On 11/11/2009 11:53 PM, Stephen P. Sandifer wrote:
> Has anyone successfully built the alpha package from source?
>
> I thought I'd solved all the dependencies but it does not seem to build
> successfully. For those who did, would you mind letting me know what
> your Linux distribution is?
>
> Th
On 03/17/2010 11:22 AM, Gerrard Geldenhuis wrote:
> Hi
> I was wondering if anyone has had any luck in getting FreeIPA compiled and
> installed on Centos. I am struggling a bit at the moment. I have downloaded a
> fedora source package which I have t
On 06/08/2010 07:13 AM, Konstantin Kozlov wrote:
> I've installed everything from official repos. SSSD caused problems
> because ipa-client-install made a 'default' domain in sssd.conf and
> sssd was looking for SRV records in DNS for LDAP and KDC with
On 07/14/2010 05:45 PM, Dan Scott wrote:
> [domain/default]
> ldap_id_use_start_tls = False
> cache_credentials = False
> auth_provider = krb5
> debug_level = 0
> krb5_kpasswd = ldap.example.com:749
> ldap_schema = rfc2307bis
> krb5_realm = EXAMPLE.COM
On 07/14/2010 07:43 PM, Dmitri Pal wrote:
>> UPDATE: Have just received Jakub Hrozek email (Thanks Jakub). Adding
>> > fileserver1, fileserver2 appears to have fixed the problem. However,
>> > this means that I have to edit thi
On Fri, Jan 14, 2011 at 03:08:44PM +0530, Aravind GV wrote:
> Hi
>
> I’m trying to set up password/identity sync to the FreeIPA V2 server from a
> Windows 2003R2 SP2 server to a Fedora 14. According to installation document
> in free ipa website [
> http://freeipa.org/docs/2.0.0/Installation_Deplo
On 01/24/2011 08:57 PM, Jeff B wrote:
I might have missed this yesterday, is it trying to bind to the apple
as Directory Manager? I thought that was for FreeIPA but now I'm not
sure. I was intending to have it do an anonymous bind to the apple.
If so I guess that would explain it.
Yes, "cn=D
On 02/18/2011 01:04 AM, Steven Jones wrote:
> Trying to install but there appears to be a dependency failure
>
> ipa server requires 389-ds-base > 1.2.8 but 389-ds-base = 1.2.6
>
> regards
>
>
389-ds-base 1.2.8 is in the updates-testing re
On 03/04/2011 02:35 AM, Steven Jones wrote:
Hi,
Thanks, I think there may be a dependency missing for the yum install of
the client when I go to the system-auth, ipa is there as an option
but it's missing a .so in nss-pam-ldapd and asks for it to be installed,
the dependency off that is nscd an
On 04/30/2011 08:41 AM, nasir nasir wrote:
-- About 50 Linux clients running *Kubuntu (can change this to
ubuntu if necessary)*
Just a warning that *Ubuntu - according to
http://packages.ubuntu.com/sssd - still defaults to sssd 1.2.1, even in
their "natty" release.
There was a number of
On 05/13/2011 06:00 AM, Steven Jones wrote:
> [root@vuwunicoipamt01 etc]# ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p
> host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz -p admin
The second -p overrides the first.
On 05/15/2011 06:49 AM, nasir nasir wrote:
> Thanks again!
>
> NO, it was not set. I added it manually now (*automount: ldap *) and
> now a different error pops up in /var/log/messages while restarting
> autofs service,
>
> *May 15 06:32:04 hugayat automount[16256]: open_lookup:90: cannot open
>
On 05/16/2011 02:08 PM, nasir nasir wrote:
> May 16 14:14:13 rhel automount[1787]: >> mount.nfs4: mounting
> hugayat.cohort.org:/xtra/home/test1 failed, reason given by server:
> May 16 14:14:13 rhel automount[1787]: >> No such file or directory
> May 16 14:14:13 rhel automount[1787]: mount(nfs):
On Wed, Mar 18, 2015 at 08:26:03AM +0200, Alexander Bokovoy wrote:
> On Tue, 17 Mar 2015, Gould, Joshua wrote:
> >I figured out that the ldap_idmap_range_min and ldap_idmap_range_size need
> >to match what's in ipa idrange-find --all for the AD domain.
