Re: [Freeipa-users] Installing on Centos

2010-03-17 Thread Jakub Hrozek
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 03/17/2010 11:22 AM, Gerrard Geldenhuis wrote: Hi I was wondering if anyone has had any luck in getting FreeIPA compiled and installed on Centos. I am struggling a bit at the moment. I have downloaded a fedora source package which I have

Re: [Freeipa-users] can't reset password on fedora 13

2010-06-08 Thread Jakub Hrozek
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 06/08/2010 07:13 AM, Konstantin Kozlov wrote: I've installed everything from official repos. SSSD caused problems because ipa-client-install made a 'default' domain in sssd.conf and sssd was looking for SRV records in DNS for LDAP and KDC with

Re: [Freeipa-users] Invalid Credentials error on migrate-ds

2011-01-24 Thread Jakub Hrozek
On 01/24/2011 08:57 PM, Jeff B wrote: I might of missed this yesterday, is it trying to bind to the apple as Directory Manager? I thought that was for FreeIPA but now I'm not sure. I was intending to have it do an anonymous bind to the apple. If so I guess that would explain it. Yes,

Re: [Freeipa-users] Unable to authenticate a client user against IPA

2011-03-03 Thread Jakub Hrozek
On 03/04/2011 02:35 AM, Steven Jones wrote: Hi, Thanks, I think there maybe a dependency missing for the yum install of the clientwhen I go to the system-auth, ipa is there as an option but its missing a .so in nss-pam-ldapd and asks for it to be installed, the dependency off that is nscd

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-01 Thread Jakub Hrozek
On 04/30/2011 08:41 AM, nasir nasir wrote: -- About 50 Linux clients running *Kubuntu (can change this to ubuntu if necessary)* Just a warning that *Ubuntu - according to http://packages.ubuntu.com/sssd - still defaults to sssd 1.2.1, even in their natty release. There was a number of

Re: [Freeipa-users] RHEL client to IPA

2011-05-13 Thread Jakub Hrozek
On 05/13/2011 06:00 AM, Steven Jones wrote: [root@vuwunicoipamt01 etc]# ipa-getkeytab -k /tmp/vuwnicologint2.keytab -p host/vuwunicologint2.unix.vuw.ac.nz -s vuwunicoipamt01.unix.vuw.ac.nz -p admin The second -p overrides the first. signature.asc Description: OpenPGP digital signature

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-16 Thread Jakub Hrozek
On 05/15/2011 06:49 AM, nasir nasir wrote: Thanks again! NO, it was not set. I added it manually now (*automount: ldap *) and now a different error pops up in /var/log/messages while restarting autofs service, *May 15 06:32:04 hugayat automount[16256]: open_lookup:90: cannot open lookup

Re: [Freeipa-users] FreeIPA for Linux desktop deployment

2011-05-16 Thread Jakub Hrozek
On 05/16/2011 02:08 PM, nasir nasir wrote: May 16 14:14:13 rhel automount[1787]: mount.nfs4: mounting hugayat.cohort.org:/xtra/home/test1 failed, reason given by server: May 16 14:14:13 rhel automount[1787]:No such file or directory May 16 14:14:13 rhel automount[1787]: mount(nfs): nfs:

Re: [Freeipa-users] Automounter maps

2011-07-01 Thread Jakub Hrozek
On 07/01/2011 03:48 AM, Ondrej Valousek wrote: Hi, On 30.06.2011 17:29, Dmitri Pal wrote: Can you please rephrase? Do you mean that instead of documenting what we already have or in addition to it, we should also document how to configure automount with DNS? Does DNS allow specifying the

Re: [Freeipa-users] authconfig-gtk sssd

2011-08-16 Thread Jakub Hrozek
On Tue, Aug 16, 2011 at 12:47:19PM +0200, Ondrej Valousek wrote: Hi List, Quick question - is there any plan to enable system-config-authentication to enable/configure sssd on RH-5/6 systems? Thanks, Ondrej I should be already possible in RHEL6 provided you tell authconfig to use

Re: [Freeipa-users] authconfig-gtk sssd

2011-08-16 Thread Jakub Hrozek
On Tue, Aug 16, 2011 at 03:06:01PM +0200, Ondrej Valousek wrote: Hi Jakub, Ok, I have already found out - sorry for the noise. Still I have a few questions about sssd-ldap plugin (strange DNS SRV usage, inability to detect krb5 realm automatically) - which forum is the best for this type of

Re: [Freeipa-users] sssd issues

2011-08-16 Thread Jakub Hrozek
On Tue, Aug 16, 2011 at 03:56:48PM +0200, Ondrej Valousek wrote: Hi list, Ok here is the list of issues I discovered while configuring sssd against Win2008 AD rfc2307bis schema: 1. If I specify both dns_discovery_domain and ldap_uri parameters then what happens is that dns srv discovery

Re: [Freeipa-users] libcurl fix

2011-09-26 Thread Jakub Hrozek
On Mon, Sep 26, 2011 at 12:14:12PM +0200, Sigbjorn Lie wrote: My systems are updated (RHEL5/6 and Fedora 15) to latest available version from the respective repositories. And I have no issues with libcurl. I noticed updates from RHN a few weeks back. My current RHEL6 pkg:

Re: [Freeipa-users] Change Password problems (Unsupported Version)

2011-09-28 Thread Jakub Hrozek
On Wed, Sep 28, 2011 at 01:59:36PM -0400, Nalin Dahyabhai wrote: On Wed, Sep 28, 2011 at 02:49:02PM +0800, Goff, Raal wrote: The only difference I know about is that the users who CAN change their passwords have not got an expired password (so they can login and use kpasswd from the

Re: [Freeipa-users] Load balancing

2011-09-29 Thread Jakub Hrozek
On Thu, Sep 29, 2011 at 09:02:05PM +, Steven Jones wrote: Hi, I'm a bit unclear on a few aspects of the IPA design In the beginning of the fedora 15 user document there is comment on load balancing yet when you join a client its stating a specific server, so how does that work?

