Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-18 Thread Jakub Hrozek
On Mon, Jul 18, 2016 at 01:36:30PM +0000, Sullivan, Daniel [AAA] wrote: > > Are also users that are not part of this group misbehaving? > > Not that I am aware of. I’ll get you a real answer though. Are there any > known workarounds to the @ problem used to transform group names (i.e. a more

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-18 Thread Sullivan, Daniel [AAA]
> Are also users that are not part of this group misbehaving? Not that I am aware of. I’ll get you a real answer though. Are there any known workarounds to the @ problem used to transform group names (i.e. a more robust ‘override_space’ option)? I looked at the doc briefly but can’t find

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-18 Thread Jakub Hrozek
On Mon, Jul 18, 2016 at 11:56:24AM +0000, Sullivan, Daniel [AAA] wrote: > Hi, Jakub, > > In line with your performance tuning document referenced prior in this > thread, I’ve actually already implemented the three configuration changes > you specified (prior to identifying this issue). Right now

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-18 Thread Sullivan, Daniel [AAA]
Hi, Jakub, In line with your performance tuning document referenced prior in this thread, I’ve actually already implemented the three configuration changes you specified (prior to identifying this issue). Right now I am focusing on the use case documented below, because as of right now I am

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-18 Thread Jakub Hrozek
On Fri, Jul 15, 2016 at 04:35:54PM +0000, Sullivan, Daniel [AAA] wrote: > > Jakub, > > Thank you for replying to me. Before I forget I will say that I am still on > sssd 1.13 on the domain controller; I didn’t upgrade it because I haven’t had > any problems logging into that system yet. That

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Sullivan, Daniel [AAA]
Jakub, Thank you for replying to me. Before I forget I will say that I am still on sssd 1.13 on the domain controller; I didn’t upgrade it because I haven’t had any problems logging into that system yet. That being said: Thank you, but did this command return "No such user” ? Yes.

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Jakub Hrozek
On Fri, Jul 15, 2016 at 01:22:07PM +0000, Sullivan, Daniel [AAA] wrote: > Jakub, > > Sure, no problem, I am happy to provide the output that you are requesting. > Thank you for taking the time to help me. > > To answer your question, no record is returned (not missing groups). For > example,

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Jakub Hrozek
On Fri, Jul 15, 2016 at 02:04:43PM +0000, Sullivan, Daniel [AAA] wrote: > Hi, > > Changing pam_id_timeout = 60 and krb5_auth_timeout = 60 on the client in > conjunction with enabling tmpfs caching for /var/lib/sss/db on the DC appears > to have helped significantly. pam_id_timeout and

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Sullivan, Daniel [AAA]
Hi, Changing pam_id_timeout = 60 and krb5_auth_timeout = 60 on the client in conjunction with enabling tmpfs caching for /var/lib/sss/db on the DC appears to have helped significantly. This issue is becoming much more difficult to reproduce, although I can still reproduce it. Now, it appears

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Sullivan, Daniel [AAA]
Jakub, Sure, no problem, I am happy to provide the output that you are requesting. Thank you for taking the time to help me. To answer your question, no record is returned (not missing groups). For example, the output of the failure was: [root@cri-kcriwebgdp1 log]# id mjarsulic id:

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Jakub Hrozek
On Fri, Jul 15, 2016 at 12:00:56PM +0000, Sullivan, Daniel [AAA] wrote: > Lukas, > > Thank you for your reply and inquiry. > > First, to answer your question; yes, we have been using the > default_domain_suffix for some time. I am not sure what you mean by > previously, but it is currently

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Sullivan, Daniel [AAA]
Lukas, Also, I would be interested to have high-level knowledge of known regressions you describe so that we can more quickly identify that we are being impacted by a known issue as we move forward with testing and evaluation of our IPA implementation, particularly if they are missing from the

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Sullivan, Daniel [AAA]
Lukas, Thank you for your reply and inquiry. First, to answer your question; yes, we have been using the default_domain_suffix for some time. I am not sure what you mean by previously, but it is currently implemented and has been implemented prior to our 1.13 -> 1.14 upgrade. And yes, I am

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-15 Thread Lukas Slebodnik
On (14/07/16 21:23), Sullivan, Daniel [AAA] wrote: >Justin, > >Thank you for taking the time to reply to me; I really appreciate your >willingness to help. > >Upgrading to sssd 1.14 (from the copr repo) on the client seems to have fixed >this problem across the board. I don’t have a system that

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-14 Thread Sullivan, Daniel [AAA]
Hi, I wanted to follow up on this thread in case others are experiencing this problem. Installing SSSD 1.14 from the copr repository seems to have completely eliminated the HBAC issue on all systems that were exhibiting the problem as previously described.

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-14 Thread Justin Stephenson
Hello Daniel, Just to clarify the issue: user 'a.cri.dsulli...@bsdad.uchicago.edu' is a member of IDM POSIX group 'cri-cri_server_administrators_ipa' which is linked to the external group used for the AD trust. The following HBAC rule is not working to allow SSH access

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-14 Thread Sullivan, Daniel [AAA]
Hi, I have a brief follow up question regarding this issue; I’m actually not bent on using HBAC; it is a nice feature and I’d like to use it, but at the end of the day I’m not married to the idea of managing this type of policy centrally; in theory, group or user based access control using

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-13 Thread Sullivan, Daniel [AAA]
Jakub, Justin, Thank you both very much for taking the time to continue helping me resolve this issue. I apologize for not replying right away; I’ve been dealing with a production issue for most of the morning. An invocation of ‘id

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-13 Thread Sullivan, Daniel [AAA]
Hi, Lachlan, Yes, I see that from here (https://www.redhat.com/archives/freeipa-users/2016-May/msg00322.html). Unfortunately clearing the cache and restarting SSSD is not proving to help us. I’d be interested to know any progress you make on this issue. Thank you for responding to me.

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-13 Thread Sullivan, Daniel [AAA]
Sumit, Thank you for getting back to me; I really appreciate you taking the time to help me assess this problem (I am not authorized to view this bug). In order to test I upgraded to ipa-server 4.2.0-15.el7_2.17 and flushed the cache on both the client and the server; the problem still

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-13 Thread Sumit Bose
On Wed, Jul 13, 2016 at 08:37:44AM +0200, Jakub Hrozek wrote: > On Wed, Jul 13, 2016 at 09:10:07AM +0300, Alexander Bokovoy wrote: > > On Tue, 12 Jul 2016, Sullivan, Daniel [AAA] wrote: > > > Justin, > > > > > > I really appreciate you taking the time to respond to me. This problem > > > is

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-13 Thread Jakub Hrozek
On Wed, Jul 13, 2016 at 09:10:07AM +0300, Alexander Bokovoy wrote: > On Tue, 12 Jul 2016, Sullivan, Daniel [AAA] wrote: > > Justin, > > > > I really appreciate you taking the time to respond to me. This problem > > is driving me crazy and I will certainly take any help I can get. My > >

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-12 Thread Lachlan Musicman
This is exactly the issue I'm seeing too, various differences, but the symptoms are the same. Main diff would be that sometimes stopping sssd, clearing cache and restarting sssd works, but only if individual AD domain members are added to the external group - not AD domain groups. Cheers L.

Re: [Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

2016-07-12 Thread Justin Stephenson
Hello, I am assuming this is the AD trust user that is having the problem with HBAC; in my testing I was only allowed access when the HBAC rule is linked to the IDM POSIX AD trust group and not the external group used to retrieve AD trust users. I noticed the following in the logs which is