> >
> ># ipa idrange-mod --base-id=10 --ran
On Wed, Mar 18, 2015 at 04:15:28PM +0530, Sanju A wrote:
> Hi All,
>
> I have configured IPA and later configured master-master replication. But
> it failed to fall over to the replica when master down. Please help
> Here are the details.
What is "it"? A client machine running on a client diff
On Wed, Mar 18, 2015 at 06:44:04PM +0530, Sanju A wrote:
> Dear Jakub,
>
>
> I have joined the client machine using the following command (including
> the replica server details) and it is working.
>
> ipa-client-install --mkhomedir --domain=example.com
> --server=ipa.example.com --server=i
On Thu, Mar 19, 2015 at 08:42:42AM +0100, Andrew Holway wrote:
> Cool stuff. Thanks.
>
> I had a look at our SRV records and found the following:
> _kerberos-master._tcp
> _kerberos-master._udp
> _kerberos._tcp
> _kerberos._udp
> _kpasswd._tcp
> _kpasswd._udp
> _ldap._tcp
> _ntp._udp
>
> No menti
On Thu, Mar 19, 2015 at 11:05:45AM -0400, Gould, Joshua wrote:
> I'm seeing ssh logins for AD users take MUCH longer when using SID mapping
> vs. POSIX attributes. Both myself and our AD admin would prefer to use SID
> mapping. It appears tied to the group lookup at login. There seem to be
> many p
6_64
> sssd-common-1.12.2-58.el7.x86_64
> sssd-ad-1.12.2-58.el7.x86_64
> sssd-krb5-1.12.2-58.el7.x86_64
> sssd-ldap-1.12.2-58.el7.x86_64
> sssd-client-1.12.2-58.el7.x86_64
> sssd-common-pac-1.12.2-58.el7.x86_64
> sssd-proxy-1.12.2-58.el7.x86_64
>
>
>
> On 3/19/15,
On Thu, Mar 19, 2015 at 04:46:44PM +0100, Bobby Prins wrote:
> Hi there,
>
> I'm currently trying to use the 'AD Trust for Legacy Clients' freeIPA setup
> (described here:
> http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf) to be able
> to authenticate AIX 7.1 clients against an A
On Thu, Mar 19, 2015 at 03:51:48PM +0100, Andrew Holway wrote:
> I am having problems with sudo and using _srv_ in the sssd config.
>
> This works:
>
> # For the SUDO integration
>
> sudo_provider = ldap
>
> ldap_uri = ldap://test-freeipa-1.cloud.domain.de
>
> ldap_sudo_search_base = ou=sudoer
On Thu, Mar 19, 2015 at 05:38:49PM +0100, Andrew Holway wrote:
> Hi Jakub,
>
> Name: ipa-client
> Arch: x86_64
> Version : 3.3.3
> Release : 28.0.1.el7.centos.3
I wasn't precise enough, I meant the sssd version, sorry. But given that
you're on RHEL-7, I think you can switc
ac-1.12.2-58.el7.x86_64
> sssd-proxy-1.12.2-58.el7.x86_64
>
>
>
> On 3/19/15, 11:23 AM, "Jakub Hrozek" wrote:
>
>> On Thu, Mar 19, 2015 at 11:05:45AM -0400, Gould, Joshua wrote:
>>> I'm seeing ssh logins for AD users take MUCH longer when using SID
>>>
> On 19 Mar 2015, at 20:09, Prasun Gera wrote:
>
> I thought a bit more about the issue of conflicts in /var/lib/sss/db, and I
> think it's a pretty significant problem, probably from a security standpoint
> too. The fact that it's trying to authenticate against something stale and
> incorrec
> On 19 Mar 2015, at 21:18, Roberto Cornacchia
> wrote:
>
> It's possible that I'm simply not getting the point, or that I don't
> understand the documentation correctly, but this is what I don't find clear:
>
> I had seen the instructions you pointed me at. These are not specifically
> abou
On Thu, Mar 19, 2015 at 10:32:08PM +0100, Andrew Holway wrote:
> >
> >
> > I wasn't precise enough, I meant the sssd version, sorry. But given that
> > you're on RHEL-7, I think you can switch to:
> > sudo_provider=ipa
> >
>
> That does indeed seem to work. Thanks!