Re: [Freeipa-users] backing up and restoring the backend

2011-09-29 Thread Jakub Hrozek
On Thu, Sep 29, 2011 at 08:55:35PM +, Steven Jones wrote: Hi, Backing up I cant find anything in the documentation discussing backing up and recovering IPA/ldap?in the past I seem to recall the FDS/389 suggested exporting the data which was then backed up.I think there was a

Re: [Freeipa-users] HBAC rules not working

2011-11-24 Thread Jakub Hrozek
On Thu, Nov 24, 2011 at 01:41:30AM +, Steven Jones wrote: When I add a host to the hbac rule and not a host group I can login Something is wrong with the host group(s).damned if I can see what. regards Steven Jones Which SSSD version is that? There was a bug (#741751) in

Re: [Freeipa-users] Limiting group/user visibility

2011-12-01 Thread Jakub Hrozek
On Wed, Nov 30, 2011 at 01:18:46PM +0200, Lassi Pölönen wrote: Hi, I'm looking for implementing FreeIPA in an environment where there are multiple customers in multiple organizations and a single organization that manages the users, sets the access rights etc. We don't have a centralized

Re: [Freeipa-users] admin

2011-12-08 Thread Jakub Hrozek
On Thu, Dec 08, 2011 at 08:49:06PM +, Steven Jones wrote: Is this user blocked from logging into a IPA client? It is not blocked, I often use admin as a test dummy for SSSD testing. ___ Freeipa-users mailing list Freeipa-users@redhat.com

Re: [Freeipa-users] sssd in Ubuntu

2011-12-12 Thread Jakub Hrozek
On Sun, Dec 11, 2011 at 11:49:46PM +0100, Sigbjorn Lie wrote: On the other hand, even though looking up users, groups and netgroups seem fine, I cannot log in. Neither at the console, su, or ssh. Was there an issue with HBAC rules in SSSD 1.5.13 ? Dec 11 21:13:32 mint12 su[6769]:

Re: [Freeipa-users] Sudo configuration question

2011-12-21 Thread Jakub Hrozek
On Tue, Dec 20, 2011 at 12:59:45PM -0900, Erinn Looney-Triggs wrote: I have been working through configuring sudo via IPA and ran into the following situation. There is a directive in the documentation to configure /etc/sssd/sssd.conf on the clients with something like the following:

Re: [Freeipa-users] Large slow down when using IPA

2012-01-02 Thread Jakub Hrozek
On Mon, Jan 02, 2012 at 10:00:02AM -0500, Simo Sorce wrote: On Sat, 2011-12-31 at 01:35 -0900, Erinn Looney-Triggs wrote: On 12/30/2011 07:19 PM, JR Aquino wrote: On Dec 30, 2011, at 5:45 PM, Erinn Looney-Triggs wrote: I have been slowly rolling out FreeIPA to my systems, trying

Re: [Freeipa-users] Large slow down when using IPA

2012-01-02 Thread Jakub Hrozek
On Mon, Jan 02, 2012 at 12:53:29PM -0500, Simo Sorce wrote: On Mon, 2012-01-02 at 17:29 +0100, Jakub Hrozek wrote: On Mon, Jan 02, 2012 at 10:00:02AM -0500, Simo Sorce wrote: On Sat, 2011-12-31 at 01:35 -0900, Erinn Looney-Triggs wrote: On 12/30/2011 07:19 PM, JR Aquino wrote

Re: [Freeipa-users] Fedora 16 client not getting group names

2012-01-27 Thread Jakub Hrozek
On Fri, Jan 27, 2012 at 11:47:01AM -0500, Dan Scott wrote: Hi, On Fri, Jan 27, 2012 at 10:48, Stephen Gallagher sgall...@redhat.com wrote: On Fri, 2012-01-27 at 10:36 -0500, Dan Scott wrote: Hi, I have a Fedora 16 client running sssd-client-1.6.4-1.fc16.x86_64. When I run, e.g. id

Re: [Freeipa-users] automount questions

2012-03-12 Thread Jakub Hrozek
I wasn't sure about these two questions so I went ahead and asked the Red Hat autofs maintainer -- I don't think he follows this list. Below are his replies. On Sun, Mar 11, 2012 at 09:09:17PM +0100, Natxo Asenjo wrote: Second question: is it normal that one has to restart the autofs service

Re: [Freeipa-users] Unable to login where previously OK

2012-04-12 Thread Jakub Hrozek
On Thu, Apr 12, 2012 at 04:09:20AM +, Steven Jones wrote: Hi, I have a user, myself that used to be able to login to a specific IPA client / host but I am no longer able to The /var/log/secure log appears to be telling me my password is wrong, so I reset it in IPA, but on

Re: [Freeipa-users] routing requests to local servers

2012-04-13 Thread Jakub Hrozek
On Fri, Apr 13, 2012 at 01:04:55PM -0700, Brian Cook wrote: Ideally I would rely on a -group- of servers, and then rely on DNS if it is down. I don't want to hammer one server. We're talking about 500-1000 servers running virtual machines, so potentially a lot of traffic. Got

Re: [Freeipa-users] routing requests to local servers - DNS SRV + view?

