Re: [Freeipa-users] Installing on Centos

2010-03-17 Thread Jakub Hrozek
On 03/17/2010 11:22 AM, Gerrard Geldenhuis wrote: Hi I was wondering if anyone has had any luck in getting FreeIPA compiled and installed on Centos. I am struggling a bit at the moment. I have downloaded a fedora source package which I have

Re: [Freeipa-users] can't reset password on fedora 13

2010-06-08 Thread Jakub Hrozek
On 06/08/2010 07:13 AM, Konstantin Kozlov wrote: I've installed everything from official repos. SSSD caused problems because ipa-client-install made a 'default' domain in sssd.conf and sssd was looking for SRV records in DNS for LDAP and KDC with

Re: [Freeipa-users] Invalid Credentials error on migrate-ds

2011-01-24 Thread Jakub Hrozek
On 01/24/2011 08:57 PM, Jeff B wrote: I might have missed this yesterday, is it trying to bind to the apple as Directory Manager? I thought that was for FreeIPA but now I'm not sure. I was intending to have it do an anonymous bind to the apple. If so I guess that would explain it. Yes,

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-03 Thread Jakub Hrozek
On 03/04/2011 02:35 AM, Steven Jones wrote: Hi, Thanks, I think there may be a dependency missing for the yum install of the client. When I go to the system-auth, ipa is there as an option but it's missing a .so in nss-pam-ldapd and asks for it to be installed, the dependency off that is nscd

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-01 Thread Jakub Hrozek
On 04/30/2011 08:41 AM, nasir nasir wrote: -- About 50 Linux clients running *Kubuntu (can change this to ubuntu if necessary)* Just a warning that *Ubuntu - according to http://packages.ubuntu.com/sssd - still defaults to sssd 1.2.1, even in their natty release. There was a number of

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-16 Thread Jakub Hrozek
On 05/15/2011 06:49 AM, nasir nasir wrote: Thanks again! NO, it was not set. I added it manually now (*automount: ldap *) and now a different error pops up in /var/log/messages while restarting autofs service, *May 15 06:32:04 hugayat automount[16256]: open_lookup:90: cannot open lookup

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-16 Thread Jakub Hrozek
On 05/16/2011 02:08 PM, nasir nasir wrote: May 16 14:14:13 rhel automount[1787]: mount.nfs4: mounting hugayat.cohort.org:/xtra/home/test1 failed, reason given by server: May 16 14:14:13 rhel automount[1787]:No such file or directory May 16 14:14:13 rhel automount[1787]: mount(nfs): nfs:

Re: [Freeipa-users] Automounter maps

2011-07-01 Thread Jakub Hrozek
On 07/01/2011 03:48 AM, Ondrej Valousek wrote: Hi, On 30.06.2011 17:29, Dmitri Pal wrote: Can you please rephrase? Do you mean that instead of documenting what we already have or in addition to it, we should also document how to configure automount with DNS? Does DNS allow specifying the

Re: [Freeipa-users] libcurl fix

2011-09-26 Thread Jakub Hrozek
On Mon, Sep 26, 2011 at 12:14:12PM +0200, Sigbjorn Lie wrote: My systems are updated (RHEL5/6 and Fedora 15) to latest available version from the respective repositories. And I have no issues with libcurl. I noticed updates from RHN a few weeks back. My current RHEL6 pkg:

Re: [Freeipa-users] Change Password problems (Unsupported Version)

2011-09-28 Thread Jakub Hrozek
On Wed, Sep 28, 2011 at 01:59:36PM -0400, Nalin Dahyabhai wrote: On Wed, Sep 28, 2011 at 02:49:02PM +0800, Goff, Raal wrote: The only difference I know about is that the users who CAN change their passwords have not got an expired password (so they can login and use kpasswd from the

Re: [Freeipa-users] Load balancing

2011-09-29 Thread Jakub Hrozek
On Thu, Sep 29, 2011 at 09:02:05PM +, Steven Jones wrote: Hi, I'm a bit unclear on a few aspects of the IPA design. In the beginning of the fedora 15 user document there is comment on load balancing yet when you join a client it's stating a specific server, so how does that work?

Re: [Freeipa-users] backing up and restoring the backend

2011-09-29 Thread Jakub Hrozek
On Thu, Sep 29, 2011 at 08:55:35PM +, Steven Jones wrote: Hi, Backing up I can't find anything in the documentation discussing backing up and recovering IPA/ldap? In the past I seem to recall the FDS/389 suggested exporting the data which was then backed up. I think there was a

Re: [Freeipa-users] HBAC rules not working

2011-11-24 Thread Jakub Hrozek
On Thu, Nov 24, 2011 at 01:41:30AM +, Steven Jones wrote: When I add a host to the hbac rule and not a host group I can login Something is wrong with the host group(s). Damned if I can see what. regards Steven Jones Which SSSD version is that? There was a bug (#741751) in

Re: [Freeipa-users] Limiting group/user visibility

2011-12-01 Thread Jakub Hrozek
On Wed, Nov 30, 2011 at 01:18:46PM +0200, Lassi Pölönen wrote: Hi, I'm looking for implementing FreeIPA in an environment where there are multiple customers in multiple organizations and a single organization that manages the users, sets the access rights etc. We don't have a centralized

Re: [Freeipa-users] admin

2011-12-08 Thread Jakub Hrozek
On Thu, Dec 08, 2011 at 08:49:06PM +, Steven Jones wrote: Is this user blocked from logging into an IPA client? It is not blocked, I often use admin as a test dummy for SSSD testing.

Re: [Freeipa-users] sssd in Ubuntu

2011-12-12 Thread Jakub Hrozek
On Sun, Dec 11, 2011 at 11:49:46PM +0100, Sigbjorn Lie wrote: On the other hand, even though looking up users, groups and netgroups seem fine, I cannot log in. Neither at the console, su, or ssh. Was there an issue with HBAC rules in SSSD 1.5.13 ? Dec 11 21:13:32 mint12 su[6769]:

Re: [Freeipa-users] Sudo configuration question

2011-12-21 Thread Jakub Hrozek
On Tue, Dec 20, 2011 at 12:59:45PM -0900, Erinn Looney-Triggs wrote: I have been working through configuring sudo via IPA and ran into the following situation. There is a directive in the documentation to configure /etc/sssd/sssd.conf on the clients with something like the following:

Re: [Freeipa-users] Large slow down when using IPA

2012-01-02 Thread Jakub Hrozek
On Mon, Jan 02, 2012 at 10:00:02AM -0500, Simo Sorce wrote: On Sat, 2011-12-31 at 01:35 -0900, Erinn Looney-Triggs wrote: On 12/30/2011 07:19 PM, JR Aquino wrote: On Dec 30, 2011, at 5:45 PM, Erinn Looney-Triggs wrote: I have been slowly rolling out FreeIPA to my systems, trying

Re: [Freeipa-users] Large slow down when using IPA

2012-01-02 Thread Jakub Hrozek
On Mon, Jan 02, 2012 at 12:53:29PM -0500, Simo Sorce wrote: On Mon, 2012-01-02 at 17:29 +0100, Jakub Hrozek wrote: On Mon, Jan 02, 2012 at 10:00:02AM -0500, Simo Sorce wrote: On Sat, 2011-12-31 at 01:35 -0900, Erinn Looney-Triggs wrote: On 12/30/2011 07:19 PM, JR Aquino wrote

Re: [Freeipa-users] Fedora 16 client not getting group names

2012-01-27 Thread Jakub Hrozek
On Fri, Jan 27, 2012 at 11:47:01AM -0500, Dan Scott wrote: Hi, On Fri, Jan 27, 2012 at 10:48, Stephen Gallagher sgall...@redhat.com wrote: On Fri, 2012-01-27 at 10:36 -0500, Dan Scott wrote: Hi, I have a Fedora 16 client running sssd-client-1.6.4-1.fc16.x86_64. When I run, e.g. id

Re: [Freeipa-users] automount questions

2012-03-12 Thread Jakub Hrozek
I wasn't sure about these two questions so I went ahead and asked the Red Hat autofs maintainer -- I don't think he follows this list. Below are his replies. On Sun, Mar 11, 2012 at 09:09:17PM +0100, Natxo Asenjo wrote: Second question: is it normal that one has to restart the autofs service

Re: [Freeipa-users] Unable to login where previously OK

2012-04-12 Thread Jakub Hrozek
On Thu, Apr 12, 2012 at 04:09:20AM +, Steven Jones wrote: Hi, I have a user, myself, that used to be able to login to a specific IPA client / host but I am no longer able to. The /var/log/secure log appears to be telling me my password is wrong, so I reset it in IPA, but on

Re: [Freeipa-users] routing requests to local servers

2012-04-13 Thread Jakub Hrozek
On Fri, Apr 13, 2012 at 01:04:55PM -0700, Brian Cook wrote: Ideally I would rely on a -group- of servers, and then rely on DNS if it is down. I don't want to hammer one server. We're talking about 500-1000 servers running virtual machines, so potentially a lot of traffic. Got

Re: [Freeipa-users] routing requests to local servers - DNS SRV + view?

2012-04-16 Thread Jakub Hrozek
On Mon, Apr 16, 2012 at 09:40:16AM -0400, Dmitri Pal wrote: On 04/13/2012 11:00 PM, Brian Cook wrote: Yes, this is exactly what I am trying to accomplish. I've already been looking into the BIND views clause and would like to hear if anyone has any feedback as to how well

Re: [Freeipa-users] Unable to login where previously OK

2012-04-16 Thread Jakub Hrozek
On Thu, Apr 12, 2012 at 09:23:03PM +, Steven Jones wrote: sssd log at lvl6 regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 Which SSSD version is this? Are the clients that work OK the same version? Can you also

Re: [Freeipa-users] Trying to trace why a user cannot login to a client

2012-05-01 Thread Jakub Hrozek
On Tue, May 01, 2012 at 08:55:38PM +, Steven Jones wrote: The sssd from rhel6.3beta workstation is 1.8.0-22.el6.x86_64 The sssd from rhel6.2 workstation is 1.5.1-66.el6_2.3.x86_64 regards Steven Jones Does by any chance your sssd.conf include a debug_level directive in the [sssd]

Re: [Freeipa-users] Red Hat 5 install. Red Hat 5 and 6 compatibility

2012-05-02 Thread Jakub Hrozek
On Wed, May 02, 2012 at 10:31:08AM -0400, Matthew Davidson wrote: Sorry about not supplying the versions! On the redhat 6.2 server: ipa-admintools-2.1.3-9.el6.x86_64 ipa-client-2.1.3-9.el6.x86_64 ipa-server-2.1.3-9.el6.x86_64 Red Hat 5.8: ipa-client-2.1.3-1.el5 I have looked over various

Re: [Freeipa-users] Trying to trace why a user cannot login to a client

2012-05-08 Thread Jakub Hrozek
On Tue, May 01, 2012 at 10:12:48PM +, Steven Jones wrote: regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 The logs only say [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [desktop-admins-test]. The error

Re: [Freeipa-users] Trying to trace why a user cannot login to a client

2012-05-10 Thread Jakub Hrozek
On Tue, May 08, 2012 at 09:47:41PM +, Steven Jones wrote: Hi, Attached is a munin graph of what looks like a memory leak. I suspect (if you look at the munin monthly graph) we had no issue until I think we patched. I need to ask my admins if they did patch... (they are

Re: [Freeipa-users] Different automount for different locations

2012-05-14 Thread Jakub Hrozek
On Mon, May 14, 2012 at 09:01:34AM +0200, Jan-Frode Myklebust wrote: We have two datacenters, site-A and site-B, and would like to server the users' home directories from a local NFS-server at each location to avoid cross site mounts. Is this something the automount maps in IPA can help us

Re: [Freeipa-users] HBAC rules take in effect on IPA clients immediately after installation?

2012-05-19 Thread Jakub Hrozek
On Fri, May 18, 2012 at 02:27:15PM -0700, Gelen James wrote: Hi all, Just like to clarify my confusion: Are the HBAC (Host Based Access Control) rules immediately in effect after IPA client software configurations through sssd? Do we have any options inside sssd.conf to

Re: [Freeipa-users] sudo rules in IPA infrastructure

2012-05-19 Thread Jakub Hrozek
On Fri, May 18, 2012 at 02:35:18PM -0700, Gelen James wrote: Hi all, Are the sudo rules applied to IPA clients through nss_ldap, instead of sssd? Neither :-) sudo looks up the user information via the standard name-service-switch maps, so if your machine is configured to fetch user

Re: [Freeipa-users] sudo rules in IPA infrastructure

2012-05-21 Thread Jakub Hrozek
On Sat, May 19, 2012 at 03:11:44PM -0700, David Copperfield wrote: Hi Jakub and Rich, Got it. Thanks a lot on the HBAC and sudoes maps access. I think I got confused with the graph in the powerpoint presentation 

Re: [Freeipa-users] ipa client - turn off NetworkManager?

2012-06-09 Thread Jakub Hrozek
On Sat, Jun 09, 2012 at 03:24:44AM -0700, Joe Linoff wrote: Hi: I read somewhere that I should turn off the NetworkManager service on the IPA server. Should I do same on the clients? It doesn't really matter for the SSSD, we don't use NM for anything but we don't mind it running either.

Re: [Freeipa-users] User can't login via ssh from external

2012-07-23 Thread Jakub Hrozek
On Mon, Jul 23, 2012 at 06:22:55PM -0400, Rob Crittenden wrote: Joe Linoff wrote: Hi Steve: Thank you for your suggestions. In the gui you can do a hbac test of the rule. I ran the hbactest rule testing from the command line using “ipa hbactest …”. It showed that the rules were

Re: [Freeipa-users] User can't login via ssh from external

2012-07-26 Thread Jakub Hrozek
On Wed, Jul 25, 2012 at 02:38:36PM -0700, Joe Linoff wrote: As Rob says, I think we should take a look at SSSD and system logs. Can you paste or attach the couple of lines that are appended to /var/log/secure during the login attempt? That should give us a clue on whether the SSSD

Re: [Freeipa-users] User can't login via ssh from external

2012-07-26 Thread Jakub Hrozek
On Thu, Jul 26, 2012 at 01:39:12AM +, Steven Jones wrote: I am now getting this Steven, are you saying you can't login even though hbactest passes for your user? Can you then append or paste the last couple of lines of /var/log/secure and the relevant part of the SSSD domain log?

Re: [Freeipa-users] User can't login via ssh from external

2012-07-26 Thread Jakub Hrozek
On Thu, Jul 26, 2012 at 09:12:35PM +, Steven Jones wrote: Yes, So, I reset the password and that failed, so I added the user to my desktop group logged in to my desktop with ssh localhost and set the password, then I could log into the client fine. Other users had no problem logging

Re: [Freeipa-users] cannot find name for user ID

2012-08-08 Thread Jakub Hrozek
On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote: An interesting problem has popped up and I am not sure where the issue lies. Users logging in are presented with cannot find name for user ID etc. etc. for all groups they are a member of id returns nothing but the numbers,

Re: [Freeipa-users] cannot find name for user ID

2012-08-09 Thread Jakub Hrozek
On Thu, Aug 09, 2012 at 12:52:47AM -0800, Erinn Looney-Triggs wrote: On 08/08/2012 01:11 PM, Jakub Hrozek wrote: On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote: An interesting problem has popped up and I am not sure where the issue lies. Users logging in are presented

Re: [Freeipa-users] need FC17 autofs + FreeIPA pointers

2012-08-12 Thread Jakub Hrozek
On Fri, Aug 10, 2012 at 05:22:11PM -0600, bin.e...@gmail.com wrote: Hi Dmitri, That is the doc I don't understand. I mean, if I follow those directions, it should just work? But where do the automaps come from once I switch over to LDAP? How do I administrate the mappings for things

Re: [Freeipa-users] Intermittent delay in authentication

2012-08-15 Thread Jakub Hrozek
On Tue, Aug 14, 2012 at 03:28:52PM -0500, KodaK wrote: I apologize in advance for not having very much information to go on. We have exactly 100 hosts in IPA right now. On occasion, maybe once or twice a day, all authentication just pauses for some amount of time. It can range from just a

Re: [Freeipa-users] Intermittent delay in authentication

2012-08-16 Thread Jakub Hrozek
On Wed, Aug 15, 2012 at 09:03:37PM +, Steven Jones wrote: Is there a bugtraq? https://fedorahosted.org/sssd/ticket/1447 https://bugzilla.redhat.com/show_bug.cgi?id=845253 regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463

Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-17 Thread Jakub Hrozek
On Thu, Aug 16, 2012 at 09:00:23PM +, Steven Jones wrote: Hi, What is the default length of time the sssd daemon on a client caches for once IPA is off line pls? If the IPA provider is offline, we never remove anything from the cache, so indefinitely. If the provider is online, we

Re: [Freeipa-users] Specifying load balancing to SSSD clients

2012-08-20 Thread Jakub Hrozek
On Mon, Aug 20, 2012 at 02:48:30PM +0100, Innes, Duncan wrote: Folks, Hopefully this isn't a dumb question, but I'm constrained by a few things on my estate and would be looking to deploy something like the following: 2 Datacentres 2 IPA servers at each datacentre ipa1.domain.com \_

Re: [Freeipa-users] SELinux user mapping

2012-08-29 Thread Jakub Hrozek
On Tue, Aug 28, 2012 at 01:54:12PM -0800, Erinn Looney-Triggs wrote: I am hoping I haven't missed something here, but it appears that the SELinux user mapping portion is not working for me. This is tested on a RHEL 6.3 client and server. The rule I have: Rule name: Developers staff_U

Re: [Freeipa-users] cannot logon: system error?

2012-09-04 Thread Jakub Hrozek
On Tue, Sep 04, 2012 at 11:02:36AM -0700, george he wrote: Hi all, This is another issue I'm having with another ipa client. Both the server and the client are CentOS 6.3. The client was configured all right. I was able to log on at a point, but then after the screen was auto-locked over the

Re: [Freeipa-users] errors when one ipa server down

2012-09-10 Thread Jakub Hrozek
On Mon, Sep 10, 2012 at 09:08:07AM -0400, Rob Crittenden wrote: Dmitri Pal wrote: On 09/07/2012 04:50 PM, Rob Crittenden wrote: Michael Mercier wrote: On 2012-09-07, at 2:47 PM, Dmitri Pal wrote: On 09/07/2012 12:42 PM, Michael Mercier wrote: On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:

Re: [Freeipa-users] errors when one ipa server down

2012-09-18 Thread Jakub Hrozek
On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote: [root@ipaserver2 ~]ifdown eth0 # NOTE: ipaserver2 is 172.16.112.8 [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike [sssd_krb5_locator] sssd_krb5_locator_init called [sssd_krb5_locator] Found [172.16.112.8] in

Re: [Freeipa-users] errors when one ipa server down

2012-09-18 Thread Jakub Hrozek
On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote: On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote: On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote: [root@ipaserver2 ~]ifdown eth0 # NOTE: ipaserver2 is 172.16.112.8 [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG

Re: [Freeipa-users] Password requirements too stringent

2012-09-19 Thread Jakub Hrozek
On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote: So, commenting out: password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 Caused users updating their passwords using ssh to get: [ykatabam@ykatabam ~]$ ssh

Re: [Freeipa-users] errors when one ipa server down

2012-09-24 Thread Jakub Hrozek
On Wed, Sep 19, 2012 at 12:27:25PM -0400, Dmitri Pal wrote: On 09/19/2012 12:11 PM, Jakub Hrozek wrote: On Wed, Sep 19, 2012 at 12:00:08PM -0400, Michael Mercier wrote: On 2012-09-18, at 4:03 PM, Jakub Hrozek wrote: On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote

Re: [Freeipa-users] Password failing for sudo-ldap authentication only from one host

2012-09-27 Thread Jakub Hrozek
On Thu, Sep 27, 2012 at 08:18:21AM +0200, David Sastre wrote: On Wed, Sep 26, 2012 at 11:08 PM, David Sastre Medina d.sastre.med...@gmail.com wrote: On Wed, Sep 26, 2012 at 03:06:40PM -0400, Rob Crittenden wrote: David Sastre wrote: [big snip] Does sssd work on this machine

Re: [Freeipa-users] FreeIPA 3 rc1 sslget error

2012-09-27 Thread Jakub Hrozek
On Thu, Sep 27, 2012 at 09:56:02AM +0200, Pieter Baele wrote: Hi, Two problems with FreeIPA 3 on an updated fedora 17 (updates-testing enabled) 1) dependency error for libsss_sudo Error: Package: sudo-1.8.3p1-7.fc17.x86_64 (@updates) Requires:

Re: [Freeipa-users] Password failing for sudo-ldap authentication only from one host

2012-10-02 Thread Jakub Hrozek
On Tue, Oct 02, 2012 at 10:39:29AM +0200, David Sastre wrote: sudo works correctly again, thanks to the people in this list who spend time looking into this and pointed me in the right direction. I'm sorry I missed your previous reply, David. Glad sudo works for you now!

Re: [Freeipa-users] sudo questions

2012-10-09 Thread Jakub Hrozek
On Tue, Oct 09, 2012 at 12:04:24AM +0200, Sigbjorn Lie wrote: Hi, Hi Siggi, 3. sudo integration with SSSD does not work when anonymous LDAP authentication is disabled at the server. Enabling verbose logging in SSSD seems to suggest that it's attempting anonymous auth only.

Re: [Freeipa-users] free-ipa 2.2 - login fails on some hosts but not others

2012-10-11 Thread Jakub Hrozek
On Thu, Oct 11, 2012 at 02:44:04AM -0700, Joe Linoff wrote: I am not sure how to debug this. I would start with attaching the relevant contents of /var/log/secure. Do they differ on the host that succeeds vs the one that fails?

Re: [Freeipa-users] sssd/pam login issues after upgrade to 2.2.1 on Fedora 17

2012-11-12 Thread Jakub Hrozek
On Sun, Nov 11, 2012 at 04:37:46PM -0600, Anthony Messina wrote: After upgrading to freeipa-{client,server}-2.2.1-1.fc17.x86_64 today, my clients are no longer able to login via kdm or ssh (and perhaps others). The secure log shows the following: sshd[28922]: pam_sss(sshd:account): Access

Re: [Freeipa-users] FreeIPA manual PAM setup help

2012-11-29 Thread Jakub Hrozek
On Thu, Nov 29, 2012 at 10:26:00AM -0500, Rob Crittenden wrote: 小龙 陈 wrote: Hi, I've been working on porting the FreeIPA client to Arch Linux lately and I'm now to the last step of the puzzle. Everything works the way it should, except for PAM, which I don't know how to setup. I must

Re: [Freeipa-users] sssd cache

2012-12-05 Thread Jakub Hrozek
On Wed, Dec 05, 2012 at 02:20:40PM +0100, Natxo Asenjo wrote: hi, why would I want sssd to cache group/hostgroup/netgroup membership? Is the performance hit so huge on the ldap servers? I ask this because Windows admins are used to apply membership of groups to objects and the changes

Re: [Freeipa-users] sssd cache

2012-12-05 Thread Jakub Hrozek
On Wed, Dec 05, 2012 at 03:19:51PM +0100, Natxo Asenjo wrote: On Wed, Dec 5, 2012 at 3:11 PM, Jakub Hrozek jhro...@redhat.com wrote: On Wed, Dec 05, 2012 at 02:20:40PM +0100, Natxo Asenjo wrote: hi, why would I want sssd to cache group/hostgroup/netgroup membership? Is the performance

Re: [Freeipa-users] select users cannot sudo or login at the console

2012-12-07 Thread Jakub Hrozek
On Fri, Dec 07, 2012 at 09:33:22AM -0500, Rob Crittenden wrote: Albert Adams wrote: Rob, There are no HBAC rules defined other than the default allow_all rule which has not been customized. It is a vanilla install at this point. I have not added anything other than the replica, a few

Re: [Freeipa-users] Managing Sudo through FreeIPA

2012-12-11 Thread Jakub Hrozek
On Tue, Dec 11, 2012 at 11:25:57AM -0500, Dmitri Pal wrote: The native integration in SSSD was a tech preview in 6.3 and was pretty much broken. It wasn't a TP in 6.3 because the sudo 1.8 package wasn't in 6.3 at all. It was rewritten after F-17, because its cache update mechanism was extremely

Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread Jakub Hrozek
On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote: On 12/17/2012 03:11 PM, KodaK wrote: I'm attempting to install Satellite in my IPA domain. There is a ridiculous requirement that the group dba must not already exist prior to installing. Red Hat support wanted me to *remove* the

Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread Jakub Hrozek
On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote: On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote: On 12/17/2012 03:11 PM, KodaK wrote: I'm attempting to install Satellite in my IPA domain. There is a ridiculous requirement that the group dba must not already exist

Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread Jakub Hrozek
On Tue, Dec 18, 2012 at 09:07:25AM -0600, KodaK wrote: On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek jhro...@redhat.com wrote: On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote: On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote: On 12/17/2012 03:11 PM, KodaK wrote

Re: [Freeipa-users] sudo made a bit easier to configure

2012-12-21 Thread Jakub Hrozek
On Fri, Dec 21, 2012 at 06:42:40PM +0100, Natxo Asenjo wrote: On Thu, Dec 20, 2012 at 4:43 PM, Han Boetes hboe...@gmail.com wrote: Hi, I discovered that using this recipe makes setting up sudo-ldap very simple. Even when anonymous binds are disabled. Thanks! I have not yet used sudo

Re: [Freeipa-users] problems with netgroups cached values

2013-01-07 Thread Jakub Hrozek
On Mon, Jan 07, 2013 at 12:18:12PM +0100, Natxo Asenjo wrote: hi, in sssd.conf I have this regarding netgroup caching info: entry_cache_netgroup_timeout = 300 After the file was modified, the sssd daemon was reloaded. However, the values are still being cached for 90 minutes (default

Re: [Freeipa-users] problems with netgroups cached values

2013-01-07 Thread Jakub Hrozek
On Mon, Jan 07, 2013 at 01:17:21PM +0100, Natxo Asenjo wrote: On Mon, Jan 7, 2013 at 1:07 PM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Jan 07, 2013 at 12:18:12PM +0100, Natxo Asenjo wrote: hi, in sssd.conf I have this regarding netgroup caching info: entry_cache_netgroup_timeout

Re: [Freeipa-users] problems with netgroups cached values

2013-01-07 Thread Jakub Hrozek
On Mon, Jan 07, 2013 at 03:55:49PM +0100, Natxo Asenjo wrote: hi, On Mon, Jan 7, 2013 at 3:20 PM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Jan 07, 2013 at 01:17:21PM +0100, Natxo Asenjo wrote: On Mon, Jan 7, 2013 at 1:07 PM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Jan 07

Re: [Freeipa-users] Issues to watch out for / anticipate when upgrading RHEL6.3 and IPA 2 to 6.4 and IPA 3

2013-01-08 Thread Jakub Hrozek
On Tue, Jan 08, 2013 at 11:49:11AM -0900, Erinn Looney-Triggs wrote: On 01/08/13 11:44, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2013-01-08 at 19:31 +, Steven Jones wrote: HI, I assume RHEL 6.4 is GA shortly just how straightforward is the upgrade from one IPA version to

Re: [Freeipa-users] Error: Fedora 18 client to IPA Server 2.2.0?

2013-01-22 Thread Jakub Hrozek
On Tue, Jan 22, 2013 at 11:02:39AM -0500, Rob Crittenden wrote: free...@noboost.org wrote: Hi, Has anyone had success with installing the IPA client on Fedora 18 (with SeLinux disabled)? Server: Red Hat Enterprise Linux Server release 6.3 (Santiago) * ipa-server-2.2.0-16.el6.x86_64

[Freeipa-users] A security bug in SSSD 1.8 and 1.9 (CVE-2013-0220)

2013-01-23 Thread Jakub Hrozek
= A security bug in SSSD 1.8 and 1.9 === = = Subject: out-of-bounds reads in autofs and ssh responder = = CVE ID#: CVE-2013-0220 = = Summary: Multiple out-of-bounds buffer read flaws were found in = the way the autofs and ssh

Re: [Freeipa-users] Unable to start replica server after setting up replication

2013-01-30 Thread Jakub Hrozek
On Wed, Jan 30, 2013 at 12:02:30PM -0500, free...@stormcloud9.net wrote: On 2013/30/01 11:59, Dmitri Pal wrote: On 01/30/2013 11:43 AM, free...@stormcloud9.net wrote: On 2013/30/01 09:37, Martin Kosek wrote: On 01/30/2013 03:22 PM, free...@stormcloud9.net wrote: On 2013/30/01 09:19,

Re: [Freeipa-users] missing member in group

2013-02-18 Thread Jakub Hrozek
On Mon, Feb 18, 2013 at 12:16:33AM -0500, Dmitri Pal wrote: On 02/17/2013 03:55 PM, Jan-Frode Myklebust wrote: On Sun, Feb 17, 2013 at 09:48:10PM +0100, Jan-Frode Myklebust wrote: (Sun Feb 17 21:40:07 2013) [sssd[be[IPALDAP]]] [sdap_fill_memberships] (7): member #2

Re: [Freeipa-users] [Feature request] Adding support for sudo to ipa-client-install

2013-02-21 Thread Jakub Hrozek
On Thu, Feb 21, 2013 at 03:07:10PM +0100, Han Boetes wrote: This is what you have to do to enable sudo support while using freeipa: I got it all from sssd-sudo(5). # yum install libsss_sudo Add this line to /etc/nsswitch.conf sudoers: files sss Edit /etc/sssd/sssd.conf and make

Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-25 Thread Jakub Hrozek
On Sat, Feb 23, 2013 at 10:40:03PM +, Dale Macartney wrote: On 02/23/2013 10:36 PM, Rob Crittenden wrote: Dale Macartney wrote: Even folks I've verified this both in a kickstart

Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-25 Thread Jakub Hrozek
On Mon, Feb 25, 2013 at 10:30:44AM +, Dale Macartney wrote: What state is your SELinux in? Permissive/Enforcing/Disabled ? Another fail on my part. Works fine in permissive mode. No, the SSSD should be working out of the box with SELinux Enforcing. AVC denials listed below..

Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-25 Thread Jakub Hrozek
On Mon, Feb 25, 2013 at 11:06:09AM +, Dale Macartney wrote: On 02/25/2013 10:58 AM, Jakub Hrozek wrote: On Mon, Feb 25, 2013 at 10:30:44AM +, Dale Macartney wrote: What state is your SELinux in? Permissive/Enforcing/Disabled

Re: [Freeipa-users] proper way to clear sssd cache without sss_cache?

2013-02-26 Thread Jakub Hrozek
On Tue, Feb 26, 2013 at 02:36:42PM -0500, Dmitri Pal wrote: On 02/26/2013 02:29 PM, KodaK wrote: I know that at some point the sssd package (or maybe the tools package) started including sss_cache for managing the sssd cache. I have some RHEL5 boxes that don't have this utility. I've

Re: [Freeipa-users] meaning of several domains in sssd.conf

2013-02-27 Thread Jakub Hrozek
On Wed, Feb 27, 2013 at 08:19:27AM +0100, Jan-Frode Myklebust wrote: What does it mean to have several domains listed in sssd.conf ? Will they all be queried on each login, or will only the first domain be queried if the user/groups is found there? If the user is found in the first domain,

Re: [Freeipa-users] meaning of several domains in sssd.conf

2013-02-27 Thread Jakub Hrozek
On Wed, Feb 27, 2013 at 09:47:39AM +0100, Jan-Frode Myklebust wrote: On Wed, Feb 27, 2013 at 09:31:43AM +0100, Jakub Hrozek wrote: Are there any issues you are seeing with IPA's sssd_be? It would definitely be better to fix those first rather than attempting a workaround like

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-03-19 Thread Jakub Hrozek
On Tue, Mar 19, 2013 at 09:41:23PM +0100, Jan-Frode Myklebust wrote: Hello Jan, I'm sorry you're seeing performance problems. We're struggling with the performance of IPA, and have tried switching to the ldap backend for sssd to be able to see what's happening. The attached trace is from a

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-03-20 Thread Jakub Hrozek
On Tue, Mar 19, 2013 at 11:05:14PM +0100, Jan-Frode Myklebust wrote: On Tue, Mar 19, 2013 at 10:01:16PM +0100, Jakub Hrozek wrote: Hello Jan, I'm sorry you're seeing performance problems. We have been struggling with performance and crashes for a while now. Have had one crash where

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-03-20 Thread Jakub Hrozek
On Wed, Mar 20, 2013 at 02:04:24PM +0100, Jan-Frode Myklebust wrote: On Wed, Mar 20, 2013 at 10:44:10AM +0100, Jakub Hrozek wrote: This really sounds like a bug. If you encounter a situation like this, where a group does not show all its members, feel free to open a bug. I have been

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-03-21 Thread Jakub Hrozek
On Thu, Mar 21, 2013 at 11:43:55AM +0100, Jan-Frode Myklebust wrote: On Wed, Mar 20, 2013 at 02:29:07PM +0100, Jakub Hrozek wrote: I think pasting or attaching SSSD logs would be a good start. Can you put debug_level = 6 into your sssd.conf into the [pam] and [domain] sections restart

Re: [Freeipa-users] libsssd_sudo as dependency to ipa-client

2013-03-22 Thread Jakub Hrozek
On Thu, Mar 21, 2013 at 06:58:00PM +0100, Jakub Hrozek wrote: On Thu, Mar 21, 2013 at 11:39:27PM +0600, Arthur Fayzullin wrote: HI! I have configured sssd_sudo integration on EL6.4 and it works nice! But then I've checked this: [afaizullin@domen00 ~]$ sudo package-cleanup --leaves [sudo

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-03-22 Thread Jakub Hrozek
On Thu, Mar 21, 2013 at 09:57:50PM +0100, Jan-Frode Myklebust wrote: On Thu, Mar 21, 2013 at 03:29:38PM +0100, Jakub Hrozek wrote: I see several failures related to the SELinux processing: --- (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_done

Re: [Freeipa-users] Change default shell from /bin/sh to /bin/bash from AD users

2013-03-28 Thread Jakub Hrozek
On Thu, Mar 28, 2013 at 09:56:32AM +0200, pekka.pan...@sofor.fi wrote: Hi all I have changed default shell to /bin/bash, but it seems when I log on to Linux server with my AD username it executes /bin/sh anyway. When I log in with IPA account, it executes /bin/bash. So my question is how

Re: [Freeipa-users] Installed ipa-client for CentOS 5.9 and joined it to IPA-domain, but hows AD trusts are handled?

2013-03-28 Thread Jakub Hrozek
On Thu, Mar 28, 2013 at 01:14:34PM +0200, pekka.pan...@sofor.fi wrote: Hi all again I have lots of CentOS 5.x servers and I tested one to install ipa-client and managed to join it to my ipa domain. I want also my AD users (from IPA trust) to login inside through ssh but afaik this seems

Re: [Freeipa-users] Change default shell from /bin/sh to /bin/bash from AD users

2013-04-02 Thread Jakub Hrozek
On Tue, Apr 02, 2013 at 08:43:18AM +0300, pekka.pan...@sofor.fi wrote: Rob Crittenden rcrit...@redhat.com wrote on 29.03.2013 01:09:49: Anyhow, you can override the shell on the client using the override_shell directive of sssd.conf. Simply put it into the domain section and

Re: [Freeipa-users] Installed ipa-client for CentOS 5.9 and joined it to IPA-domain, but hows AD trusts are handled?

2013-04-04 Thread Jakub Hrozek
On Wed, Apr 03, 2013 at 06:25:54PM -0400, Dmitri Pal wrote: On 04/02/2013 01:57 AM, pekka.pan...@sofor.fi wrote: From: Dmitri Pal d...@redhat.com I want also my AD users (from IPA trust) to login inside through ssh but afaik this seems to have some older SSSD version and same

Re: [Freeipa-users] Issues after setup

2013-04-04 Thread Jakub Hrozek
On Thu, Apr 04, 2013 at 03:27:37PM -0400, Shawn wrote: Hi, I have configured a ipa-server, replica and client. In the GUI I can see that all hosts are in the hosts list.. I have created a single user as well and attached that user to the client. When trying to login as the user to the

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-04-05 Thread Jakub Hrozek
On Fri, Apr 05, 2013 at 02:00:58PM +0200, Jan-Frode Myklebust wrote: On Fri, Mar 22, 2013 at 06:43:07PM +0100, Jan-Frode Myklebust wrote: Does the problem go away if you set: selinux_provider = none Sorry, no. Also the No SELinux user maps found! didn't go away. At Apr 5

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-04-05 Thread Jakub Hrozek
On Fri, Apr 05, 2013 at 02:42:33PM +0200, Jan-Frode Myklebust wrote: On Fri, Apr 05, 2013 at 08:19:21AM -0400, Dmitri Pal wrote: SELinux seems to be OK but the log definitely showing that not all users are successfully stored in a group. Hmm.. I've noticed that in

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-04-08 Thread Jakub Hrozek
On Fri, Apr 05, 2013 at 02:00:58PM +0200, Jan-Frode Myklebust wrote: On Fri, Mar 22, 2013 at 06:43:07PM +0100, Jan-Frode Myklebust wrote: Does the problem go away if you set: selinux_provider = none Sorry, no. Also the No SELinux user maps found! didn't go away. At Apr 5

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-04-08 Thread Jakub Hrozek
On Mon, Apr 08, 2013 at 12:40:53PM +0200, Jan-Frode Myklebust wrote: On Mon, Apr 08, 2013 at 12:26:43PM +0200, Jakub Hrozek wrote: I tried a similar case locally and everything worked for me. In the domain log I saw: [sssd[be[idm.lab.bos.redhat.com]]] [be_pam_handler_callback] (0x0400

Re: [Freeipa-users] Issues after setup

2013-04-10 Thread Jakub Hrozek
On Wed, Apr 10, 2013 at 02:11:14PM -0400, Rob Crittenden wrote: Shawn wrote: [root@freeipa ~]# ipa hbactest --user=myuser --host=my.fqdn. --service=sshd Access granted: True Matched rules: allow_all [root@freeipa ~]# └─ ssh

Re: [Freeipa-users] Issues after setup

2013-04-10 Thread Jakub Hrozek
On Wed, Apr 10, 2013 at 02:27:36PM -0400, Shawn wrote: (Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for SELinux data failed. /etc/selinux/targeted/logins/staajtlQ108 (Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 30 I
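The debug_level advice in the 2013-03-21 message above and the log lines quoted in these threads share one format: a timestamp, the component (for example `sssd[be[example.net]]` or `sssd[pam]`), the function name, and a hex mask such as `(0x0040)` that encodes the class of the message. The following is an added example (Python, not SSSD or FreeIPA project code and not posted in the thread) that parses lines in that format, maps each mask back to the debug_level that first enables it using the table from sssd.conf(5), and pulls out the failure-class entries. The sample log lines are constructed to resemble the ones quoted here; the messages and paths in them are illustrative, not real output.

```python
"""Parse SSSD debug log lines and relate the hex level mask to debug_level.

Added example, not code from the SSSD/FreeIPA project or from the thread.
The sample lines below are constructed to match the format quoted in the
thread. The mask-to-level table follows the sssd.conf(5) man page.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Bit mask SSSD attaches to each message, keyed by the debug_level that first
# enables it. debug_level = N turns on every mask whose level is <= N.
LEVEL_MASKS = {
    0: 0x0010,  # fatal failures
    1: 0x0020,  # critical failures
    2: 0x0040,  # serious failures (an operation failed)
    3: 0x0080,  # minor failures
    4: 0x0100,  # configuration settings
    5: 0x0200,  # function data
    6: 0x0400,  # trace messages for operation functions
    7: 0x1000,  # trace messages for internal control functions
    8: 0x2000,  # contents of function-internal variables
    9: 0x4000,  # extremely low-level tracing
}
MASK_TO_LEVEL = {mask: level for level, mask in LEVEL_MASKS.items()}
FAILURE_MASKS = frozenset(LEVEL_MASKS[level] for level in range(4))

# (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [function_name] (0x0040): message
# The component may contain nested brackets, so it is matched lazily up to
# the first "]" that is followed by whitespace.
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\)\s+"
    r"\[(?P<component>.+?)\]\s+"
    r"\[(?P<function>[^\]]+)\]\s+"
    r"\((?P<mask>0x[0-9a-fA-F]+)\):\s*"
    r"(?P<message>.*)$"
)


@dataclass
class Entry:
    timestamp: str
    component: str
    function: str
    mask: int
    message: str

    @property
    def level(self) -> Optional[int]:
        """debug_level at which this message first appears; None for an unknown mask."""
        return MASK_TO_LEVEL.get(self.mask)

    @property
    def is_failure(self) -> bool:
        """Masks 0x0010..0x0080 are the failure classes (levels 0-3)."""
        return self.mask in FAILURE_MASKS


def parse_line(line: str) -> Optional[Entry]:
    """Return an Entry for one SSSD debug line, or None if it is not in that format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Entry(m["ts"], m["component"], m["function"], int(m["mask"], 16), m["message"])


def parse_log(lines: Iterable[str]) -> List[Entry]:
    """Parse every recognisable line, silently skipping anything else."""
    return [e for e in (parse_line(ln) for ln in lines) if e is not None]


def min_debug_level(entries: Iterable[Entry]) -> int:
    """Smallest debug_level setting that would have emitted every given entry."""
    levels = [e.level for e in entries if e.level is not None]
    return max(levels) if levels else 0


def failures(entries: Iterable[Entry]) -> List[Entry]:
    """Entries in the failure classes, the first thing to look at when triaging."""
    return [e for e in entries if e.is_failure]


# Constructed sample, modelled on the lines quoted in the thread (not real output).
SAMPLE_LOG = """\
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_done] (0x0040): No SELinux user maps found!
(Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [be_pam_handler_callback] (0x0400): Backend returned: (0, 0, <NULL>) [Success]
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [write_selinux_login_file] (0x0040): creating the temp file for SELinux data failed. /etc/selinux/targeted/logins/staajtlQ108
(Wed Apr 10 14:22:45 2013) [sssd[pam]] [pam_reply] (0x0100): blen: 30
this line is not in SSSD debug format and is skipped
"""

if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG.splitlines())
    print(f"{len(parsed)} entries; needs debug_level >= {min_debug_level(parsed)} to reproduce")
    for e in failures(parsed):
        print(f"FAILURE level {e.level} {e.component} {e.function}: {e.message}")
```

Run against a real /var/log/sssd/sssd_<domain>.log or sssd_pam.log, this shows why debug_level = 6 is the usual request: it turns on the 0x0400 trace lines (like the be_pam_handler_callback line quoted on 2013-04-08) while leaving out the far noisier 0x1000 and higher classes, and the failure filter surfaces lines such as the write_selinux_login_file one above without reading the whole trace.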

Re: [Freeipa-users] Issues after setup

2013-04-10 Thread Jakub Hrozek
On Wed, Apr 10, 2013 at 02:49:46PM -0400, Shawn wrote: Yep, sure does. Thanks much. If selinux is disabled, why does it care? It's an SSSD bug: https://bugzilla.redhat.com/show_bug.cgi?id=914433 We didn't realize that SELinux disabled might mean that the directory is not there at all.
