[Freeipa-users] Re: Authenticating users with a different UPN suffix in an AD trust configuration

2017-07-06 Thread Ronald Wimmer via FreeIPA-users
On 2017-07-06 08:25, Robert Sturrock via FreeIPA-users wrote: [...] We have a test IPA server with HBAC allow_all and we can ssh to it reliably as a regular user, but when we try to ssh as ‘first name.lastname@affiliate’ we see the following exceptions in /var/log/sssd/krb5_child.log: [...]

[Freeipa-users] Re: SUDO Rules not getting processed

2017-08-08 Thread Ronald Wimmer via FreeIPA-users
Are you 100% sure that you have a line like "sudoers: files sss" in your /etc/nsswitch.conf? On 7 August 2017 11:10:56 MESZ, Alka Murali via FreeIPA-users wrote: >Hello Team, > >Have checked all the logs, and the SSSD Logs are saying that it is

[Freeipa-users] Re: SSSD Cache and Service Tickets

2017-05-27 Thread Ronald Wimmer via FreeIPA-users
On 2017-05-26 18:51, Sumit Bose via FreeIPA-users wrote: [...] Did you ‘Allow GSSAPI credential delegation’ in the putty configuration? Additionally the internal Windows Kerberos handling only allows delegation to hosts which have the ok-to-delegate flag set in the Kerberos service ticket.

[Freeipa-users] Re: How to use automounted home shares?

2017-05-28 Thread Ronald Wimmer via FreeIPA-users
How do those of you deal with files that should remain per-host (e.g. .bash_history) when using automounted home directories? ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to

[Freeipa-users] AIX 7.1 as IPA Client

2017-09-14 Thread Ronald Wimmer via FreeIPA-users
Does anyone have AIX 7 IPA Clients? Is there also an IPA client installer around or do I have to go through this: https://www.freeipa.org/page/FreeIPAv1:ConfiguringAixClients Regards, Ronald

[Freeipa-users] Do keytabs expire?

2017-09-14 Thread Ronald Wimmer via FreeIPA-users
Hi, today I found out that some entries in a keytab file seemed to have expired: Request ticket server HTTP/mwc.linux.mydomain...@linux.mydomain.at kvno 4 not found in keytab; keytab is likely out of date Fetching the keytab again with ipa-getkeytab fixed the problem. But why is this

[Freeipa-users] IPA Vault Feature

2017-09-20 Thread Ronald Wimmer via FreeIPA-users
Hi, I read about the vault feature in the documentation and installed the feature on my ipa master (ipa-kra-install). However, when I try to access my vault on an ipa client, I get: ipa: INFO: trying https://ipa2.linux.mydomain.at/ipa/session/json ipa: INFO: trying

[Freeipa-users] Re: Is it safe to upgrade to 7.4 ?

2017-09-22 Thread Ronald Wimmer via FreeIPA-users
I upgraded from 7.3 to 7.4 on CentOS without a single issue. Cheers, Ronald

[Freeipa-users] Re: Do keytabs expire?

2017-09-19 Thread Ronald Wimmer via FreeIPA-users
On 2017-09-19 11:53, Alexander Bokovoy wrote: [...] Please spend some time reading the documentation. It is vast and has a lot of answers to questions people keep asking on these lists. I've already spent some time reading the documentation. Since "ipa-getkeytab" worked I was not aware of the

[Freeipa-users] Re: Do keytabs expire?

2017-09-19 Thread Ronald Wimmer via FreeIPA-users
command leading to invalidating the keytab on the first two servers if I issue the command on the third? I would really appreciate some clarification here. Regards, Ronald On 2017-09-14 11:46, Alexander Bokovoy wrote: On Thu, 14 Sep 2017, Ronald Wimmer via FreeIPA-users wrote: Hi, today I

[Freeipa-users] Re: Do keytabs expire?

2017-09-19 Thread Ronald Wimmer via FreeIPA-users
eytab has option '-r' that allows to retrieve existing key if you have enough privileges for that. https://www.freeipa.org/page/V4/Keytab_Retrieval_Management describes this feature. Regards, Ronald On 2017-09-14 11:46, Alexander Bokovoy wrote: On Thu, 14 Sep 2017, Ronald Wimmer via FreeIPA-users wrote:

[Freeipa-users] Re: Apache Group Based Authorization for AD users

2017-09-28 Thread Ronald Wimmer via FreeIPA-users
On 2017-09-28 11:37, Alexander Bokovoy wrote: You need to define HBAC rules that target system-auth PAM service on this host then. But yes, any practical PAM service would work as long as you have appropriate HBAC rules for this service. Is an HBAC Service in IPA the counterpart to the PAM