2012-04-16 Thread Jakub Hrozek
On Mon, Apr 16, 2012 at 09:40:16AM -0400, Dmitri Pal wrote: On 04/13/2012 11:00 PM, Brian Cook wrote: Yes, this is exactly what I am trying to accomplish. I've already been looking in to the BIND views clause and would like to hear if anyone has any feedback as to how well

Re: [Freeipa-users] Unable to login where previously OK

2012-04-16 Thread Jakub Hrozek
On Thu, Apr 12, 2012 at 09:23:03PM +, Steven Jones wrote: sssd log at lvl6 regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 Which SSSD version is this? Are the clients that work OK the same version? Can you also

Re: [Freeipa-users] Unable to login to some clients if one of the IPA servers is down.

2012-05-01 Thread Jakub Hrozek
On Tue, May 01, 2012 at 08:41:22PM +, Steven Jones wrote: Which sssd.conf's? The machines you are logging to. ___ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Trying to trace why a user cannot login to a client

2012-05-01 Thread Jakub Hrozek
On Tue, May 01, 2012 at 08:55:38PM +, Steven Jones wrote: The sssd from rhel6.3beta workstation is 1.8.0-22.el6.x86_64 The sssd from rhel6.2 workstation is 1.5.1-66.el6_2.3.x86_64 regards Steven Jones Does by any chance your sssd.conf include a debug_level directive in the [sssd]

Re: [Freeipa-users] red hat 5 install. red hat 5 and 6 compatability

2012-05-02 Thread Jakub Hrozek
On Wed, May 02, 2012 at 10:31:08AM -0400, Matthew Davidson wrote: Sorry about not supplying the versions! On the redhat 6.2 server: ipa-admintools-2.1.3-9.el6.x86_64ipa-client-2.1.3-9.el6.x86_64ipa-server-2.1.3-9.el6.x86_64 Red Hat 5.8ipa-client-2.1.3-1.el5 I have looked over various

Re: [Freeipa-users] Trying to trace why a user cannot login to a client

2012-05-08 Thread Jakub Hrozek
On Tue, May 01, 2012 at 10:12:48PM +, Steven Jones wrote: regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463 6272 The logs only say [ipa_hbac_evaluate_rules] (3): Access granted by HBAC rule [desktop-admins-test]. The error

Re: [Freeipa-users] Trying to trace why a user cannot login to a client

2012-05-10 Thread Jakub Hrozek
On Tue, May 08, 2012 at 09:47:41PM +, Steven Jones wrote: Hi, Attached is a munin graph of what looks like a memory leak.I suspect (if you look at the munin monthly month graph) we had no issue until I think we patched..I need to ask my admins if they did patch ...(they are

Re: [Freeipa-users] Different automount for different locations

2012-05-14 Thread Jakub Hrozek
On Mon, May 14, 2012 at 09:01:34AM +0200, Jan-Frode Myklebust wrote: We have two datacenters, site-A and site-B, and would like to server the users' home directories from a local NFS-server at each location to avoid cross site mounts. Is this something the automount maps in IPA can help us

Re: [Freeipa-users] Different automount for different locations

2012-05-14 Thread Jakub Hrozek
On Mon, May 14, 2012 at 02:09:25PM +0200, Jan-Frode Myklebust wrote: On Mon, May 14, 2012 at 10:10:47AM +0200, Jakub Hrozek wrote: IPA has a concept of automount locations. Do these locations have anything to do with the Locality/Location strings in the HOST SETTINGS, so that we don't

Re: [Freeipa-users] HBAC rules take in effect on IPA clients immediately after installation?

2012-05-19 Thread Jakub Hrozek
On Fri, May 18, 2012 at 02:27:15PM -0700, Gelen James wrote: Hi all, Just like to clarify my confusion: Are the HBAC (Host Based Access Control) rules immediately in effect after IPA client software configurations through sssd? Do we have any options inside sssd.conf to

Re: [Freeipa-users] sudo rules in IPA infrastructure

2012-05-19 Thread Jakub Hrozek
On Fri, May 18, 2012 at 02:35:18PM -0700, Gelen James wrote: Hi all, Are the sudo rules applied to IPA clients through nss_ldap, instead of sssd? Neither :-) sudo looks up the user information via the standard name-service-switch maps, so if your machine is configured to fetch user

Re: [Freeipa-users] sudo rules in IPA infrastructure

2012-05-21 Thread Jakub Hrozek
On Sat, May 19, 2012 at 03:11:44PM -0700, David Copperfield wrote: Hi Jakub and Rich, Got it. Thanks a lot on the HBAC and sudoes maps access. I think I got confused with the graph in the powerpoint presentation 

Re: [Freeipa-users] ipa client - turn off NetworkManager?

