Hey,
Is that the sssd configuration on the server or the client? There's no
sss_cache executable on the client; is that correct?
I noticed that when I remove a user from the sudo role, the clients
notice it almost immediately, but when I re-add the sudo role, it doesn't
come back. I usually
Actually I just saw Jakub's response, and that helped me out. I just
added this to the sssd.conf on the client, and it seems to work:
[domain/ipa.services.FOO]
ldap_sudo_smart_refresh_interval = 60
ldap_sudo_full_refresh_interval = 21600
Thanks, all!
On 2017-04-06 11:47,
Hello,
Can anybody explain briefly what ipa-getkeytab runs under the hood in order
to use similar logic for unix clients (will help in automating the
registration to IPA server) ?
Thank You !
--
Manage your subscription for the Freeipa-users mailing list:
hi all,
(this is IPA 4.4.0-14.el7.centos.4)
i'm a bit puzzled by the following: i want to retrieve a user keytab
using ipa-getkeytab -r (since the keytab for the same user was already
retrieved on another host).
when doing so, i get
Failed to parse result: Insufficient access rights
however,
On Thu, 06 Apr 2017, Mikael wrote:
Hello!
I try to create sids for all my users when running ipa-adtrust-install
but there are no signs of the sids in ldap and I get the following
error in the error log for the directory server.
[06/Apr/2017:17:18:02.336841997 +0200] sidgen_task_thread -
Hello!
I try to create sids for all my users when running ipa-adtrust-install
but there are no signs of the sids in ldap and I get the following error
in the error log for the directory server.
[06/Apr/2017:17:18:02.336841997 +0200] sidgen_task_thread - [file
ipa_sidgen_task.c, line 194]:
Iulian Roman wrote:
> Hello,
>
> Can anybody explain briefly what ipa-getkeytab runs under the hood in
> order to use similar logic for unix clients (will help in automating
> the registration to IPA server) ?
>
> Thank You !
Honestly your best bet would be to pull the freeipa source and
I see similar things in our environment where IPA is used as "glue"
between AD Forests that have a 1-way trust relationship. We believe that
the root cause has something to do with the 30+ domain controllers the
IPA client tries to make contact with (in seemingly random order) across
the AD
Hi,
My IPA<->AD trust setup experiences intermittent failures during login
events. The AD subdomain goes in an inactive/offline state and users
logging in are put into a 'delayed authentication' queue. Usually
logging in after a minute or so succeeds as the subdomain is reset and
the user is
I have created a two way trust between my IDM server and Active
Directory. I have been able to successfully get RHEL 7.3 IDM server and
RHEL 7.3 IDM clients to allow Active Directory login using CAC smart
cards into Gnome. I'm using SSSD for the smart card login process
instead of
On Thu, Apr 06, 2017 at 07:21:01PM +0200, m...@chinewalking.com wrote:
> Hi,
>
> My IPA<->AD trust setup experiences intermittent failures during login
> events. The AD subdomain goes in an inactive/offline state and users logging
> in are put into a 'delayed authentication' queue. Usually
On Thu, Apr 06, 2017 at 01:55:02PM +0200, Ronald Wimmer wrote:
> On 2017-04-06 12:16, Sumit Bose wrote:
> > On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote:
> > [...]
> > > AD trust:
> > > mydomain.at (forest root)
> > > xyz (subdomain -> where myuser resides)
> > >
> > > BCC
hi rob,
>> i'm a bit puzzled by the following: i want to retrieve a user keytab
>> using ipa-getkeytab -r (since the keytab for the same user was already
>> retrieved on another host).
>>
>> when doing so, i get
>>
>> Failed to parse result: Insufficient access rights
>>
>> however, i can get the
Stijn De Weirdt wrote:
> hi all,
>
> (this is IPA 4.4.0-14.el7.centos.4)
>
> i'm a bit puzzled by the following: i want to retrieve a user keytab
> using ipa-getkeytab -r (since the keytab for the same user was already
> retrieved on another host).
>
> when doing so, i get
>
> Failed to parse
On 2017-04-06 20:18, Jakub Hrozek wrote:
On Thu, Apr 06, 2017 at 07:21:01PM +0200, m...@chinewalking.com wrote:
Hi,
My IPA<->AD trust setup experiences intermittent failures during login
events. The AD subdomain goes in an inactive/offline state and users
logging in are put into a 'delayed
Stijn De Weirdt wrote:
> hi rob,
>
>>> i'm a bit puzzled by the following: i want to retrieve a user keytab
>>> using ipa-getkeytab -r (since the keytab for the same user was already
>>> retrieved on another host).