[Freeipa-users] Find IPA user or computer account from windows

2017-09-05 Thread Ronald Wimmer via FreeIPA-users
Is it possible to find an IPA user or computer account from a windows (AD) machine [trust between ipa and ad domain is set up]? If I try that, all i get is a message that no object can be found. Regards, Ronald

[Freeipa-users] Re: How to deal with 'su root'

2017-12-19 Thread Ronald Wimmer via FreeIPA-users
On 2017-12-19 12:05, Jakub Hrozek via FreeIPA-users wrote: [...] I think the best practice is to restrict the commands the users can run to a bare minimum. Letting them only through sudo (as opposed to sudo su) has the advantage that sudo sends all commands to the audit subsystem. Also, if

[Freeipa-users] How to deal with 'su root'

2017-12-19 Thread Ronald Wimmer via FreeIPA-users
We have some users that have ALL sudo permissions. What is the best way of keeping track of all actions they do after having switched to the root user? Or would it be better to completely prevent switching to the root user? (if yes, what would be the recommended way of doing that?) Regards,

[Freeipa-users] Re: Find IPA user or computer account from windows

2017-11-08 Thread Ronald Wimmer via FreeIPA-users
Is there a chance that this will be implemented at some point in time? My Use Case: I would like to use a System in the IPA domain as Citrix VDA - the Citrix management software can only add computers that can be found by their Windows-based tool. Regards, Ronald

[Freeipa-users] ipa-client-install - sssd.conf

2018-05-16 Thread Ronald Wimmer via FreeIPA-users
Hi, is there a way to configure parameters in sssd.conf when calling ipa-client-install? It would be very helpful to be able to specify these parameters: [sssd] default_domain_suffix = SOMEDOMAIN [nss] homedir_substring = /home default_shell = /bin/bash default_shell is the most important

[Freeipa-users] Rename HBAC Rule

2018-07-19 Thread Ronald Wimmer via FreeIPA-users
Is there a way to rename an existing HBAC rule? The WebGUI only offers enable/disable/delete... Regards, Ronald

[Freeipa-users] Best practices for autocreating user home directories when using automount

2018-03-29 Thread Ronald Wimmer via FreeIPA-users
I am using IPA and the automount feature for user home directories. Where I did not find a suitable solution yet is what to do when a user logs in for the first time. Due to the fact that /home gets mounted on demand none of the pam modules (like pam_oddjob_mkhomedir) seem to work. Is there a

[Freeipa-users] Re: IPA Deployment Recommendations - No. of servers per datacenter

2018-03-19 Thread Ronald Wimmer via FreeIPA-users
If nobody has an answer here maybe someone has some input on which factors are necessary to do an estimation on how many replicas are needed per datacenter?

[Freeipa-users] AD group name replaced by SID

2018-02-27 Thread Ronald Wimmer via FreeIPA-users
Hi, for demonstration purposes I added two users to an external group that already contained an AD group. The AD group had a human readable name. The users as well. When I removed these two users the AD group name changed from the human readable name to the group SID. Why did that happen?

[Freeipa-users] Migration from Test to Production

2018-10-19 Thread Ronald Wimmer via FreeIPA-users
Hi, we have been evaluating FreeIPA for quite a while now on our test setup (1 IPA server, 1 Replica) and are planning to move towards production. Can the whole setup be migrated from an ipa test to an ipa production server? (the ipa 'linux.ourdomain.at' domain should stay the same) Or would

[Freeipa-users] Re: Auto-mounted Home-Directory

2018-09-28 Thread Ronald Wimmer via FreeIPA-users
Wow! I am impressed. That setting fixed my problem! Thanks a lot! Cheers Ronald On 2018-09-27 20:47, Rob Crittenden wrote: Ronald Wimmer via FreeIPA-users wrote: The home directories of several servers in our company are IPA automounted. About a week ago, this mechanism stopped working

[Freeipa-users] Auto-mounted Home-Directory

2018-09-27 Thread Ronald Wimmer via FreeIPA-users
The home directories of several servers in our company are IPA automounted. About a week ago, this mechanism stopped working properly on one server. The directory still gets mounted automatically but the permissions are nobody:nobody. I thought restarting idmapd or automount could solve the

[Freeipa-users] Ipsilon - Unauthorized

2019-01-17 Thread Ronald Wimmer via FreeIPA-users
I set up ipsilon on a separate machine as documented in https://ipsilon-project.org/doc/quickstart-ipa.html When I try to log in with the admin user I get the "Unauthorized" error. The logs say: ==> ssl_error_log <== [Thu Jan 17 09:51:45.555163 2019] [authnz_pam:warn] [pid 5977] [client