You're welcome, btw if you
On Thu, Mar 19, 2015 at 05:29:39PM -0400, Gould, Joshua wrote:
> Thank you!
You're welcome, please try these builds:
https://jhrozek.fedorapeople.org/sssd-test-builds/sssd-7.1-gr-request/
But please note that when POSIX attributes are requested, the lookups
will /always/ be slower. With ID mappin
On Thu, Mar 19, 2015 at 05:50:50PM -0400, Prasun Gera wrote:
> It's just that /var/lib/sss/db is not cleared between subsequent server
> installs and uninstall, and that seems to be creating problems on the
> server since the server is also a client. If you do
> install-uninstall-install on the ser
On Fri, Mar 20, 2015 at 09:20:15AM +0100, Andrew Holway wrote:
> Actually, I stumbled across this which explains everything you need to do
> to get sudo working on Centos6 clients.
> https://www.redhat.com/archives/freeipa-users/2013-June/msg00064.html
>
> I have had to kind of scratch together bi
On Fri, Mar 20, 2015 at 11:06:04AM +0100, Jan Pazdziora wrote:
> On Wed, Mar 18, 2015 at 01:11:44PM -0400, Rob Crittenden wrote:
> > On Wed, Mar 18, 2015 at 17:40:19 +0100, Andrew Holway wrote:
> > >
> > > I'm wondering how we should be handing SSSD for redundant configurations
> > > on our freeipa
On Fri, Mar 20, 2015 at 01:02:58PM +0100, Jan Pazdziora wrote:
> On Fri, Mar 20, 2015 at 11:51:14AM +0100, Jakub Hrozek wrote:
> >
> > Or even better, set the weight and priority fields on the server and
> > keep using SRV resolution :-)
>
> How do you specify differe
> authentication success; logname= uid=0 euid=0 tty=ssh ruser=
> rhost=10.234.49.39 user=gould
> Mar 20 09:38:48 mid-ipa-vp01 sshd[3081]: Accepted password for gould from
> 10.134.249.39 port 60170 ssh2
> Mar 20 09:38:48 mid-ipa-vp01 sshd[3081]: pam_unix(sshd:session): session
> open
On Fri, Mar 20, 2015 at 04:05:56PM +0100, Andrew Holway wrote:
> Hi,
>
> I am having one of those really annoying pesky troubles.
>
> I add clients to freeipa but the first time I am logging in and trying to
> sudo with my freeipa credentials the sudo is not working. If I restart the
> SSSD proce
On Fri, Mar 20, 2015 at 08:32:14PM -0400, Dmitri Pal wrote:
> On 03/20/2015 08:18 PM, nat...@nathanpeters.com wrote:
> >>>Actually this was the problem :
> >>>
> >>>I had added the following line to the [sssd] section of sssd.conf :
> >>>[sssd]
> >>>default_domain_suffix = addomain.net
> >>>
> >>>T
On Sun, Mar 22, 2015 at 04:44:42PM +, McEvoy, James wrote:
>
> From: freeipa-users-boun...@redhat.com [freeipa-users-boun...@redhat.com] on
> behalf of Dmitri Pal [d...@redhat.com]
> Sent: Saturday, March 21, 2015 10:42 AM
> To: freeipa-users@redhat.com
> Subject: Re: [Freeipa-users] Password
On Sun, Mar 22, 2015 at 04:24:49PM +0100, Roberto Cornacchia wrote:
> Thanks Rob.
>
> Knowing that /etc/nsswitch.conf is created wrongly is a step forward,
> although we don't know why that happens yet.
> I'm not very keen on fixing it post-installation (except if this is just to
> learn more abou
On Mon, Mar 23, 2015 at 12:05:05PM +0530, Yogesh Sharma wrote:
> Hello Team,
>
> We are doing POC to use IPA server in our Env. When we try to add
> individual host and user in Sudo Rule it work fine whereas we need use
> HostGroup and Usergroup it is not working.
>
> We have been restricted to u
On Mon, Mar 23, 2015 at 12:29:03PM +0530, Yogesh Sharma wrote:
> Thanks Jakub for the reply. Please find the details:
Please keep the replies on the list, if possible. Other users might run
into the same problem and then the archives become really useful.
