expiration notice when he recently used sudo. I can't seem to

[Freeipa-users] Re: Failure to login on 2/3 of servers after RHEL7.4 upgrade

2017-09-05 Thread Jakub Hrozek via FreeIPA-users
the three machines that is working properly for password > authentication through the web UI I'm reluctant to do so) > > On Tue, Sep 5, 2017 at 2:29 PM, Jakub Hrozek via FreeIPA-users > <freeipa-users@lists.fedorahosted.org> wrote: > > On Tue, Sep 05, 2017 at 02:12:57PM -0400,

[Freeipa-users] Re: Failure to login on 2/3 of servers after RHEL7.4 upgrade

2017-09-05 Thread Jakub Hrozek via FreeIPA-users
On Tue, Sep 05, 2017 at 02:48:59PM -0400, Steve Huston via FreeIPA-users wrote: > On Tue, Sep 5, 2017 at 2:43 PM, Jakub Hrozek via FreeIPA-users > <freeipa-users@lists.fedorahosted.org> wrote: > > - is there a filed called kdcinfo.YOURDOMAIN in /var/lib/sss/pubconf/ ? > >

[Freeipa-users] Re: Restriction for SSH Key per host

2017-09-26 Thread Jakub Hrozek via FreeIPA-users
On Tue, Sep 26, 2017 at 09:54:40AM +, Alessandro Perucchi via FreeIPA-users wrote: > Hello, > > We are using Freeipa to our satisfaction. > > We are trying to create a bastion/jumphost/... and in order to do it, we want > to protect the bastion so that nobody can access it directly (except

[Freeipa-users] Re: Radius authentication trouble

2017-08-24 Thread Jakub Hrozek via FreeIPA-users
On Thu, Aug 24, 2017 at 10:29:35AM -0400, Steve Weeks via FreeIPA-users wrote: > We are running FreeIPA 4.4 on Centos 7 and trying to use radius > authentication. > > Using radtest and radclient work fine and we can authenticate a user. > > The radius proxy and secret are set to match the values

[Freeipa-users] Re: FreeIPA failover not working

2017-08-24 Thread Jakub Hrozek via FreeIPA-users
_lookup_kdc = true rdns = > false ticket_lifetime = 24h forwardable = yes default_ccache_name = > KEYRING:persistent:%{uid} [realms] IPA.EXAMPLE.COM = { pkinit_anchors = > FILE:/etc/ipa/ca.crt } [domain_realm] .ipa.example.com = IPA.EXAMPLE.COM > ipa.example.com = IPA.EXAMPLE.COM | > > R

[Freeipa-users] Re: Centos/Redhat 7.4

2017-08-24 Thread Jakub Hrozek via FreeIPA-users
On Thu, Aug 24, 2017 at 08:18:42AM -0600, Kristian Petersen via FreeIPA-users wrote: > If you are using Samba with FreeIPA, you may want to wait to upgrade to > 7.4. There is a bug in a library that comes with sssd that will break it > for you. RedHat is recommending to wait for now. The only

[Freeipa-users] Re: site server lookup query

2017-08-24 Thread Jakub Hrozek via FreeIPA-users
On Sat, Aug 19, 2017 at 06:41:28AM +, Craig H Silva (CenITex) via FreeIPA-users wrote: > The circumstances/environment are a little unusual. > > We have a secure zone in which Windows AD has read-only domain controllers as > a security measure which we use to authenticate against. The

[Freeipa-users] Re: Why "w" does not list AD users

2017-08-21 Thread Jakub Hrozek via FreeIPA-users
rt > > > dns_discovery_domain = ipadomain.com > > > > > > entry_cache_timeout = 60 > > > [pam] > > > > > > [sudo] > > > > > > [autofs] > > > > > > [ssh] > > > > > > [pac] > > > >

[Freeipa-users] Re: FreeIPA failover not working

2017-08-23 Thread Jakub Hrozek via FreeIPA-users
On Wed, Aug 23, 2017 at 05:13:13PM +0200, Michael Gusek via FreeIPA-users wrote: > Hi, > > we are testing a FreeIPA trust to an Active Directory. Trust itself > works, we are happy. Now we tested a failure on FreeIPA site. We have > two instances, both with same roles. If we poweroff first

[Freeipa-users] Re: cross-forest trust, client system cannot id AD users.