[Freeipa-users] Re: Ipsilon - Unauthorized

2019-01-17 Thread Ronald Wimmer via FreeIPA-users
On 17.01.19 10:09, Alexander Bokovoy wrote: On Thu, 17 Jan 2019, Ronald Wimmer via FreeIPA-users wrote: I set up ipsilon on a separate machine as documented in https://ipsilon-project.org/doc/quickstart-ipa.html When I try to log in with the admin user I get the "Unauthorized"

[Freeipa-users] Re: Vault feature for AD users

2018-12-20 Thread Ronald Wimmer via FreeIPA-users
Is it true that this feature is only available to native ipa users? On 30.11.18 09:42, Ronald Wimmer via FreeIPA-users wrote: Is there any possibility to use the vault feature for external (AD) users?

[Freeipa-users] Re: Migration from Test to Production

2018-11-21 Thread Ronald Wimmer via FreeIPA-users
On 21.11.18 17:40, Rob Crittenden via FreeIPA-users wrote: [..] Yes, masters are all more or less equal, the difference being whether they run optional services and there are a few roles that only one master has (CRL manager, renewal manager). I still do not have a clear picture. Is it true

[Freeipa-users] Re: Migration from Test to Production

2018-11-21 Thread Ronald Wimmer via FreeIPA-users
On 19.10.18 14:15, Rob Crittenden via FreeIPA-users wrote: Ronald Wimmer via FreeIPA-users wrote: Hi, we have been evaluating FreeIPA for quite a while now on our test setup (1 IPA server, 1 Replica) and are planning to move towards production. Can the whole setup be migrated from an ipa test

[Freeipa-users] Set up ipa-client via Ansible

2019-03-01 Thread Ronald Wimmer via FreeIPA-users
Hi, I set up relevant ansible files exactly like described in: https://www.freeipa.org/page/V4/ClientInstallationWithAnsible#Ansible_ipaclient_module The ipaclient role was fetched from here: https://github.com/freeipa/ansible-freeipa/tree/master/roles Uninstalling an ipaclient works.

[Freeipa-users] Re: Set up ipa-client via Ansible

2019-03-01 Thread Ronald Wimmer via FreeIPA-users
On 01.03.19 16:49, Thomas Woerner wrote: Hello Ronald, [...] How old is your clone of the ansible-freeipa repository? ipaclient_extraargs was only used in the beginning. ipaclient_principal is the wrong name. Please update your ansible-freeipa clone. Oh my god. You were completely right.

[Freeipa-users] 3rd party Certificate for HTTP and LDAP

2019-03-08 Thread Ronald Wimmer via FreeIPA-users
Today I was reading the documentation on https://www.freeipa.org/page/Using_3rd_part_certificates_for_HTTP/LDAP Is the Prerequisite step necessary if the CA (Digicert) is already trusted by the OS? Regards, Ronald

[Freeipa-users] Re: IPA and legacy systems

2019-01-29 Thread Ronald Wimmer via FreeIPA-users
I successfully registered my server server5.mydomain.at. After setting up an appropriate HBAC rule as well as setting the default domain in the sssd.conf to a.mydomain.at I tried to connect to the server via SSH using: myusern...@mydomain.at This fails because the UPN seems to be picked:

[Freeipa-users] Re: IPA and legacy systems

2019-01-28 Thread Ronald Wimmer via FreeIPA-users
On 28.01.19 12:36, François Cami wrote: On Mon, Jan 28, 2019 at 12:20 PM Ronald Wimmer via FreeIPA-users wrote: What would be a good solution to add systems where the FQDN cannot be changed? It's a pretty generic question, could you be more specific? Legacy systems are in an AD domain

[Freeipa-users] Re: IPA and legacy systems

2019-01-28 Thread Ronald Wimmer via FreeIPA-users
On 28.01.19 12:42, Alexander Bokovoy wrote: On Mon, 28 Jan 2019, Ronald Wimmer via FreeIPA-users wrote: [...] Is there any experience on how to deal with such a situation? Really depends on where these existing clients are located and what is their function. Do they belong to some other

[Freeipa-users] Re: IPA and legacy systems

2019-01-29 Thread Ronald Wimmer via FreeIPA-users
On 29.01.19 12:28, Alexander Bokovoy via FreeIPA-users wrote: [...] I think you need to tune sssd configuration here. Sumit or Jakub may have more details on what exact options should be used. Should I contact them directly or are they gonna read this here anyway? I tested an IPA user - that

[Freeipa-users] IPA and legacy systems

2019-01-28 Thread Ronald Wimmer via FreeIPA-users
What would be a good solution to add systems where the FQDN cannot be changed? Would it make sense to add a second DNS A Record in the IPA domain for each of these systems? Is there any experience on how to deal with such a situation? Thanks a lot in advance! Cheers, Ronald