>
> It shows nisdomain but not netgroup:
On Mon, Mar 23, 2015 at 02:23:52PM +0530, Yogesh Sharma wrote:
> Sure Jakub. ++FreeIPA-Users
>
> "getent netgroup" not working on IPA Server
>
> [root@mipa ~]# getent netgroup stg.initd.com
> [root@mipa ~]#
>
>
>
> [root@mipa ~]# ipa hostgroup-show cipa-servers
> Host-group: cipa-servers
>
On Mon, Mar 23, 2015 at 04:18:56PM +0530, Yogesh Sharma wrote:
> Seeing a strange behavior.
>
> I deleted all Host Members from NetGroup and it was reflected in Client:
>
> [root@cipa ~]# getent netgroup stg.initd.com
> stg.initd.com
>
> then I added one hostgroup *"cipa" * and it was successful
On Mon, Mar 23, 2015 at 04:27:14PM +0530, Yogesh Sharma wrote:
> I just deleted the netgroup, even though getent is resolving.
>
> [root@mipa ~]# getent netgroup stg.initd.com
> stg.initd.com (cipa.stg.initd.com,-,stg.initd.com)
> [root@mipa ~]# ipa netgroup-show stg.initd.com
> ipa: ERROR: s
On Mon, Mar 23, 2015 at 06:26:21PM +0530, Yogesh Sharma wrote:
> Thanks Jakub.
>
> All the issue seems to be resolved now except that getent is not able to
> resolve on IPA Server however working fine on other.
>
> Below are the logs where it says it is not able to connect DataProvided.
>
[ ...
On Mon, Mar 23, 2015 at 08:23:00PM -0400, Dmitri Pal wrote:
> On 03/23/2015 05:13 PM, Matt Wells wrote:
> >We have two authentication domains; both on 4.X.
> >
> >Domain 1 - Internal and contains our employee accounts
> >Domain 2 - External accounts that reside outside of our company.
> >These acco
On Tue, Mar 24, 2015 at 04:45:53PM +0100, Bobby Prins wrote:
> >- Original message -
> >From: "Alexander Bokovoy"
> >To: "Bobby Prins"
> >Cc: d...@redhat.com, freeipa-users@redhat.com
> >Sent: Tuesday, 24 March 2015 15:13:38
> >Subject: Re: [Freeipa-users] 'Preauthentication f
On Tue, Mar 24, 2015 at 08:10:43PM +0100, Bobby Prins wrote:
> > I guess what Alexander meant (in a very simplified way) was that the 'id'
> > command could take a long time. Sumit recently fixed two nasty issues that
> > would make this operation take too long with POSIX attributes in effect
> > a
If you have SSSD 1.9.6 or newer all the sudo configuration boils down to
including 'sss' for 'sudoers' in nsswitch.conf and sudo_provider=ipa in
sssd.conf.
You also need a reasonably recent sudo itself. Posting versions of SSSD and
sudo would help.
- Original Message -
From: "Gonzalo F
On Thu, Mar 26, 2015 at 07:47:34PM +0530, Yogesh Sharma wrote:
> Once I manually initialize the user Ticket on IPA Server using kinit
> username, I am able to login with and without FQDN.
It's expected that IPA users are created with expired password. But SSSD
should have prompted you for a passwo
On Thu, Mar 26, 2015 at 08:05:03PM +0530, Yogesh Sharma wrote:
> Hi Jakub,
>
> SSSD prompted to change the password. After changing the password, when we
> try to ssh again using the new password, it failed.
And what do the logs say then, with the new password?
On Fri, Mar 27, 2015 at 10:28:13AM +0530, Yogesh Sharma wrote:
> Hi Jakub,
>
> Please find the logs for the user "test" created in IPA.
>
> (Fri Mar 27 10:19:52 2015) [sssd[nss]] [nss_cmd_getbynam] (0x0100):
> Requesting info for [test] from []
> (Fri Mar 27 10:19:52 2015) [sssd[nss]] [nss_cmd_ge
On Fri, Mar 27, 2015 at 12:34:57PM +0530, Yogesh Sharma wrote:
> No. This is the second attempt after changing the password on first login.
>
> If you want I can re-send you the logs but this is the second login logs of
> this user.