>>>
>>> when doing so, i get
>>>
>>> Failed to parse result: Insufficient access
Quoting Sumit Bose:
On Thu, Apr 06, 2017 at 01:55:02PM +0200, Ronald Wimmer wrote:
On 2017-04-06 12:16, Sumit Bose wrote:
> On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote:
> [...]
> > AD trust:
> > mydomain.at (forest root)
> > xyz (subdomain -> where myuser
Thank you for hint, Martin!
Looks like the upgrade went smoothly with just yum upgrade.
After the multi-step upgrade in previous versions I was hesitant this time.
Andrey
From: Martin Bašti
Date: Wednesday, April 5, 2017 at 4:11 AM
To: Lachlan Musicman
On 2017-04-04 11:19, Jakub Hrozek wrote:
On Tue, Apr 04, 2017 at 09:51:04AM +0200, Ronald Wimmer wrote:
Hi,
my IPA master has an AD trust (several thousand users). Since the trust has
been set up I am experiencing that I cannot login on the web interface. Even
connecting via SSH does not work
On Wed, 05 Apr 2017, William Muriithi wrote:
Good evening,
I am looking through the IPA documentation and it looks like I will
need a password that doesn't expire on the active directory side.
No.
These are the two documented ways.
ipa trust-add --type=ad ad.example.com --admin
On Thu, Apr 06, 2017 at 09:11:32AM +0200, Martin Bašti wrote:
>
>
> On 06.04.2017 01:57, Greg Gilbert wrote:
> > Hey. I'm a bit new to FreeIPA, so apologies if this has already been
> > addressed. For reference, I'm running FreeIPA 4.4 server on CentOS 7,
> > and FreeIPA client 4.3.1 on Ubuntu
On Thu, Apr 06, 2017 at 12:10:29PM +0200, Ronald Wimmer wrote:
> Hi,
>
> when I try to login to an IPA client with my AD user it works perfectly when
> I already have a kerberos ticket for my user. When I do not and I try a
> password-based login it fails:
Please send the sssd_domain.log and
On 2017-04-06 11:21, Sumit Bose wrote:
On Thu, Apr 06, 2017 at 12:10:29PM +0200, Ronald Wimmer wrote:
Hi,
when I try to login to an IPA client with my AD user it works perfectly when
I already have a kerberos ticket for my user. When I do not and I try a
password-based login it fails:
Please
Hi,
when I try to login to an IPA client with my AD user it works perfectly
when I already have a kerberos ticket for my user. When I do not and I
try a password-based login it fails:
Password-based:
(Thu Apr 6 10:39:12 2017) [sssd[pam]] [pam_check_user_search] (0x0400):
Returning info for
On 2017-04-06 12:58, Ronald Wimmer wrote:
[...]
BCC (appearing in krb5_child.log) is not a domain here. It is my
company's name and might derive from some information in the AD.
After doing an LDAP search on the domain controller of my AD domain
(xyz.mydomain.at) I found out that my
On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote:
> On 2017-04-06 11:21, Sumit Bose wrote:
> > On Thu, Apr 06, 2017 at 12:10:29PM +0200, Ronald Wimmer wrote:
> > > Hi,
> > >
> > > when I try to login to an IPA client with my AD user it works perfectly
> > > when
> > > I already have
On 2017-04-06 12:16, Sumit Bose wrote:
On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote:
[...]
AD trust:
mydomain.at (forest root)
xyz (subdomain -> where myuser resides)
BCC (appearing in krb5_child.log) is not a domain here. It is my company's
name and might derive from some
On 06.04.2017 01:57, Greg Gilbert wrote:
Hey. I'm a bit new to FreeIPA, so apologies if this has already been
addressed. For reference, I'm running FreeIPA 4.4 server on CentOS 7,
and FreeIPA client 4.3.1 on Ubuntu nodes.
I've noticed that when I make changes to policies, it either takes a
On Wed, Apr 05, 2017 at 10:38:48PM -0700, Wim Lewis wrote:
> With a bit of tweaking, I was able to generate a usable
> certificate by creating a second host entry,
> 'wildcard.blah.example.com', managed by blah.example.com, and then
> editing the leftmost label from 'wildcard' to '*' in all of the