[Freeipa-users] ID-View for AD group to use GECOS umask

2019-04-15 Thread Ronald Wimmer via FreeIPA-users
Afaik it should be possible to set a user's umask by putting something like "umask=0007" in the GECOS field in combination with pam_umask.so. pam_umask.so seems to be present on our systems. What I do not know is in which file (at which exact position) I would have to put "session optional

[Freeipa-users] Re: Session Recording on RHEL/OL8

2019-07-04 Thread Ronald Wimmer via FreeIPA-users
On 02.07.19 20:19, Justin Stephenson wrote: [...] Do you see similar failures on RHEL8 with the above session recording configuration? Is the problem specific to IPA client systems? IPA or local user makes no difference. I am getting logged out immediately after successful SSH login. (root

[Freeipa-users] Re: Session Recording on RHEL/OL8

2019-07-04 Thread Ronald Wimmer via FreeIPA-users
On 04.07.19 13:31, Alexander Bokovoy via FreeIPA-users wrote: On Thu, 04 Jul 2019, Ronald Wimmer via FreeIPA-users wrote: On 02.07.19 20:19, Justin Stephenson wrote: [...] Do you see similar failures on RHEL8 with the above session recording configuration? Is the problem specific to IPA

[Freeipa-users] Re: Session Recording on RHEL/OL8

2019-07-02 Thread Ronald Wimmer via FreeIPA-users
On 02.07.19 17:12, Ronald Wimmer via FreeIPA-users wrote: What I did on an OracleLinux 8 beta system (which is an IPA client) was installing the packages tlog and cockpit-session-recording. I do not want to use the cockpit web interface. What are the next steps in order to get session

[Freeipa-users] Session Recording on RHEL/OL8

2019-07-02 Thread Ronald Wimmer via FreeIPA-users
What I did on an OracleLinux 8 beta system (which is an IPA client) was installing the packages tlog and cockpit-session-recording. I do not want to use the cockpit web interface. What are the next steps in order to get session recording working? Cheers, Ronald

[Freeipa-users] Re: Session Recording on RHEL/OL8

2019-07-02 Thread Ronald Wimmer via FreeIPA-users
On 02.07.19 17:16, Ronald Wimmer via FreeIPA-users wrote: On 02.07.19 17:12, Ronald Wimmer via FreeIPA-users wrote: What I did on an OracleLinux 8 beta system (which is an IPA client) was installing the packages tlog and cockpit-session-recording. I do not want to use the cockpit web

[Freeipa-users] Can login with non-existing user

2019-04-16 Thread Ronald Wimmer via FreeIPA-users
I have managed to login to an IPA client with a non-existing user. My AD user is z123...@addomain.mydomain.at and I have created a similar user called i123...@ipadomain.mydomain.at. What happened now is that I could log in with the i-User and what I get to see after logging in is this:

[Freeipa-users] Re: Can login with non-existing user

2019-04-16 Thread Ronald Wimmer via FreeIPA-users
On 16.04.19 11:29, Sumit Bose via FreeIPA-users wrote: On Tue, Apr 16, 2019 at 11:12:18AM +0200, Ronald Wimmer via FreeIPA-users wrote: On 16.04.19 10:50, Sumit Bose via FreeIPA-users wrote: On Tue, Apr 16, 2019 at 09:06:44AM +0200, Ronald Wimmer via FreeIPA-users wrote: I have managed

[Freeipa-users] Re: Can login with non-existing user

2019-04-16 Thread Ronald Wimmer via FreeIPA-users
On 16.04.19 10:50, Sumit Bose via FreeIPA-users wrote: On Tue, Apr 16, 2019 at 09:06:44AM +0200, Ronald Wimmer via FreeIPA-users wrote: I have managed to login to an IPA client with a non-existing user. My AD user is z123...@addomain.mydomain.at and I have created a similar user called i123

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-20 Thread Ronald Wimmer via FreeIPA-users
SSSD might be the right way to go. I followed this guide https://github.com/keycloak/keycloak-documentation/blob/master/server_admin/topics/user-federation/sssd.adoc but I am not sure what the output of "sssctl user-checks admin -s keycloak" should be. sssctl user-checks admin -s keycloak

[Freeipa-users] Use IPA AD users in keycloak

2019-08-20 Thread Ronald Wimmer via FreeIPA-users
Is there a way of using users coming from Active Directory in Keycloak? Cheers, Ronald