Then it would be most interesting to see the logs of the passwor
On Fri, Mar 27, 2015 at 05:00:43PM +, Srdjan Dutina wrote:
> Hi,
>
> I created the following test environment:
>
> 1. IPA server: v4.1.3 on Centos 7
> 2. Two-way trust with Active directory domain - Windows server 2012 R2
> 3. Connected multiple IPA clients:
> - Fedora 21 - v4.1.3
> - Centos
On Mon, Mar 30, 2015 at 05:36:00AM +0100, g.fer.or...@unicyber.co.uk wrote:
>
> Hey Guys
>
> Not sure if I am missing any bit but this was the thing in the end:
>
>
> http://generations.menteyarte.org/archives/195-freeipa-server-and-SSSD-on-Ubuntu.html
>
> I managed to have it working and
On Mon, Mar 30, 2015 at 08:09:43AM +, Alexander Frolushkin wrote:
> Hello everyone.
> We have a IPA 3 and AD domain trust.
> Users from AD successfully logs on to linux servers via ssh and hbac rules
> works fine with external groups. But not a sudo rules.
> When rule defines as 'who' IPA user
On Mon, Mar 30, 2015 at 02:18:00PM +0530, Yogesh Sharma wrote:
> Hi List,
>
> We have trying to install IPA-Client using source code.
Why?
> While installing we
> are seeing many error out of which most are resolved but stuck at below
> while doing make.
>
> Is there any suggestion to get out o
On Mon, Mar 30, 2015 at 02:53:39PM +0530, Yogesh Sharma wrote:
> Hi Jakub:
>
> FreeIPA package is not available in Amazon Linux running on EC2 Instance.
> We tried to install individually packages but it is breaking at many place.
>
> It is not 1.x. We had a directory with this name and I extract
On Mon, Mar 30, 2015 at 08:09:43AM +, Alexander Frolushkin wrote:
> Hello everyone.
> We have a IPA 3 and AD domain trust.
> Users from AD successfully logs on to linux servers via ssh and hbac rules
> works fine with external groups. But not a sudo rules.
> When rule defines as 'who' IPA user
On Thu, Apr 02, 2015 at 02:43:59PM +, Guertin, David S. wrote:
> >Ah so you are using it with trust. Then you should change the configuration
> >to
> >not use kerberos but rather LDAP instead.
> >More details are here.
> >http://www.freeipa.org/images/0/0d/FreeIPA33-legacy-clients.pdf
>
> Tha
On Mon, Apr 06, 2015 at 08:01:46PM -0500, Dan Mossor wrote:
> On 04/05/2015 12:51 PM, Dmitri Pal wrote:
> >On 04/05/2015 12:10 AM, Dan Mossor wrote:
> >>I've recently deployed a new domain based on 4.1.2 in F21. We've
> >>noticed an issue and can't quite seem to nail it down. The problem is
> >>tha
On Tue, Apr 07, 2015 at 11:12:40AM +0200, Martin (Lists) wrote:
> On 05.04.2015 at 11:51, Martin (Lists) wrote:
> >
> > Hello
> >
> > I have a similar issue. On login (graphic systems and ssh) and on the
> > screen saver I have a delay from about 2 seconds to 10 seconds.
> >
> > According to my
On Tue, Apr 07, 2015 at 11:58:35AM +0200, Chamambo Martin wrote:
> I have deployed FreeIPA on RedHat 7 and everything is working perfectly fine
> except when I try to configure SUDO. All my clients are all centos 6 and
> RedHat 6 clients and have the below config . I have followed every how-to
> an
On Tue, Apr 07, 2015 at 12:48:37PM +0200, Chamambo Martin wrote:
> Sorry for the confusion about that one, that client I used to authenticate
> to a pure 389 directory server and I have since changed it to free ipa and
> below is the correct configuration.
>
> I managed to add the line sudo_provi
On Tue, Apr 07, 2015 at 01:55:43PM +0200, Chamambo Martin wrote:
> Thanx Jakub for pointing me to the right direction .This is what I have now
> and I have increased the debug level during troubleshooting
>
> [domain/ai.co.zw]
>
> debug_level=3
> cache_credentials = True
> krb5_store_password_if
On Tue, Apr 07, 2015 at 05:57:49PM +0200, Martin (Lists) wrote:
> Hello
>
> attached you can find the data from krb_child.log. As far as I can see
> it, the three seconds are due to the communication with the kerberos
> server. (1.2.3.4 is my server).
