hi errbody, i may have an easy question, but i haven't found anything in
the documentation which describes my use-case exactly. i hope you can help.
my environment is kerberos for authentication and kerberos using
host-keytab for ldap binds. sssd is working fine for this setup. the
wrinkle is t
On 11/04/13 21:01, Stephen Gallagher wrote:
On 04/11/2013 03:33 PM, Rowland Penny wrote:
On 11/04/13 19:50, Dmitri Pal wrote:
On 04/11/2013 02:30 PM, Rowland Penny wrote:
On 11/04/13 18:49, Dmitri Pal wrote:
On 04/11/2013 10:00 AM, Rowland Penny
On 04/11/2013 03:33 PM, Rowland Penny wrote:
> On 11/04/13 19:50, Dmitri Pal wrote:
>> On 04/11/2013 02:30 PM, Rowland Penny wrote:
>>> On 11/04/13 18:49, Dmitri Pal wrote:
On 04/11/2013 10:00 AM, Rowland Penny wrote:
> On 08/04/13 11:39, Jaku
I may take a look to FreeIPA in the future, but it's not in my immediate
plans.
As you can see, my blog is low traffic and low content. I'm really not sure
if it will help to blog about the test days. But I'll make sure to take a
look at it and eventually add a note about 'em.
Thanks again for the
On 11/04/13 19:50, Dmitri Pal wrote:
On 04/11/2013 02:30 PM, Rowland Penny wrote:
On 11/04/13 18:49, Dmitri Pal wrote:
On 04/11/2013 10:00 AM, Rowland Penny wrote:
On 08/04/13 11:39, Jakub Hrozek wrote:
On Fri, Apr 05, 2013 at 08:15:14PM +0100, Rowland Penny wrote:
On 05/04/13 19:46, Dmitri
On 04/11/2013 02:44 PM, Mathieu Lemoine wrote:
> Thanks Dmitri for the feedback.
>
> I made the modifications you asked for. Including a disclaimer
> regarding enumerate. I wasn't aware of this issue by the way. So thank
> you.
>
> From what I can make out of the logs I was given to read, I think
On 04/11/2013 02:30 PM, Rowland Penny wrote:
> On 11/04/13 18:49, Dmitri Pal wrote:
>> On 04/11/2013 10:00 AM, Rowland Penny wrote:
>>> On 08/04/13 11:39, Jakub Hrozek wrote:
On Fri, Apr 05, 2013 at 08:15:14PM +0100, Rowland Penny wrote:
> On 05/04/13 19:46, Dmitri Pal wrote:
>> On 04/
Thanks Dmitri for the feedback.
I made the modifications you asked for. Including a disclaimer regarding
enumerate. I wasn't aware of this issue by the way. So thank you.
From what I can make out of the logs I was given to read, I think SSSD
actually fetches the ssh public key during the enumerat
On 11/04/13 18:49, Dmitri Pal wrote:
On 04/11/2013 10:00 AM, Rowland Penny wrote:
On 08/04/13 11:39, Jakub Hrozek wrote:
On Fri, Apr 05, 2013 at 08:15:14PM +0100, Rowland Penny wrote:
On 05/04/13 19:46, Dmitri Pal wrote:
On 04/05/2013 02:40 PM, Rowland Penny wrote:
On 05/04/13 19:00, Jakub H
On 04/11/2013 02:04 PM, Mathieu Lemoine wrote:
> Hello,
>
> Me again. As promised, here is the link to the blog post:
> http://blog.mlemoine.name/2013/04/11/centralizing-server-access.html
>
> Enjoy! (Feedback is welcome and will be appreciated.)
>
Thank you for the pointer. Several comments
s/SSS
Hello,
Me again. As promised, here is the link to the blog post:
http://blog.mlemoine.name/2013/04/11/centralizing-server-access.html
Enjoy! (Feedback is welcome and will be appreciated.)
Mathieu.
2013/3/25 Dmitri Pal
> On 03/19/2013 01:52 PM, Mathieu Lemoine wrote:
>
> Hello,
>
> I have ss
On 04/11/2013 10:00 AM, Rowland Penny wrote:
> On 08/04/13 11:39, Jakub Hrozek wrote:
>> On Fri, Apr 05, 2013 at 08:15:14PM +0100, Rowland Penny wrote:
>>> On 05/04/13 19:46, Dmitri Pal wrote:
On 04/05/2013 02:40 PM, Rowland Penny wrote:
> On 05/04/13 19:00, Jakub Hrozek wrote:
>> On F
On 04/11/2013 10:45 AM, Jakub Hrozek wrote:
Can you remind me what that problem was? Were you getting some kind of
transaction error?
Can you run the tool with:
sss_useradd --debug-level 10
?
