Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-13 Thread Sumit Bose
On Sat, Dec 12, 2015 at 01:34:53PM +0100, Stefano Cortese wrote: > > > This is expected because if either the principal or the user name is > known to SSSD the localauth plugin will take control because by default > the added modules are registered first (see [plugins] section of man >

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-08 Thread Stefano Cortese
Jakub Hrozek wrote: On Mon, Dec 07, 2015 at 06:04:30PM +0100, Stefano Cortese wrote: So the questions are: - is there another cleaner way to exclude the localauth sssd plugin (considering that the configuration snippet is recreated at every sssd restart)?

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-08 Thread Stefano Cortese
Sumit Bose wrote: On Mon, Dec 07, 2015 at 06:04:30PM +0100, Stefano Cortese wrote: So the questions are: - is there another cleaner way to exclude the localauth sssd plugin (considering that the configuration snippet is recreated at every sssd restart)?

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-08 Thread Stefano Cortese
Sumit Bose wrote: On Mon, Dec 07, 2015 at 06:04:30PM +0100, Stefano Cortese wrote: So the questions are: - is there another cleaner way to exclude the localauth sssd plugin (considering that the configuration snippet is recreated at every sssd restart)?

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-08 Thread Sumit Bose
On Tue, Dec 08, 2015 at 02:33:40PM +0100, Stefano Cortese wrote: > Hi Sumit > yes it works commenting out the line 'enable_only = sssd' and making > the file immutable , namely the .k5login file is read and enforced. > But respect to the solution emptying completely the snippet, it is lost > the

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-08 Thread Stefano Cortese
Simo Sorce wrote: I am attempting to log from a local machine as "userA" using the credentials of a "service principal" defined in IPA to a remote machine as "userB" The userB principal is resolvable on the remote host via "getent passwd userB" because it is a user principal.

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-08 Thread Jakub Hrozek
On Tue, Dec 08, 2015 at 02:30:54PM +0100, Stefano Cortese wrote: >Jakub Hrozek wrote: > > On Mon, Dec 07, 2015 at 06:04:30PM +0100, Stefano Cortese wrote: > > > So the questions are: > - is there another cleaner way to exclude the localauth sssd plugin > (considering that the

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-07 Thread Stefano Cortese
> So the questions are: > - is there another cleaner way to exclude the localauth sssd plugin > (considering that the configuration snippet is recreated at every sssd > restart)? Can you test if this hack would help: # service sssd stop # rm

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-07 Thread Sumit Bose
On Mon, Dec 07, 2015 at 06:04:30PM +0100, Stefano Cortese wrote: > >> So the questions are: > >> - is there another cleaner way to exclude the localauth sssd plugin > >> (considering that the configuration snippet is recreated at every sssd > >> restart)? > > > >Can you test if this hack would

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-07 Thread Simo Sorce
On Mon, 2015-12-07 at 18:04 +0100, Stefano Cortese wrote: > > > So the questions are: > > > - is there another cleaner way to exclude the localauth sssd plugin > > > (considering that the configuration snippet is recreated at every sssd > > > restart)? > > > > Can you test if this hack would help:

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-07 Thread Jakub Hrozek
On Mon, Dec 07, 2015 at 06:04:30PM +0100, Stefano Cortese wrote: > >> So the questions are: > >> - is there another cleaner way to exclude the localauth sssd plugin > >> (considering that the configuration snippet is recreated at every sssd > >> restart)? > > > >Can you test if this hack would

Re: [Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-07 Thread Jakub Hrozek
On Sat, Dec 05, 2015 at 06:44:45PM +0100, Stefano Cortese wrote: > Hello, > we have a number of ipa 3.0 clients that have been upgraded from Scientific > Linux 6.6 to 6.7 and after the upgrade both the .k5login authorization and > auth_to_local_names mappings don't work anymore as before. > The

[Freeipa-users] .k5login and auth_to_local_names principal -> account mapping and localauth plugin not working on 6.7

2015-12-05 Thread Stefano Cortese
Hello, we have a number of ipa 3.0 clients that have been upgraded from Scientific Linux 6.6 to 6.7 and after the upgrade both the .k5login authorization and auth_to_local_names mappings don't work anymore as before. The environment is linux only with no AD/Samba Essentially we are using