>
> regards
> Martin
Yes. It looks like kini
On Tue, Apr 07, 2015 at 01:15:46PM -0500, Dan Mossor wrote:
> On 04/07/2015 03:05 AM, Jakub Hrozek wrote:
> >On Mon, Apr 06, 2015 at 08:01:46PM -0500, Dan Mossor wrote:
> >>On 04/05/2015 12:51 PM, Dmitri Pal wrote:
> >>>Several tips.
> >>>Please check
On Wed, Apr 08, 2015 at 09:25:33AM +0200, Chamambo Martin wrote:
> Good day
>
> I am running FreeIPA, version: 4.1.0 and everything is working well except
> SUDO configuration.
>
> I have 3 questions
>
> 1: I have configured the bare minimum sudo configuration without
> hostgroups and net
On Wed, Apr 08, 2015 at 10:00:50AM +0200, Chamambo Martin wrote:
> I have these logs and can't seem to make sense of them
These are not the logs we asked for. What we need is debug_level=6 in
the sudo section, then run sudo, then attach
/var/log/sssd/sssd_sudo.log.
It would also be nice if you c
On Wed, Apr 08, 2015 at 10:11:01AM +0200, Martin (Lists) wrote:
> On 07.04.2015 at 18:27, Simo Sorce wrote:
> > On Tue, 2015-04-07 at 17:57 +0200, Martin (Lists) wrote:
> >> Hello
> >>
> >> attached you can find the data from krb_child.log. As far as I can see
> >> it, the three seconds are due to
On Wed, Apr 08, 2015 at 10:17:59AM +0200, Chamambo Martin wrote:
> I have this log after doing a debug_level=6 in the sudo section and have
> attached a txt file for the ldbsearch -H /var/lib/sss/db/cache_ai.co.zw.ldb
>
> (Wed Apr 8 10:14:52 2015) [sssd[sudo]] [sudosrv_get_sudorules_query_cache
On Wed, Apr 08, 2015 at 10:43:10AM +0200, Martin (Lists) wrote:
> On 08.04.2015 at 10:27, Jakub Hrozek wrote:
> > Can you run:
> > KRB5_TRACE=/dev/stderr kinit yourprinc@YOUR.REALM
> >
> > So that we can compare with the krb5_child.log you sent earlier? I
> >
On Wed, Apr 08, 2015 at 11:07:25AM +, Alexander Frolushkin wrote:
> -Original Message-
> From: Martin Kosek [mailto:mko...@redhat.com]
> Sent: Wednesday, April 08, 2015 4:47 PM
> To: Alexander Frolushkin (SIB); freeipa-users@redhat.com; Ludwig Krispenz;
> Thierry Borda
On Wed, Apr 08, 2015 at 01:39:44PM +0200, Chamambo Martin wrote:
> Sudo seems to be configured correctly but somehow it's not working
>
> Even if I do a sudo -l under the admin user
>
> [admin@ironhide tmp]$ sudo -l
> [sudo] password for admin:
> Matching Defaults entries for admin on this hos
On Wed, Apr 08, 2015 at 11:40:08AM +, Alexander Frolushkin wrote:
> After that, client are able to login via ssh on servers connected to 7.1
> servers, but still no login on client servers connected to 7.0 IPA servers...
There we might be a problem with ACIs, can you check the logs on the
cli
On Thu, Apr 09, 2015 at 09:33:25AM +0200, Chamambo Martin wrote:
> Good day
>
> I have managed to follow this guide
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/SSSD-Troubleshooting.html#idp21135920
> and I have
> configured my sssd.conf file a
On Thu, Apr 09, 2015 at 07:39:14PM +0200, Chamambo Martin wrote:
> I managed to follow this up and here is the error I'm getting
Here is the error:
> sudo: ldap sudoHost '+mailservers' ... not
> sudo: ldap sudoHost '+dev_server' ... not
> sudo: ldap sudoHost '+dev_server' ... not
> sudo: ldap sudoHo
On Thu, Apr 09, 2015 at 05:38:40PM +, Guertin, David S. wrote:
> >If your clients are RHEL 7.1, remove all of the hacks and use ID Views
> >instead.