2012-06-09 Thread Jakub Hrozek
On Sat, Jun 09, 2012 at 03:24:44AM -0700, Joe Linoff wrote: Hi: I read somewhere that I should turn off the NetworkManager service on the IPA server. Should I do same on the clients? It doesn't really matter for the SSSD, we don't use NM for anything but we don't mind it running either.

Re: [Freeipa-users] User can't login via ssh from external

2012-07-23 Thread Jakub Hrozek
On Mon, Jul 23, 2012 at 06:22:55PM -0400, Rob Crittenden wrote: Joe Linoff wrote: Hi Steve: Thank you for your suggestions. In the gui you can do a hbac test of the rule. I ran the hbactest rule testing from the command line using “ipa hbactest …”. It showed that the rules were

Re: [Freeipa-users] User can't login via ssh from external

2012-07-26 Thread Jakub Hrozek
On Wed, Jul 25, 2012 at 02:38:36PM -0700, Joe Linoff wrote: As Rob says, I think we should take a look at SSSD and system logs. Can you paste or attach the couple of lines that are appended to /var/log/secure during the login attempt? That should give us a clue on whether the SSSD

Re: [Freeipa-users] User can't login via ssh from external

2012-07-26 Thread Jakub Hrozek
On Thu, Jul 26, 2012 at 01:39:12AM +, Steven Jones wrote: I am now getting this Steven, are you saying you can't login even though hbactest passes for your user? Can you then append or paste the last couple of lines of /var/log/secure and the relevat part of the SSSD domain log?

Re: [Freeipa-users] User can't login via ssh from external

2012-07-26 Thread Jakub Hrozek
On Thu, Jul 26, 2012 at 09:12:35PM +, Steven Jones wrote: Yes, So, I reset the password and that failed, so I added the user to my desktop group logged in to my desktop with ssh localhost and set the password, then I could log into the client fine. Other users had no problem logging

Re: [Freeipa-users] cannot find name for user ID

2012-08-08 Thread Jakub Hrozek
On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote: An interesting problem has popped up and I am not sure where the issue lies. Users logging in are presented with cannot find name for user ID etc. etc. for all groups they are a member of id returns nothing but the numbers,

Re: [Freeipa-users] cannot find name for user ID

2012-08-09 Thread Jakub Hrozek
On Thu, Aug 09, 2012 at 12:52:47AM -0800, Erinn Looney-Triggs wrote: On 08/08/2012 01:11 PM, Jakub Hrozek wrote: On Wed, Aug 08, 2012 at 10:45:47AM -0800, Erinn Looney-Triggs wrote: An interesting problem has popped up and I am not sure where the issue lies. Users logging in are presented

Re: [Freeipa-users] need FC17 autofs + FreeIPA pointers

2012-08-12 Thread Jakub Hrozek
On Fri, Aug 10, 2012 at 05:22:11PM -0600, bin.e...@gmail.com wrote: Hi Dmitri, That is the doc I don't understand. I mean, if I follow those directions, it should just work? But where do the automaps come from once I switch over to LDAP? How to I administrate the mappings for things

Re: [Freeipa-users] Intermittent delay in authentication

2012-08-15 Thread Jakub Hrozek
On Tue, Aug 14, 2012 at 03:28:52PM -0500, KodaK wrote: I apologize in advance for not having very much information to go on. We have exactly 100 hosts in IPA right now. On occasion, maybe once or twice a day, all authentication just pauses for some amount of time. It can range from just a

Re: [Freeipa-users] Intermittent delay in authentication

2012-08-16 Thread Jakub Hrozek
On Wed, Aug 15, 2012 at 09:03:37PM +, Steven Jones wrote: Is there a bugtraq? https://fedorahosted.org/sssd/ticket/1447 https://bugzilla.redhat.com/show_bug.cgi?id=845253 regards Steven Jones Technical Specialist - Linux RHCE Victoria University, Wellington, NZ 0064 4 463

Re: [Freeipa-users] sssd client cache timer and merging IPA domains

2012-08-17 Thread Jakub Hrozek
On Thu, Aug 16, 2012 at 09:00:23PM +, Steven Jones wrote: Hi, What is the default length of time the sssd daemon on a client caches for once IPA is off line pls? If the IPA provider is offline, we never remove anything from the cache, so indefinitely. If the provider is online, we

Re: [Freeipa-users] Specifying load balancing to SSSD clients

2012-08-20 Thread Jakub Hrozek
On Mon, Aug 20, 2012 at 02:48:30PM +0100, Innes, Duncan wrote: Folks, Hopefully this isn't a dumb question, but I'm constrained by a few things on my estate and would be looking to deploy something like the following: 2 Datacentres 2 IPA servers at each datacentre ipa1.domain.com \_

Re: [Freeipa-users] SELinux user mapping

2012-08-29 Thread Jakub Hrozek
On Tue, Aug 28, 2012 at 01:54:12PM -0800, Erinn Looney-Triggs wrote: I am hoping I haven't missed something here, but it appears that the SELinux user mapping portion is not working for me. This is tested on a RHEL 6.3 client and server. The rule I have: Rule name: Developers staff_U

Re: [Freeipa-users] cannot logon: system error?

