Hi,
I have a question regarding establishing one-way trust between FreeIPA
and Active Directory. In the documentation it is stated that to use a
cross-forest trust it is required for FreeIPA to have a different domain
than that of Active Directory. Does it also apply to the synchronization
sc
Hi all,
I have set up trust between FreeIPA and AD. Users from AD domain can
successfully log into the Linux boxes when I have allow_all rule enabled.
However, when I try to achieve something more fancy, like assigning a set of
users to a custom group (firstly external, then the posix one) or mak
Hi Lachlan,
I am using these versions:
ipa-client.x86_64 4.4.0-14.el7.centos.7 installed
sssd.x86_64 1.14.0-43.el7_3.18 installed
Bart
Just to add an example of the behaviour I described, I configured an AD user
group membership and granted him access via HBAC rule. Waited approximately for
2 hours and then, all of a sudden, it magically works without me changing
anything :). Below is the log excerpt from /var/log/secure which ca
Thank you a lot for clarification.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> On Thu, Jul 06, 2017 at 02:29:34PM -0000, bogusmaster--- via FreeIPA-users
> wrote:
>
>
> The ipa-client gets all its data from the IPA server and for efficiency
> the lookup on the server goes via the SSSD cache on the server.
>
> While on the client during authent
Thank you for sharing this hint, I am going to try the upgrade. Can I ask you
which version of IPA did you use with that sssd version? Did you upgrade sssd
on each type of server (I mean both client and server)?
Many thanks,
Bart
What was the IPA version you used? It might not be related, but when I upgraded
sssd to 1.15.2-5 ssh doesn't work for me either on the FreeIPA server or on
the clients. What's more strange, getent passwd for AD users doesn't work for
the clients, although it works for the server.
Thank you for the answer.
I've verified the status of domain on both server and client.
On a server it appears that IPA domain (ipa.sub.mydomain.com) is always online.
However, status of AD domain (sub.mydomain.com) seems to be fluctuating between
Online and Offline and sometimes sssctl returns
This is the exact configuration that I am currently using (sssd 1.15 from COPR
repo and FreeIPA 4.4) and I'm still having issues with group membership.
I've uploaded them here: goo.gl/hiFHKE
Thank you,
Bart
> Can you do a test on the server by calling
>
> id username@ad.domain
>
> and collect sssd_nss.log and sssd_your.ipa.domain.log on the server as
> well?
I uploaded these files to the same place as before - goo.gl/hiFHKE. They have
SERVER prefix in their names.
> In the id output all grou
I also observed one peculiar thing when it comes to group membership of the
group which is used in my HBAC rule.
When I issue getent group ad_users on the server, I get:
ad_users:*:101025:j...@td.mydomain.com
In FreeIPA's web UI the membership looks as follows:
External member
S-1
> On Fri, Jul 14, 2017 at 10:00:20AM -0000, bogusmaster--- via FreeIPA-users
> wrote:
>
> yes, but I think this is only a side effect. SSSD cannot resolve a
> global catalog server. Does
>
> dig SRV _gc._tcp.td.mydomain.com
>
> return anything when called on
Hi All,
I am setting up a one-way trust from FreeIPA server to AD domain with a
pre-shared key.
It seems that it was set up successfully but I cannot verify the Kerberos
configuration when I follow the steps described here:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux
The behavior that I described above pertains to Windows 2008 R2. When I attempt to
do exactly the same with AD set up on top of Windows 2012, it works
flawlessly. Unfortunately, the environment I have to set up trust with uses Windows
2008 R2. I am wondering what might be the difference between these