> >https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/id-views.html
> >
> >ID view '
On Mon, Apr 13, 2015 at 01:15:09PM +0800, Thomas Lau wrote:
> Hi all,
>
> We have cronjob which running on a FreeIPA LDAP user; When connection
> between IPA server and client having heavy packet loss, following
> error would occur:
>
> CRON[20637]: Authentication service cannot retrieve authenti
On Mon, Apr 13, 2015 at 10:23:08AM -0400, David Guertin wrote:
> In our newly-setup IPA environment, users can log in to RHEL clients with
> the username @addomain. This works, but I've run into a problem
> with some RHEL 5 clients that are Apache servers -- the Apache UserDir
> mappings no longer
On Mon, Apr 13, 2015 at 01:02:18PM -0400, David Guertin wrote:
>
> >Said that, you can set default domain in SSSD configuration on the
> >legacy clients (RHEL 5) as then SSSD will ensure proper fully-qualified
> >name will be sent towards compat tree and non-qualified name can be
> >asked on the c
On Tue, Apr 14, 2015 at 05:36:16PM +0200, Mateusz Malek wrote:
>
>
> On Fri, Apr 10, 2015 at 08:48 PM, Jakub Hrozek wrote:
> >On Fri, Apr 10, 2015 at 12:39:20PM -0400, Dmitri Pal wrote:
> >>On 04/10/2015 08:13 AM, Mateusz Malek wrote:
> >>>I'm about to
On Thu, Apr 16, 2015 at 09:01:23AM -0400, Dmitri Pal wrote:
> On 04/16/2015 06:40 AM, Thomas Lau wrote:
> >I think the semi-online status cause SSSD confused about what to do
> >and causing it to timeout.
> >
> >So that means no fix for now.
> Not for right now.
> Please try to capture logs, If you
On Thu, Apr 16, 2015 at 01:13:56PM +, Joseph, Matthew (EXP) wrote:
> Hello,
>
> I'm running into an issue where a new user account created on the master
> server is not being seen for changing file permissions and such.
Is the new user visible on the master itself via the standard system
int
On Thu, Apr 16, 2015 at 01:42:52PM +, Joseph, Matthew (EXP) wrote:
> Hey Jakub,
>
> Getent passwd returns all of the IPA users when searching either the username
> or UID.
> Yes I know that permissions are defined by UID/GID, used a new UID that has
> not been previously used for this new a
On Wed, Apr 22, 2015 at 12:43:47AM +0200, Mateusz Malek wrote:
>
>
> On 15.04.2015 at 15:08, Lukas Slebodnik wrote:
> >On 04/10/2015 08:13 AM, Mateusz Malek wrote:
> >>I'm about to migrate my OpenLDAP-based environment to FreeIPA, however
> >>I've hit some weird performance problems. When
On Thu, Apr 30, 2015 at 03:13:44PM +0200, Martin Kosek wrote:
> On 04/30/2015 02:56 PM, Aric Wilisch wrote:
> > Is there a trick to getting a users SSH key that’s attached to their
> > FreeIPA account to work on RHEL 5 servers? users can ssh into the RHEL 6
> > clients with no issues but they sti
On Thu, Apr 30, 2015 at 04:32:30PM +0200, Lukas Slebodnik wrote:
> On (30/04/15 15:34), Jakub Hrozek wrote:
> >On Thu, Apr 30, 2015 at 03:13:44PM +0200, Martin Kosek wrote:
> >> On 04/30/2015 02:56 PM, Aric Wilisch wrote:
> >> > Is there a trick to getting a users SS
On Mon, May 04, 2015 at 09:37:11PM -0400, Megan . wrote:
> Good Evening!
>
> I'm running 3.0.0-42 on Centos 6.6.
>
> I setup a number of sudo commands today with regular expressions and
> now users seem to be having issues running any sudo command. Are
> there any known issues with having regex
On Tue, May 05, 2015 at 11:43:34PM +0300, Timo Aaltonen wrote:
> On 05.05.2015 23:27, Andrew Sacamano wrote:
> > Thanks again Lukas and Timo,
> >
> > I'm very sorry it took so long for me to get to this - I got pulled into
> > an urgent project at work and am just getting my head above water today
On Tue, May 05, 2015 at 02:21:40PM -0700, nat...@nathanpeters.com wrote:
> I'm a little confused by that.