2012-09-04 Thread Jakub Hrozek
On Tue, Sep 04, 2012 at 11:02:36AM -0700, george he wrote: Hi all, This is another issue I'm having with another ipa client. Both the sever and the client are centos 6.3 The client was configured all right. I was able to log on at a point. but then after the screen was auto-locked over the

Re: [Freeipa-users] errors when one ipa server down

2012-09-10 Thread Jakub Hrozek
On Mon, Sep 10, 2012 at 09:08:07AM -0400, Rob Crittenden wrote: Dmitri Pal wrote: On 09/07/2012 04:50 PM, Rob Crittenden wrote: Michael Mercier wrote: On 2012-09-07, at 2:47 PM, Dmitri Pal wrote: On 09/07/2012 12:42 PM, Michael Mercier wrote: On 2012-09-07, at 12:14 PM, Dmitri Pal wrote:

Re: [Freeipa-users] Password requirements too stringent

2012-09-18 Thread Jakub Hrozek
On Tue, Sep 18, 2012 at 02:57:49AM +, JR Aquino wrote: On Sep 17, 2012, at 7:53 PM, Tim Hildred wrote: JR I had that line. I commented it out. Thank you. Now, what do I have to restart? I believe it should take effect in real time, but you may need to test to be sure. If

Re: [Freeipa-users] errors when one ipa server down

2012-09-18 Thread Jakub Hrozek
On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote: [root@ipaserver2 ~]ifdown eth0 # NOTE: ipaserver2 is 172.16.112.8 [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG=1 kinit mike [sssd_krb5_locator] sssd_krb5_locator_init called [sssd_krb5_locator] Found [172.16.112.8] in

Re: [Freeipa-users] errors when one ipa server down

2012-09-18 Thread Jakub Hrozek
On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote: On 2012-09-18, at 4:03 AM, Jakub Hrozek wrote: On Mon, Sep 17, 2012 at 11:17:47AM -0400, Dmitri Pal wrote: [root@ipaserver2 ~]ifdown eth0 # NOTE: ipaserver2 is 172.16.112.8 [root@ipaclient ~]# SSSD_KRB5_LOCATOR_DEBUG

Re: [Freeipa-users] Password requirements too stringent

2012-09-19 Thread Jakub Hrozek
On Tue, Sep 18, 2012 at 09:43:48PM -0400, Tim Hildred wrote: So, commenting out: passwordrequisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ucredit=-1 ocredit=-1 lcredit=0 minlen=8 Caused users updating their passwords using ssh to get: [ykatabam@ykatabam ~]$ ssh

Re: [Freeipa-users] errors when one ipa server down

2012-09-24 Thread Jakub Hrozek
On Wed, Sep 19, 2012 at 12:27:25PM -0400, Dmitri Pal wrote: On 09/19/2012 12:11 PM, Jakub Hrozek wrote: On Wed, Sep 19, 2012 at 12:00:08PM -0400, Michael Mercier wrote: On 2012-09-18, at 4:03 PM, Jakub Hrozek wrote: On Tue, Sep 18, 2012 at 02:38:13PM -0400, Michael Mercier wrote

Re: [Freeipa-users] Password failing for sudo-ldap authentication only from one host

2012-09-27 Thread Jakub Hrozek
On Thu, Sep 27, 2012 at 08:18:21AM +0200, David Sastre wrote: On Wed, Sep 26, 2012 at 11:08 PM, David Sastre Medina d.sastre.med...@gmail.com wrote: On Wed, Sep 26, 2012 at 03:06:40PM -0400, Rob Crittenden wrote: David Sastre wrote: [big snip] Does sssd work on this machine

Re: [Freeipa-users] FreeIPA 3 rc1 sslget error

2012-09-27 Thread Jakub Hrozek
On Thu, Sep 27, 2012 at 09:56:02AM +0200, Pieter Baele wrote: Hi, Two problems with FreeIPA 3 on an updated fedora 17 (updates-testing enabled) 1) dependency error for libsss_sudo Error: Package: sudo-1.8.3p1-7.fc17.x86_64 (@updates) Requires:

Re: [Freeipa-users] Password failing for sudo-ldap authentication only from one host

2012-10-02 Thread Jakub Hrozek
On Tue, Oct 02, 2012 at 10:39:29AM +0200, David Sastre wrote: sudo works correctly again, thanks to the people in this list who spend time looking into this and pointed me in the right direction. I'm sorry I missed your previous reply, David. Glad sudo works for you now!

Re: [Freeipa-users] sudo questions

2012-10-09 Thread Jakub Hrozek
On Tue, Oct 09, 2012 at 12:04:24AM +0200, Sigbjorn Lie wrote: Hi, Hi Siggi, 3. sudo integration with SSSD does not work when anonymous LDAP authentication is disabled at the server. Enabling verbose logging in SSSD seem to suggest that it's attempting anonymous auth only.