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-20 Thread Ronald Wimmer via FreeIPA-users
SSSD seems to work now and I can login to Keycloak with an IPA user. Unfortunately, when trying to use an AD user I get an exception: Aug 20 13:10:46 keycloak-test.linux.mydomain.at standalone.sh[16537]: 13:10:46,967 WARN  [org.keycloak.services] (default task-52) KC-SERVICES0013: Failed

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-08-19 Thread Ronald Wimmer via FreeIPA-users
On 22.07.19 17:29, Alexander Bokovoy wrote: [...] It might be related to a recent update: https://support.microsoft.com/en-us/help/4490425/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server If i try to issue the command netdom trust second.mydomain.at

[Freeipa-users] Re: ipa_automount_location

2019-08-27 Thread Ronald Wimmer via FreeIPA-users
On 27.08.19 14:06, Rob Crittenden via FreeIPA-users wrote: Ronald Wimmer via FreeIPA-users wrote: Is it possible to use multiple automount locations (i.e. sssd.conf containing ipa_automount_location=locationA,locationB)? A location provides the master map so there can be only one. Thanks

[Freeipa-users] ipa_automount_location

2019-08-27 Thread Ronald Wimmer via FreeIPA-users
Is it possible to use multiple automount locations (i.e. sssd.conf containing ipa_automount_location=locationA,locationB)? Cheers, Ronald

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-29 Thread Ronald Wimmer via FreeIPA-users
On 29.08.19 08:59, Jakub Hrozek via FreeIPA-users wrote: [...] Apparently they are not defined on the server side. btw is ronald.wim...@mydomain.at a user in the trusted domain or the IPA domain? The user comes from a trusted domain where all four attributes exist and have values. When

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-28 Thread Ronald Wimmer via FreeIPA-users
On 28.08.19 08:39, Jakub Hrozek via FreeIPA-users wrote: [...] OK, this is what I would have expected. Is it possible to enable debugging and run the KC operation to see exactly what is being looked up and what fails? (Tue Aug 20 14:09:37 2019) [sssd[ifp]] [ifp_add_ldb_el_to_dict] (0x0400):

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-26 Thread Ronald Wimmer via FreeIPA-users
On 26.08.19 09:26, Jakub Hrozek via FreeIPA-users wrote: [...] Sorry, it's not totally clear to me if all the attributes were mapped to mail by the KC installer or by your snippet? The original config looked like it should after executing keycloak's federation-sssd-setup.sh: [domain

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-26 Thread Ronald Wimmer via FreeIPA-users
On 23.08.19 20:18, Jakub Hrozek via FreeIPA-users wrote: [...] Wait, do they really map all these attributes to mail? This seems wrong, the format is externalname:ldapname and IIRC the last one wins, so the last one is applied and stores mail as telephoneNumber. Sorry. I pasted a config

[Freeipa-users] Re: Can login with non-existing user

2019-09-02 Thread Ronald Wimmer via FreeIPA-users
On 16.04.19 11:12, Ronald Wimmer via FreeIPA-users wrote: [...] In general default_domain_suffix should not be used anymore, better is to define a domain lookup order on the IPA server. How exactly would I do that? Cheers, Ronald

[Freeipa-users] Re: Can login with non-existing user

2019-09-02 Thread Ronald Wimmer via FreeIPA-users
Sorry for asking. I might have missed to read that part of the official documentation: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/windows_integration_guide/short-names#configuring-clients

[Freeipa-users] Re: Can login with non-existing user

2019-09-02 Thread Ronald Wimmer via FreeIPA-users
Configured it on the ipa server side and it works like a charm! What I am still missing is setting the default shell on the server side as well. I still have to use the default_shell entry in the nss section of sssd.conf to set the shell to /bin/bash for AD users. Cheers, Ronald

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-23 Thread Ronald Wimmer via FreeIPA-users
On 22.08.19 15:57, Jakub Hrozek via FreeIPA-users wrote: [...] As far as I remember, Keycloak uses the D-Bus interface of SSSD to retrieve the user's attribute. Can you check if the ifp service is up and running and if there are any helpful logs in the sssd_ifp.log file? I do not get AD

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-23 Thread Ronald Wimmer via FreeIPA-users
On 23.08.19 15:53, Jakub Hrozek via FreeIPA-users wrote: [...] Hmm, I don't remember from the top of my head which attributes does KC try to fetch, but e-mail sounds like what it would need, at least that's what's most commonly used for claims and such. If you correlate the KC lookup errors

[Freeipa-users] Re: Use IPA AD users in keycloak

2019-08-23 Thread Ronald Wimmer via FreeIPA-users
On 23.08.19 18:03, Alexander Bokovoy wrote: [...] Is this Keycloak installation done separate from IPA master? If yes, then you need to have ldap_user_extra_attrs on both IPA client where Keycloak runs and on IPA masters that SSSD would talk to to obtain information about AD users. Keycloak