That switch doesn't appear to exist on either of my systems
(--debug-level for sss_useradd); running
On 04/11/2013 10:59 AM, Simo Sorce wrote:
Any reason why you need a local user at all ? (Just curious)
Simo.
This is mostly an artifact of having a different domain username
(suttonh) than my Linux username (sutton). My last name felt a much more
natural account name to use and I did so fro
On Thu, 2013-04-11 at 10:22 -0400, Sutton, Harry (GSSE) wrote:
> On 04/11/2013 09:55 AM, Simo Sorce wrote:
> >
> > Because the PAM stack is completely separate from the NSS stack,
> > although we suggest people to not do this normally you can use an option
> > in nsswitch.conf to avoid falling thro
On Thu, Apr 11, 2013 at 10:22:30AM -0400, Sutton, Harry (GSSE) wrote:
> On 04/11/2013 09:55 AM, Simo Sorce wrote:
> >
> >Because the PAM stack is completely separate from the NSS stack,
> >although we suggest people to not do this normally you can use an option
> >in nsswitch.conf to avoid falling
On 04/11/2013 09:55 AM, Simo Sorce wrote:
Because the PAM stack is completely separate from the NSS stack,
although we suggest people to not do this normally you can use an option
in nsswitch.conf to avoid falling through NSS modules during the
initgroups call to avoid paying the penalty for loc
On 08/04/13 11:39, Jakub Hrozek wrote:
On Fri, Apr 05, 2013 at 08:15:14PM +0100, Rowland Penny wrote:
On 05/04/13 19:46, Dmitri Pal wrote:
On 04/05/2013 02:40 PM, Rowland Penny wrote:
On 05/04/13 19:00, Jakub Hrozek wrote:
On Fri, Apr 05, 2013 at 05:36:32PM +0100, Rowland Penny wrote:
On 05/
On Thu, 2013-04-11 at 09:44 -0400, Sutton, Harry (GSSE) wrote:
> On 04/11/2013 09:10 AM, Stephen Gallagher wrote:
> >
> >
> > Ok, that definitely is showing where the problem lies. This strongly
> > suggests to me that you have a user in your LDAP with the same name as
> > on your local system. Wha
On 04/11/2013 09:10 AM, Stephen Gallagher wrote:
Ok, that definitely is showing where the problem lies. This strongly
suggests to me that you have a user in your LDAP with the same name as
on your local system. What's most likely happening is that the
initgroups() call internally is walking thr
On 04/11/2013 09:03 AM, Sutton, Harry (GSSE) wrote:
> On 04/11/2013 08:44 AM, Stephen Gallagher wrote:
>>
>> Also, try the following experiment:
>>
>> time id -G
>>
>> and show me the output.
>>
>
> On the Fedora laptop:
>
> real 0m58.014s us
On 04/11/2013 08:44 AM, Stephen Gallagher wrote:
You shouldn't be seeing any delays at all for the local user during
login, unless the initgroups() call for that user is taking a long
time. The PAM stack should not be getting to pam_sss.so at all if it's
properly configured. What version of SSS
On 04/11/2013 08:40 AM, Stephen Gallagher wrote:
Our default behavior on modern systems is actually to store the
kerberos credential cache in volatile storage (a tmpfs on Fedora).
This is intentional as a security precaution, as it means that on
reboot you need to have human intervention in orde
On 04/11/2013 08:42 AM, Sumit Bose wrote:
I think krb5_store_password_if_offline (see man sssd-krb5) is the option
you are looking for. About the strange date, sssd creates an empty
credential cache with UNIX epoch time to allow other desktop application
which tries to re-new the Kerberos ticket
On Thu 11 Apr 2013 08:22:52 AM EDT, Sutton, Harry (GSSE) wrote:
> Since getting sssd logins to work correctly, I'm noticing that
> logging in with my 'old' local user account takes orders of
> magnitude longer to complete than before. (root logins cont
On Thu, Apr 11, 2013 at 08:15:41AM -0400, Sutton, Harry (GSSE) wrote:
> After getting sssd logins working yesterday (thanks again, Sumit), I
> was pleasantly surprised to find I was able to login this morning
> with my domain credentials from home /before/ I had established my
> VPN connection to t
On 04/11/2013 08:15 AM, Sutton, Harry (GSSE) wrote:
> After getting sssd logins working yesterday (thanks again, Sumit),
> I was pleasantly surprised to find I was able to login this morning
> with my domain credentials from home /before/ I had establi
Since getting sssd logins to work correctly, I'm noticing that logging
in with my 'old' local user account takes orders of magnitude longer to
complete than before. (root logins continue to happen without any
noticeable delay.) Why is that, and is there a configuration parameter I
can change to
After getting sssd logins working yesterday (thanks again, Sumit), I
was pleasantly surprised to find I was able to login this morning
with my domain credentials from home before I had
established my VPN connection to the office. (I know I shouldn't
have necessarily been