Re: [Freeipa-users] free-ipa 2.2 - login fails on some hosts but not others

2012-10-11 Thread Jakub Hrozek
On Thu, Oct 11, 2012 at 02:44:04AM -0700, Joe Linoff wrote: I am not sure how to debug this. I would start with attaching the relevant contents of /var/log/secure. Do they differ on the host that succeeds vs the one that fails? ___ Freeipa-users

Re: [Freeipa-users] sssd/pam login issues after upgrade to 2.2.1 on Fedora 17

2012-11-12 Thread Jakub Hrozek
On Sun, Nov 11, 2012 at 04:37:46PM -0600, Anthony Messina wrote: After upgrading to freeipa-{client,server}-2.2.1-1.fc17.x86_64 today, my clients are no longer able to login via kdm or ssh (and perhaps others). The secure log shows the following: sshd[28922]: pam_sss(sshd:account): Access

Re: [Freeipa-users] FreeIPA manual PAM setup help

2012-11-29 Thread Jakub Hrozek
On Thu, Nov 29, 2012 at 10:26:00AM -0500, Rob Crittenden wrote: 小龙 陈 wrote: Hi, I've been working on porting the FreeIPA client to Arch Linux lately and I'm now to the last step of the puzzle. Everything works the way it should, except for PAM, which I don't know how to setup. I must

Re: [Freeipa-users] FreeIPA manual PAM setup help

2012-11-29 Thread Jakub Hrozek
On Thu, Nov 29, 2012 at 01:56:24PM -0500, 小龙 陈 wrote: I didn't know that ipa-server is now working in Ubuntu. That's really great news! Best regards, Xiao-Long Chen I could be wrong, but I don't think the IPA server is working in Ubuntu..I know the

Re: [Freeipa-users] sssd cache

2012-12-05 Thread Jakub Hrozek
On Wed, Dec 05, 2012 at 02:20:40PM +0100, Natxo Asenjo wrote: hi, why would I want sssd to cache group/hostgroup/netgroup membership? Is the performance hit so huge on the ldap servers? I ask this because Windows admins are used to apply membership of groups to objects and the changes

Re: [Freeipa-users] sssd cache

2012-12-05 Thread Jakub Hrozek
On Wed, Dec 05, 2012 at 03:19:51PM +0100, Natxo Asenjo wrote: On Wed, Dec 5, 2012 at 3:11 PM, Jakub Hrozek jhro...@redhat.com wrote: On Wed, Dec 05, 2012 at 02:20:40PM +0100, Natxo Asenjo wrote: hi, why would I want sssd to cache group/hostgroup/netgroup membership? Is the performance

Re: [Freeipa-users] select users cannot sudo or login at the console

2012-12-07 Thread Jakub Hrozek
On Fri, Dec 07, 2012 at 09:33:22AM -0500, Rob Crittenden wrote: Albert Adams wrote: Rob, There are no HBAC rules defined other than the default allow_all rule which has not been customized. It is a vanilla instal at this point. I have not added anything other than the replica, a few

Re: [Freeipa-users] Managing Sudo through FreeIPA

2012-12-11 Thread Jakub Hrozek
On Tue, Dec 11, 2012 at 11:25:57AM -0500, Dmitri Pal wrote: The native integration in SSSD was a tech preview in 6.3 and was pretty much broken. It wasn't a TP in 6.3 because the sudo 1.8 package wasn't in 6.3 all. It was rewritten after F-17, because its cache update mechanism was extremely

Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread Jakub Hrozek
On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote: On 12/17/2012 03:11 PM, KodaK wrote: I'm attempting to install Satellite in my IPA domain. There is a ridiculous requirement that the group dba must not already exist prior to installing. Red Hat support wanted me to *remove* the

Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread Jakub Hrozek
On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote: On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote: On 12/17/2012 03:11 PM, KodaK wrote: I'm attempting to install Satellite in my IPA domain. There is a ridiculous requirement that the group dba must not already exist

Re: [Freeipa-users] anyone know how to do sssd filters?

2012-12-18 Thread Jakub Hrozek
On Tue, Dec 18, 2012 at 09:07:25AM -0600, KodaK wrote: On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek jhro...@redhat.com wrote: On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote: On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote: On 12/17/2012 03:11 PM, KodaK wrote

Re: [Freeipa-users] sudo made a bit easier to configure

2012-12-21 Thread Jakub Hrozek
On Fri, Dec 21, 2012 at 06:42:40PM +0100, Natxo Asenjo wrote: On Thu, Dec 20, 2012 at 4:43 PM, Han Boetes hboe...@gmail.com wrote: Hi, I discovered that using this recipe makes setting up sudo-ldap very simple. Even when anonymous binds is disabled. Thanks! I have not yet used sudo

Re: [Freeipa-users] problems with netgroups cached values

2013-01-07 Thread Jakub Hrozek
On Mon, Jan 07, 2013 at 12:18:12PM +0100, Natxo Asenjo wrote: hi, in sssd.conf I have this regarding netgroup caching info: entry_cache_netgroup_timeout = 300 After the file was modified, the sssd daemon was reloaded. However, the values are still being cached for 90 minutes (default

Re: [Freeipa-users] problems with netgroups cached values

2013-01-07 Thread Jakub Hrozek
On Mon, Jan 07, 2013 at 01:17:21PM +0100, Natxo Asenjo wrote: On Mon, Jan 7, 2013 at 1:07 PM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Jan 07, 2013 at 12:18:12PM +0100, Natxo Asenjo wrote: hi, in sssd.conf I have this regarding netgroup caching info: entry_cache_netgroup_timeout