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-07-23 Thread Ronald Wimmer via FreeIPA-users
On 22.07.19 17:29, Alexander Bokovoy wrote: [...] It might be related to a recent update: https://support.microsoft.com/en-us/help/4490425/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server I bet we have been struck by that. PuTTY-Settings are correct,

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-07-23 Thread Ronald Wimmer via FreeIPA-users
On 23.07.19 09:54, Alexander Bokovoy wrote: On Tue, 23 Jul 2019, Ronald Wimmer wrote: On 22.07.19 17:29, Alexander Bokovoy wrote: [...] It might be related to a recent update: https://support.microsoft.com/en-us/help/4490425/updates-to-tgt-delegation-across-incoming-trusts-in-windows-server

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-07-23 Thread Ronald Wimmer via FreeIPA-users
Unfortunately, when I try the following on an affected windows machine it does not work: C:\> netdom trust linux.mydomain.at /domain:ad.mydomain.at /EnableTGTDelegation: Yes /verbose Establishing a session with \\ipa1.linux.mydomain.at Reading LSA domain policy information Deleting the

[Freeipa-users] Re: Session Recording on RHEL/OL8

2019-07-18 Thread Ronald Wimmer via FreeIPA-users
Removing the SendEnv line in /etc/ssh/ssh_config solved the problem. Thanks a lot!

[Freeipa-users] Automounting homeshares partially stopped working

2019-07-18 Thread Ronald Wimmer via FreeIPA-users
Some days ago a strange problem struck us. When colleagues access a server using an ipa-automounted share from a Windows client they can logon to such a server using a Kerberos ticket but they cannot access their NFS-automounted home-share anymore. When they log on with username/password they

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-07-18 Thread Ronald Wimmer via FreeIPA-users
When it does not work I can see the following error in the logs: Jul 18 15:12:49 myservername gssproxy[5592]: (OID: { 1 2 840 113554 1 2 2 }) Unspecified GSS failure.  Minor code may provide more information, No credentials cache found

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-07-23 Thread Ronald Wimmer via FreeIPA-users
On 23.07.19 15:19, Alexander Bokovoy wrote: netdom trust ad.mydomain.at /domain:linux.mydomain.at /enabletgtdelegation:Yes /verbose I think you are right. This way a domain controller is contacted. But still, I get an "Access is denied.". Presumably I would need an AD admin to issue that

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-07-23 Thread Ronald Wimmer via FreeIPA-users
On 23.07.19 16:03, Alexander Bokovoy wrote: On Tue, 23 Jul 2019, Ronald Wimmer wrote: On 23.07.19 15:19, Alexander Bokovoy wrote: netdom trust ad.mydomain.at /domain:linux.mydomain.at /enabletgtdelegation:Yes /verbose I think you are right. This way a domain controller is contacted. But

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-07-23 Thread Ronald Wimmer via FreeIPA-users
On 23.07.19 16:06, Ronald Wimmer via FreeIPA-users wrote: On 23.07.19 16:03, Alexander Bokovoy wrote: On Tue, 23 Jul 2019, Ronald Wimmer wrote: On 23.07.19 15:19, Alexander Bokovoy wrote: netdom trust ad.mydomain.at /domain:linux.mydomain.at /enabletgtdelegation:Yes /verbose I think you

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-07-22 Thread Ronald Wimmer via FreeIPA-users
On 22.07.19 16:18, Rob Crittenden wrote: Rolf Linder via FreeIPA-users wrote: Hi all We've seen the same issue at our site too. Kerberos SSO logins do not work for (remote) NFS access anymore. We can access the share when using password login (or after SSO login by using kinit). Any hints

[Freeipa-users] Re: Automounting homeshares partially stopped working

2019-07-22 Thread Ronald Wimmer via FreeIPA-users
On 22.07.19 16:25, Rob Crittenden wrote: [...] An assumption here since your workflow isn't completely clear but do you actually have a ticket on the Linux machine after sshing in from Windows? Sure seems like you don't. The affected users do not have any Kerberos ticket on the target machine.