>
> If I add the AD dc, will my client try to contact AD directly to get a
> ticket?
>
> Doesn't it have to do get the ticket through FreeIPA by proxy somehow?
No, authentication is always p
On Wed, May 06, 2015 at 06:53:49PM +, Redmond, Stacy wrote:
> That's great, I got it all working, perhaps you can answer one last question,
> although not sure this is going to be fixable or not.
>
> Anyway to get rid of the realm when using id, as you can see below, kinda
> messy.
>
> [roo
On Thu, May 07, 2015 at 01:07:58PM -0400, Dmitri Pal wrote:
> On 05/07/2015 04:37 AM, Petr Spacek wrote:
> >On 7.5.2015 09:31, Winfried de Heiden wrote:
> >>Hi all,
> >>
> >> One of the nice FreeIPA features is a host will be added to DNS
> >>automatically when the client is installed. However, in
On Thu, May 07, 2015 at 03:30:06PM +0100, Dylan Evans wrote:
> By coincidence I posted a very similar question yesterday -
> https://www.redhat.com/archives/freeipa-users/2015-May/msg00103.html.
>
> +1 for the necessary support for out-of-domain Windows clients and NTLMSSP.
>
> Is there a time-ta
On Sun, May 10, 2015 at 06:53:47PM +0200, Jakub Hrozek wrote:
> SSSD would so far only create the address family that is used to connect
> to the server. We have an RFE open to update both:
> https://fedorahosted.org/sssd/ticket/2120
> and also update the address on startup,
On Mon, May 11, 2015 at 01:19:01PM +0200, Vangass wrote:
> Hello,
>
> I have a problem with HBAC rules with conjunction with PAM authentication.
> What I try to do is to authenticate users: tac_plus - PAM (pam_sssd) -
> FreeIPA.
> It works just fine but without checking HBAC rules.
> What I did:
>
On Wed, Apr 29, 2015 at 10:57:45AM +, Andy Thompson wrote:
> In the environment I'm working on currently we have a single trusted AD
> domain and will never have any additional domain trusts in place. Is there a
> way to allow users to login without using @ad_domain in their username? We
>
On Thu, May 14, 2015 at 03:33:28PM +, Andy Thompson wrote:
> I've noticed that trusted users supplementary ad groups don't show up until
> after the users login to the box at least once.
That's expected with the versions you're running. Prior to 6.7, we could
only read the trusted users' gro
On Fri, May 15, 2015 at 09:44:31PM +0200, Lukas Slebodnik wrote:
> On (15/05/15 17:27), Andy Thompson wrote:
> >Is there a way to enforce case sensitivity for trusted AD users? I am
> trying to use username for ssh chroots and I can authenticated with any
> case combination of but if ssh is set t
On Sun, May 17, 2015 at 10:26:45PM +, Andy Thompson wrote:
> > -Original Message-
> > From: freeipa-users-boun...@redhat.com [mailto:freeipa-users-
> > boun...@redhat.com] On Behalf Of Jakub Hrozek
> > Sent: Sunday, May 17, 2015 5:23 PM
> > To: freeipa-us
On Fri, May 22, 2015 at 09:37:04AM +0200, Nikola Kržalić wrote:
> I have a ubuntu system running IPA client. I am able to log in via ssh
> using IPA users, but I do not get any group memberships or sudo rules.
> Same configuration works on a different system (running CentOS).
>
> sssd domain log o
On Wed, May 27, 2015 at 04:27:45PM -0700, nat...@nathanpeters.com wrote:
> > I have a CentOS 6.3 client with sssd 1.11.6-30.el6_6.4 installed and when
> > one of my FreeIPA users tries to sudo (he has permissions via group
> > membership) I get the following error in /var/log/messages
> >
> > May 2
On Thu, May 28, 2015 at 01:52:30PM +0200, Pavel Reichl wrote:
> Hello,
>
> as part of solution for https://fedorahosted.org/sssd/ticket/2583 ([RFE]
> Homedir is always overwritten with subdomain_homedir value in server mode)
> we came to the conclusion that it would be a good thing for SSSD in IPA