Re: [Freeipa-users] problems with netgroups cached values

2013-01-07 Thread Jakub Hrozek
On Mon, Jan 07, 2013 at 03:55:49PM +0100, Natxo Asenjo wrote: hi, On Mon, Jan 7, 2013 at 3:20 PM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Jan 07, 2013 at 01:17:21PM +0100, Natxo Asenjo wrote: On Mon, Jan 7, 2013 at 1:07 PM, Jakub Hrozek jhro...@redhat.com wrote: On Mon, Jan 07

Re: [Freeipa-users] Aiisues to wathc out fro / anticipate when upgrading RHEL6.3 and IPA 2 to 6.4 and IPA 3

2013-01-08 Thread Jakub Hrozek
On Tue, Jan 08, 2013 at 11:49:11AM -0900, Erinn Looney-Triggs wrote: On 01/08/13 11:44, Rob Crittenden wrote: Simo Sorce wrote: On Tue, 2013-01-08 at 19:31 +, Steven Jones wrote: HI, I assume RHEL 6.4 is GA shortly just how straigh forward is the upgrade from one IPA version to

Re: [Freeipa-users] Error: Fedora 18 client to IPA Server 2.2.0?

2013-01-22 Thread Jakub Hrozek
On Tue, Jan 22, 2013 at 11:02:39AM -0500, Rob Crittenden wrote: free...@noboost.org wrote: Hi, Has anyone had success with installing the IPA client on Fedora 18 (with SeLinux disabled)? Server: Red Hat Enterprise Linux Server release 6.3 (Santiago) * ipa-server-2.2.0-16.el6.x86_64

[Freeipa-users] A security bug in SSSD 1.8 and 1.9 (CVE-2013-0220)

2013-01-23 Thread Jakub Hrozek
= A security bug in SSSD 1.8 and 1.9 === = = Subject: out-of-bounds reads in autofs and ssh responder = = CVE ID#: CVE-2013-0220 = = Summary: Multiple out-of-bounds buffer read flaws were found in = the way the autofs and ssh

Re: [Freeipa-users] Unable to start replica server after setting up replication

2013-01-30 Thread Jakub Hrozek
On Wed, Jan 30, 2013 at 12:02:30PM -0500, free...@stormcloud9.net wrote: On 2013/30/01 11:59, Dmitri Pal wrote: On 01/30/2013 11:43 AM, free...@stormcloud9.net wrote: On 2013/30/01 09:37, Martin Kosek wrote: On 01/30/2013 03:22 PM, free...@stormcloud9.net wrote: On 2013/30/01 09:19,

Re: [Freeipa-users] missing member in group

2013-02-18 Thread Jakub Hrozek
On Mon, Feb 18, 2013 at 12:16:33AM -0500, Dmitri Pal wrote: On 02/17/2013 03:55 PM, Jan-Frode Myklebust wrote: On Sun, Feb 17, 2013 at 09:48:10PM +0100, Jan-Frode Myklebust wrote: (Sun Feb 17 21:40:07 2013) [sssd[be[IPALDAP]]] [sdap_fill_memberships] (7): member #2

Re: [Freeipa-users] [Feature request] Adding support for sudo to ipa-client-install

2013-02-21 Thread Jakub Hrozek
On Thu, Feb 21, 2013 at 03:07:10PM +0100, Han Boetes wrote: This is what you have to do to enable sudo support while using freeipa: I got it all from sssd-sudo(5). # yum install libsss_sudo Add this line to /etc/nsswitch.conf sudoers: files sss Edit /etc/sssd/sssd.conf and make

Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-25 Thread Jakub Hrozek
On Sat, Feb 23, 2013 at 10:40:03PM +, Dale Macartney wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 02/23/2013 10:36 PM, Rob Crittenden wrote: Dale Macartney wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Even folks I've verified this both in a kickstart

Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-25 Thread Jakub Hrozek
On Mon, Feb 25, 2013 at 10:30:44AM +, Dale Macartney wrote: What state is your SELinux in? Permissive/Enforcing/Disabled ? Another fail on my part. Works fine in permissive mode. No, the SSSD should be working out of the box with SELinux Enforcing. AVC denials listed below..

Re: [Freeipa-users] RHEL 6.4 ipa-client install on ipa member server

2013-02-25 Thread Jakub Hrozek
On Mon, Feb 25, 2013 at 11:06:09AM +, Dale Macartney wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 02/25/2013 10:58 AM, Jakub Hrozek wrote: On Mon, Feb 25, 2013 at 10:30:44AM +, Dale Macartney wrote: What state is your SELinux in? Permissive/Enforcing/Disabled

Re: [Freeipa-users] proper way to clear sssd cache without sss_cache?