[Freeipa-users] IPA domain realms

2019-10-01 Thread Ronald Wimmer via FreeIPA-users
I have an IPA installation with an AD trust from ipa.mydomain.at to ad.mydomain.at. What is the Realm domains feature for? Is it possible to define an IPA subdomain (e.g. test.ipa.mydomain.at) as an additional realm domain? Will Kerberos and AD trust (configured for ipa.mydomain.at) work for

[Freeipa-users] Could not login with AD user

2019-11-05 Thread Ronald Wimmer via FreeIPA-users
Today I was not able to log in with an AD user to an IPA client within a test setup. IPA users worked fine. DNS is managed externally. I figured out that the DNS-Record of that particular IPA client has not been created correctly. After having corrected the DNS entry and having dropped the

[Freeipa-users] Re: Could not login with AD user

2019-11-07 Thread Ronald Wimmer via FreeIPA-users
On one of the IPA servers themselves a getent passwd myadu...@bau.mydomain.at is working. On the system where I cannot login with this user I do not get a result. What do I have to look for in which sssd log file in order to find out what the problem is? Cheers, Ronald

[Freeipa-users] Re: Could not login with AD user

2019-11-07 Thread Ronald Wimmer via FreeIPA-users
Simply increasing the krb5_auth_timeout in the client's sssd.conf did the trick. Thanks for the good troubleshooting guide at https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html Cheers, Ronald

[Freeipa-users] Re: Could not login with AD user

2019-11-06 Thread Ronald Wimmer via FreeIPA-users
The only log entries that appear when a different user tries it do appear in /var/log/secure: Nov  6 10:33:19 ws102317180 sshd[24003]: Invalid user an_ad_u...@bau.mydomain.at from 10.16.11.218 port 60646 Nov  6 10:33:19 ws102317180 sshd[24003]: input_userauth_request: invalid user

[Freeipa-users] Re: Could not login with AD user

2019-11-06 Thread Ronald Wimmer via FreeIPA-users
On 06.11.19 08:08, Sumit Bose via FreeIPA-users wrote: On Wed, Nov 06, 2019 at 12:20:21AM +0100, Ronald Wimmer via FreeIPA-users wrote: Today I was not able to log in with an AD user to an IPA client within a test setup. IPA users worked fine. DNS is managed externally. I figured out

[Freeipa-users] IPA-automounted user home and git

2019-11-18 Thread Ronald Wimmer via FreeIPA-users
Today I've encountered a strange problem on a Centos 7.7 machine with IPA automounted user homes. When I try to do a git clone in my home directory using SSH it aborts abnormally with the following error message: remote: Enumerating objects: 4045, done. remote: Counting objects: 100%

[Freeipa-users] Re: Could not login with AD user

2019-11-08 Thread Ronald Wimmer via FreeIPA-users
It seems that this was a coincidence... sometimes AD users are found but most of the time they are not: [root@ipaclient sssd]# id us...@bau.mydomain.at id: us...@bau.mydomain.at: No such user [root@ipaclient sssd]# id us...@bau.mydomain.at id: us...@bau.mydomain.at: No such user Where do I

[Freeipa-users] Re: Could not login with AD user

2019-11-08 Thread Ronald Wimmer via FreeIPA-users
On 08.11.19 11:08, Alexander Bokovoy via FreeIPA-users wrote: [...] Are these assumptions true: - ipaA became a trust controller by issuing the "ipa trust-add" command - ipaB will have to be configured as trust agent Correct. By running ipa-adtrust-install --add-agents on ipaA, you can add

[Freeipa-users] Re: Could not login with AD user

2019-11-08 Thread Ronald Wimmer via FreeIPA-users
On 08.11.19 10:15, Sumit Bose via FreeIPA-users wrote: On Fri, Nov 08, 2019 at 10:04:41AM +0100, Ronald Wimmer via FreeIPA-users wrote: It seems that this was a coincidence... sometimes AD users are found but most of the time they are not: [root@ipaclient sssd]# id us...@bau.mydomain.at id

[Freeipa-users] Re: Could not login with AD user

2019-11-08 Thread Ronald Wimmer via FreeIPA-users
I think I know where to take a closer look. I have 2 IPA servers, let's call them ipaA and ipaB. On ipaA everything works without any problems. On ipaB I cannot resolve AD users. The "ipa trust-add" command has only been issued on ipaA. Some time ago I read about trust controllers and trust

[Freeipa-users] Re: In-place upgrade from RHEL 7 to RHEL 8

2019-12-04 Thread Ronald Wimmer via FreeIPA-users
On 04.12.19 20:32, Rob Crittenden via FreeIPA-users wrote: [...] In my opinion as a general rule it is far safer to create a new master than in-place upgrade. Thank you very much for your quick reply! Cheers, Ronald

[Freeipa-users] Re: In-place upgrade from RHEL 7 to RHEL 8

2019-12-04 Thread Ronald Wimmer via FreeIPA-users
Could a Red Hat guy give a short answer to my last question, please? Cheers, Ronald

[Freeipa-users] Re: Allow AD users to manage FreeIPA

2019-12-12 Thread Ronald Wimmer via FreeIPA-users
Will this feature also allow using ipa vault for AD users?