2017-10-19 Thread Jakub Hrozek via FreeIPA-users
On Tue, Oct 17, 2017 at 02:21:07PM -0700, Steve Dainard via FreeIPA-users wrote: > Hello, > > I've installed a 60 day 'self supported' trial of red hat idm on rhel7. > I've created a cross-forest trust with an AD domain (2012R2) which already > has posix attributes in ldap for users and groups. >

[Freeipa-users] Re: Unable to use external groups or users, trusted domain object not found

2017-11-27 Thread Jakub Hrozek via FreeIPA-users
On Tue, Nov 21, 2017 at 01:55:31PM +0100, Henrik Stigendal via FreeIPA-users wrote: > Hello everyone, > > I’m new to this and am trying to set up a working trust against an AD > forest. I seem to have a working trust but when I try to reference external > groups (or users) I get: > > # ipa

[Freeipa-users] Re: Unable to use external groups or users, trusted domain object not found

2017-12-03 Thread Jakub Hrozek via FreeIPA-users
cifs/adserver.ad2.test@ad2.test.net: kvno = 13 > > >> On 27 Nov 2017, at 14:06, Jakub Hrozek via FreeIPA-users >> <freeipa-users@lists.fedorahosted.org> wrote: >> >> On Tue, Nov 21, 2017 at 01:55:31PM +0100, Henrik Stigendal via FreeIPA-users >>

[Freeipa-users] Re: Unable to use external groups or users, trusted domain object not found

2017-12-13 Thread Jakub Hrozek via FreeIPA-users
On Mon, Dec 11, 2017 at 10:47:44PM +0200, Alexander Bokovoy wrote: > On ma, 11 joulu 2017, Henrik Johansson via FreeIPA-users wrote: > > > > > > > On 11 Dec 2017, at 16:04, Alexander Bokovoy via FreeIPA-users > > > wrote: > > > > > > On ma, 11 joulu 2017,

[Freeipa-users] Re: How to deal with 'su root'

2017-12-19 Thread Jakub Hrozek via FreeIPA-users
On Tue, Dec 19, 2017 at 11:54:12AM +0100, Ronald Wimmer via FreeIPA-users wrote: > We have some users that have ALL sudo permissions. What is the best way of > keeping track of all actions they do after having switched to the root user? > Or would it be better to completely prevent switching to

[Freeipa-users] Re: Freeipa connecting to Redhat IPA server.

2017-12-15 Thread Jakub Hrozek via FreeIPA-users
On Fri, Dec 15, 2017 at 03:16:29PM +1100, Tony Delov via FreeIPA-users wrote: > I've been having difficulties connecting a freeipa-client on Ubuntu 16.06 > LTS, to a Redhat IPA server that has a trusted connection to Microsoft AD > server. > > Ssh authentications are pretty slow, however, once I

[Freeipa-users] Re: User login is slow to get password prompt

2017-12-19 Thread Jakub Hrozek via FreeIPA-users
On Mon, Dec 18, 2017 at 06:59:25PM -0500, Alexandre Pitre via FreeIPA-users wrote: > Hi, > > While troubleshooting "slow login" with ipa users we discovered that adding > these two lines to our clients sssd.conf file fixed our issue for ipa users. > > ldap_search_base =

[Freeipa-users] Re: Invalid ticket for NFS4 mount

2017-11-21 Thread Jakub Hrozek via FreeIPA-users
On Tue, Nov 21, 2017 at 11:45:36AM +0100, Ray via FreeIPA-users wrote: > > > On 2017-11-21 11:26, Jakub Hrozek via FreeIPA-users wrote: > > On Tue, Nov 21, 2017 at 08:36:16AM +0100, Ray via FreeIPA-users wrote: > > > Hi, > > > > > > yesterday I no

[Freeipa-users] Re: Invalid ticket for NFS4 mount

2017-11-21 Thread Jakub Hrozek via FreeIPA-users
On Tue, Nov 21, 2017 at 08:36:16AM +0100, Ray via FreeIPA-users wrote: > Hi, > > yesterday I noticed a strange issue on a Centos 7 client running > ipa-client-4.5.0-21.el7.centos.2.2.x86_64: > > My daughter tried to log in to the machine and was kicked out again after > GNOME failed to load

[Freeipa-users] Re: Unexpected ipa usa behaviour

2017-11-21 Thread Jakub Hrozek via FreeIPA-users
On Tue, Nov 21, 2017 at 09:05:29AM +0100, Ronald Wimmer via FreeIPA-users wrote: > Hi, > > in IPA I defined a user called isomeuser. This username does definitely not > exist on the AD side. > > When I log in as root to an IPA client and issue the su command, I am > isomeuser@ad.domain. If I do

[Freeipa-users] Re: Invalid ticket for NFS4 mount

2017-11-21 Thread Jakub Hrozek via FreeIPA-users
On Tue, Nov 21, 2017 at 12:39:00PM +0100, Ray via FreeIPA-users wrote: > > > On 2017-11-21 11:51, Jakub Hrozek via FreeIPA-users wrote: > > On Tue, Nov 21, 2017 at 11:45:36AM +0100, Ray via FreeIPA-users wrote: > > > > > > > > > Am 2017-11-21 11:

[Freeipa-users] Re: ldap cache

2017-11-08 Thread Jakub Hrozek via FreeIPA-users
On Wed, Nov 08, 2017 at 03:52:57PM +, Andrew Meyer via FreeIPA-users wrote: > Let's say I have a user that starts today and I forgot to add their > username to FreeIPA. I add their username and they need to start working > fairly quickly. I know that I can clear the sudo cache on each server

[Freeipa-users] Re: User login is slow to get password prompt

2017-12-20 Thread Jakub Hrozek via FreeIPA-users
On Tue, Dec 19, 2017 at 04:11:04PM -0500, Alexandre Pitre wrote: > Hi Jakub, > > Thanks for your response. I assume our puppet configuration was incomplete > and ldap_search_base = cn=accounts,dc=ipa,dc=domain,dc=com was left out by > mistake. We're already using the trusted domain section to

[Freeipa-users] Re: Setting up HBAC for external users

2018-05-20 Thread Jakub Hrozek via FreeIPA-users
> On 19 May 2018, at 19:53, Marc Boorshtein via FreeIPA-users > wrote: > > I'm trying to set up an HBAC rule for allowing users from a trust to > access Linux servers in a FreeIPA domain. My setup: > > 1. rhelent.lan - FreeIPA 4.5.0-22 > 2.

[Freeipa-users] Announcing SSSD 1.16.2

2018-06-08 Thread Jakub Hrozek via FreeIPA-users
SSSD 1.16.2 === The SSSD team is proud to announce the release of version 1.16.2 of the System Security Services Daemon. The tarball can be downloaded from https://releases.pagure.org/SSSD/sssd/ RPM packages will be made available for Fedora shortly. Feedback Please provide

[Freeipa-users] Re: Cannot log in as an AD user to FreeIPA client but can log in to server

2018-06-07 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jun 07, 2018 at 03:48:16PM -, Bart via FreeIPA-users wrote: > Thank you Alexander, that was the root cause. I added optimizations to my > setup that you together with Jakub described in this article: >

[Freeipa-users] Re: double domain?

2018-06-07 Thread Jakub Hrozek via FreeIPA-users
On Thu, Jun 07, 2018 at 12:33:56PM -0500, Kat via FreeIPA-users wrote: > hi > > Where would be a good place to look in either sssd or somewhere in the > system if we are seeing a mixture of UserID lookups in this format: > > usern...@domain.example.com  <--- this makes sense > > BUT - also

[Freeipa-users] Re: Logon by ssh but not console?

2018-06-03 Thread Jakub Hrozek via FreeIPA-users
> On 3 Jun 2018, at 13:33, Bret Wortman via FreeIPA-users > wrote: > > I just realized that I never closed the loop on this problem and just > finished upgrading all my systems to use our new IPA servers. And this > problem is still with me. > > I can log onto some workstations but not

[Freeipa-users] Re: Cannot log in as an AD user to FreeIPA client but can log in to server

2018-06-05 Thread Jakub Hrozek via FreeIPA-users
On Tue, Jun 05, 2018 at 03:06:44PM -, Bart via FreeIPA-users wrote: > Hi all, > > I've set up two FreeIPA servers without CA (I provided 3rd party certificates > during the installation process). I also established trust to an AD domain as > below: > > ipa trust-add --type=ad AD.DOMAIN

[Freeipa-users] Re: Cannot log in as an AD user to FreeIPA client but can log in to server

2018-06-06 Thread Jakub Hrozek via FreeIPA-users
On Wed, Jun 06, 2018 at 02:30:56PM -, Bart via FreeIPA-users wrote: > Hi Jakub, thank you for your help. > > I cannot resolve all of the users nor their groups on client hosts. getent > passwd doesn't return anything, su - user@ad.domain doesn't work either. > > All AD users I tried get

[Freeipa-users] Re: performance tuning IPA 4.5 and SSD for large AD integration

2018-06-30 Thread Jakub Hrozek via FreeIPA-users
> On 29 Jun 2018, at 16:12, Chris Dagdigian via FreeIPA-users > wrote: > > At long last I've got a brand new IPA cluster running in our AWS footprint > with a modern v4.5.4 install and a proper AD Trust in place to a complex > domain forest > > In my older cluster I made use of a lot of

[Freeipa-users] Re: Any non-root user (ipa) can su / su - to root, when the su/su-i service(s) are not enabled

2018-04-26 Thread Jakub Hrozek via FreeIPA-users
> On 26 Apr 2018, at 18:29, Morgan Cox via FreeIPA-users > wrote: > > Hi. > > I have a test freeipa server setup. > > It is generally working fine, however I have found one major issue. > > Even though a user only has 1 service enabled 'sshd' that user