2013-02-26 Thread Jakub Hrozek
On Tue, Feb 26, 2013 at 02:36:42PM -0500, Dmitri Pal wrote: On 02/26/2013 02:29 PM, KodaK wrote: I know that at some point the sssd package (or maybe the tools package) started including sss_cache for managing the sssd cache. I have some RHEL5 boxes that don't have this utility. I've

Re: [Freeipa-users] meaning of several domains in sssd.conf

2013-02-27 Thread Jakub Hrozek
On Wed, Feb 27, 2013 at 08:19:27AM +0100, Jan-Frode Myklebust wrote: What does it mean to have several domains listed in sssd.conf ? Will they all be queried on each login, or will only the first domain be queried if the user/groups is found there? If the user is found in the first domain,

Re: [Freeipa-users] meaning of several domains in sssd.conf

2013-02-27 Thread Jakub Hrozek
On Wed, Feb 27, 2013 at 09:47:39AM +0100, Jan-Frode Myklebust wrote: On Wed, Feb 27, 2013 at 09:31:43AM +0100, Jakub Hrozek wrote: Are there any issues you are seeing with IPA's sssd_be? It would definitely be better to fix those first rather than attempting a workaround like

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-03-19 Thread Jakub Hrozek
On Tue, Mar 19, 2013 at 09:41:23PM +0100, Jan-Frode Myklebust wrote: Hello Jan, I'm sorry you're seeing performance problems. We're struggeling with the performance of IPA, and have tried switching to the ldap backend for sssd to be able to see what's happening. The attached trace is from a

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-03-20 Thread Jakub Hrozek
On Tue, Mar 19, 2013 at 11:05:14PM +0100, Jan-Frode Myklebust wrote: On Tue, Mar 19, 2013 at 10:01:16PM +0100, Jakub Hrozek wrote: Hello Jan, I'm sorry you're seeing performance problems. We have been struggeling with performance and crashes for a while now. Have had one crash were

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-03-20 Thread Jakub Hrozek
On Wed, Mar 20, 2013 at 02:04:24PM +0100, Jan-Frode Myklebust wrote: On Wed, Mar 20, 2013 at 10:44:10AM +0100, Jakub Hrozek wrote: This really sounds like a bug. If you encounter a situation like this, where a group does not show all its members, feel free to open a bug. I have been

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-03-21 Thread Jakub Hrozek
On Thu, Mar 21, 2013 at 11:43:55AM +0100, Jan-Frode Myklebust wrote: On Wed, Mar 20, 2013 at 02:29:07PM +0100, Jakub Hrozek wrote: I think pasting or attaching SSSD logs would be a good start. Can you put debug_level = 6 into your sssd.conf into the [pam] and [domain] sections restart

Re: [Freeipa-users] libsssd_sudo as dependency to ipa-client

2013-03-22 Thread Jakub Hrozek
On Thu, Mar 21, 2013 at 06:58:00PM +0100, Jakub Hrozek wrote: On Thu, Mar 21, 2013 at 11:39:27PM +0600, Arthur Fayzullin wrote: HI! I have configured sssd_sudo integration on EL6.4 and it works nice! But then I've checked this: [afaizullin@domen00 ~]$ sudo package-cleanup --leaves [sudo

Re: [Freeipa-users] Slow ipa performance -- why so many ldap lookups ?

2013-03-22 Thread Jakub Hrozek
On Thu, Mar 21, 2013 at 09:57:50PM +0100, Jan-Frode Myklebust wrote: On Thu, Mar 21, 2013 at 03:29:38PM +0100, Jakub Hrozek wrote: I see several failures related to the SELinux processing: --- (Thu Mar 21 08:23:57 2013) [sssd[be[example.net]]] [ipa_selinux_get_maps_done

Re: [Freeipa-users] Change default shell from /bin/sh to /bin/bash from AD users

2013-03-28 Thread Jakub Hrozek
On Thu, Mar 28, 2013 at 09:56:32AM +0200, pekka.pan...@sofor.fi wrote: Hi all I have changed default shell to /bin/bash, but it seems when i logon to Linux server with my AD username it executes /bin/sh anyway. When i login with IPA account, it executes /bin/bash. So my question is how

Re: [Freeipa-users] Installed ipa-client for CentOS 5.9 and joined it to IPA-domain, but hows AD trusts are handled?

2013-03-28 Thread Jakub Hrozek
On Thu, Mar 28, 2013 at 01:14:34PM +0200, pekka.pan...@sofor.fi wrote: Hi all again I have lots of CentOS 5.x servers and i tested one to install ipa-client and managed to join it to my ipa domain. I want also my AD users (from IPA trust) to login inside thru ssh but afaik this seems

Re: [Freeipa-users] Change default shell from /bin/sh to /bin/bash from AD users

2013-04-02 Thread Jakub Hrozek
On Tue, Apr 02, 2013 at 08:43:18AM +0300, pekka.pan...@sofor.fi wrote: Rob Crittenden rcrit...@redhat.com wrote on 29.03.2013 01:09:49: Anyhow, you can override the shell on the client using the override_shell directive of sssd.conf. Simply put it into the domain section and

Re: [Freeipa-users] Installed ipa-client for CentOS 5.9 and joined it to IPA-domain, but hows AD trusts are handled?

2013-04-04 Thread Jakub Hrozek
On Wed, Apr 03, 2013 at 06:25:54PM -0400, Dmitri Pal wrote: On 04/02/2013 01:57 AM, pekka.pan...@sofor.fi wrote: From: Dmitri Pal d...@redhat.com I want also my AD users (from IPA trust) to login inside thru ssh but afaik this seems to have some older SSSD version and same

  1   2   3   4   5   6   7   8   9   >