[Freeipa-users] Multiple HBAC rules in one Apache config

2019-10-25 Thread Ronald Wimmer via FreeIPA-users
Hi, is there a way to use multiple HBAC rules in the same "Require pam-account" line in one and the same Apache config? Something like Require pam-account hbacA|hbacB Cheers, Ronald

[Freeipa-users] autofs.service does not start

2019-12-02 Thread Ronald Wimmer via FreeIPA-users
After a reboot of a RHEL 7.7 machine autofs.service did not start:

[Freeipa-users] Re: autofs.service does not start

2019-12-02 Thread Ronald Wimmer via FreeIPA-users
Sorry... Accidentally hit "send message" somehow. Here is the full story: When that server is booted autofs.service does not run. (inactive: dead) Trying to start it with systemctl results in that command hanging. After restarting rpcidmapd, rpcgssd and sssd I tried again without success. A

[Freeipa-users] In-place upgrade from RHEL 7 to RHEL 8

2019-11-29 Thread Ronald Wimmer via FreeIPA-users
According to a Red Hat document (https://access.redhat.com/articles/4263361 ) an in-place upgrade is only possible from RHEL 7.6 to RHEL 8.1. Unfortunately, I've kept my IPA servers up-to-date so that their version is now 7.7.1908. The document also states that there will be a possibility to

[Freeipa-users] /var/log/pki/pki-tomcat/ca/debug

2019-12-10 Thread Ronald Wimmer via FreeIPA-users
I cannot remember having set anything to "debug" regarding the CA. Nevertheless, these files are growing continuously: -rw-r-. 1 pkiuser pkiuser 1.6G Dec 10 09:15 /var/log/pki/pki-tomcat/ca/debug -rw-r-. 1 pkiuser pkiuser 303M Dec 10 09:16 /var/log/pki/pki-tomcat/ca/debug -rw-r-. 1

[Freeipa-users] Re: Domain controllers switch to LDAPS

2020-02-25 Thread Ronald Wimmer via FreeIPA-users
On 25.02.20 16:47, Alexander Bokovoy via FreeIPA-users wrote: [...] Details are in https://access.redhat.com/articles/4661861 (accessible with a subscription but even free Developer's subscription is fine). "Red Hat is working on an SSSD/adcli (RHEL8,RHEL7) enhancement that allows the use of

[Freeipa-users] Re: IPA client's sssd.conf

2020-02-28 Thread Ronald Wimmer via FreeIPA-users
I would like to set values for On 28.02.20 08:53, Alexander Bokovoy wrote: On pe, 28 helmi 2020, Ronald Wimmer via FreeIPA-users wrote: Is there a way to set some default keys and values that end up in an IPA client's sssd.conf upon ipa-client-install? I don't think of any that are applied

[Freeipa-users] IPA client's sssd.conf

2020-02-27 Thread Ronald Wimmer via FreeIPA-users
Is there a way to set some default keys and values that end up in an IPA client's sssd.conf upon ipa-client-install? Cheers, Ronald

[Freeipa-users] Re: Caching

2020-02-28 Thread Ronald Wimmer via FreeIPA-users
On 25.02.20 11:27, Sumit Bose via FreeIPA-users wrote: 'cache_credentials' only controls if the credentials given by the user, typically this is a password, are stored in the cache in a hashed version. In regard to caching, what happens when an AD user gets locked or changes its password? When

[Freeipa-users] Re: IPA client's sssd.conf

2020-02-28 Thread Ronald Wimmer via FreeIPA-users
On 28.02.20 10:04, Sumit Bose via FreeIPA-users wrote: would it help to create a file in /etc/sssd/conf.d/ with the config settings you would like to add before calling ipa-client-install? See section 'CONFIGURATION SNIPPETS FROM INCLUDE DIRECTORY' in the sssd.conf man page for more details.

[Freeipa-users] Caching

2020-02-25 Thread Ronald Wimmer via FreeIPA-users
If SSSD has cache_credentials set to True it will take some time until changes become visible on an IPA client. When I change sudo permissions for a certain user I usually want the changes to be effective immediately. Does this imply setting cache_credentials to False or what are best practices

[Freeipa-users] Re: Caching

2020-02-25 Thread Ronald Wimmer via FreeIPA-users
I was not aware of that. If I change sudo rules for a certain user do I have any control on how long the changes take to be effective? Is invalidating the cache on a client the only option I have? Cheers, Ronald

[Freeipa-users] Domain controllers switch to LDAPS

2020-02-25 Thread Ronald Wimmer via FreeIPA-users
Hi, will Microsoft's decision to let domain controllers talk LDAPS only in the near future affect IPA somehow? Cheers, Ronald
