January 9, 2024 1:15 PM
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: sssd losing track of uid after existing kvm
Hi,
On Tue, Jan 9, 2024 at 4:50 PM Charles Hedrick wrote:
>
> We want to use user-mode kvm for students. I've set up a VM. It u
We want to use user-mode kvm for students. I've set up a VM. It uses 9p to
mount the user's home directory. After connecting to the VM with "virsh
console", and then exiting, sssd on the host (not in the VM, in the main host)
loses track of the user's UID. "getent passwd UNAME" works "getent
We just had to restart sssd on a large number of machines because we had a
period of DNS failure. We’re using IPA as the backend. Failures occurred on
Centos 7 and 8 and Ubuntu 18.
I don’t necessarily expect everything to work when DNS is dead, but I did
expect it to recover.
For the moment
confused? studentdb is an indirect member of lcsrcf.
> On Nov 4, 2019, at 11:24 AM, Charles Hedrick wrote:
>
> the query that generated that was
>
> ./test lcsrcf ilab1.cs.rutgers.edu
>
> We have 242 net groups in a complex multi-level setup. It’s historical, and
> doe
On Nov 4, 2019, at 11:48 AM, Sumit Bose <sb...@redhat.com> wrote:
Is my assumption that one should be able to ssh to a server and have that
server refresh tickets (like on a workstation) a valid one? If so, where
should I concentrate my efforts to get this working?
Hi,
please have
well. ilab1.cs.rutgers.edu was one of them. I would have expected it to
return yes, but it returned 0.
If I check the next level down in the hierarchy, I get success.
I’m going to email you the SSSD log file separately, as I’m not sure whether
there’s anything in it that shouldn’t be public.
I need to support netgroup checks in a service, written in C. I’m asking the
SSSD list because we’re using SSSD, which means that net group operations are
routed to the SSSD provider.
I found that innetgr doesn’t work if there are nested net groups. The man page
doesn’t suggest that this would
Cute. I wondered why the problem didn’t happen on Centos. That explains it, but
wasn’t at all the explanation I was expecting.
On Aug 26, 2019, at 9:41 AM, Jakub Hrozek <jhro...@redhat.com> wrote:
Fedora/RHEL includes 'sss' in nsswitch.conf by default precisely for
this reason.
After converting a system to sssd with an IPA backend, we found that cron was
not recognizing our users. It appears (based on using lsof to see what .so
files are open) that cron is reading nsswitch.conf at startup, and doesn’t
notice the change when sssd setup adds sss to the user map in
ain, but we
> now think this might be due to a hostname capitalization problem.
>
> On 8/13/19 11:00 AM, Charles Hedrick wrote:
>> On our Ubuntu 18.04 servers, sssd won’t start. Logging shows that it can’t
>> find any DNS servers. Restarting sssd fixes it.
>>
after the security update, I have a version of systemd
for which there’s no version of libnss-resolve that will install.
> On Aug 13, 2019, at 1:02 PM, Andreas Hasenack wrote:
>
> Hello,
>
> On Tue, Aug 13, 2019 at 1:01 PM Charles Hedrick wrote:
>>
>> On our Ubunt
On our Ubuntu 18.04 servers, sssd won’t start. Logging shows that it can’t find
any DNS servers. Restarting sssd fixes it.
/etc/resolv.conf is a symlink to ../run/systemd/resolve/stub-resolv.conf
If I replace that with a hardcoded resolv.conf with the right name server, sssd
comes up. Network
For the offline case
you’d want the user’s cache entry to include a bit saying whether 2FA was used.
That way you know whether to look for the delimiter.
> On Mar 18, 2019, at 1:06 PM, Sumit Bose wrote:
>
> On Mon, Mar 18, 2019 at 04:40:48PM +, Charles Hedrick wrote:
>> Sometime ar
Sometime around Centos 7.5, pam auth was changed to skip pam_unix except for
local accounts. The goal was to allow pam_sss to give multiple prompts for
multiple factors.
This is nice in principle, but we’re having to back out. I thought sss
maintainers and other might want to know why.
We use
PAM is just going to make the system
> even more brittle.
>
> The proper migration is to remove users from /etc/passwd, and use an ID View
> to
> "correct" any posix data on the target machines, until you can rebuild new
> ones
> with the central names.
>
> Sim
any posix data on the target machines, until you can rebuild new
> ones
> with the central names.
>
> Simo.
>
> On Mon, 2018-04-09 at 16:32 +, Charles Hedrick wrote:
>> I’m trying to support an odd configuration.
>>
>> We have an IPA system, which is
, Apr 09, 2018 at 04:32:00PM +0000, Charles Hedrick wrote:
>> I’m trying to support an odd configuration.
>>
>> We have an IPA system, which is used in the normal way for systems run by
>> staff. But we have hundreds of systems run by faculty and grad students. I’d
>
I’m trying to support an odd configuration.
We have an IPA system, which is used in the normal way for systems run by
staff. But we have hundreds of systems run by faculty and grad students. I’d
like to encourage them to integrate with our system. However their usernames
and UIDs don’t
or pam_mkhomedir. Or if using kerberized NFS, our pam_kmkhomedir.
> On Feb 27, 2018, at 3:40 AM, Alexander Bokovoy via FreeIPA-users
> wrote:
>
> On ti, 27 helmi 2018, TomK via FreeIPA-users wrote:
>> On 2/26/2018 1:27 AM, Alexander Bokovoy via
I noted before that we have a Kerberized mkhomedir. There’s a pam module,
pam_kmkhomedir. It does a kerberized call to a service on the NFS server or
some other system that has the file system mounted in a way that it can create
directories. We did this because we use Kerberized NFS. Root can’t
> On Nov 13, 2017, at 12:51 PM, Alexander Bokovoy wrote:
>
> Not sure why you keep saying that.
Your example showed only one entry. Suppose I want to generate
(host1, user1,)
(host2, user2,)
I can use
ipa netgroup-add-member --hosts=host1 --users=user1
ipa
for just
netgroups. Is that what you’d suggest?
> On Nov 13, 2017, at 12:15 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>
> On ma, 13 marras 2017, Charles Hedrick wrote:
>> While we’re on this subject, it would be useful for IPA to support
>> netgroup.byhost.
> On Nov 13, 2017, at 11:44 AM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>
> On ma, 13 marras 2017, Charles Hedrick wrote:
>> Sure. We use netgroups for /etc/exports. The most natural format for triples
>> is
>>
>> (host,,)
>>
>> That’
rlogin ignores triples that aren’t in the current NIS domain (or blank,
presumably). sshd ignores the domain component.
> On Nov 13, 2017, at 4:25 AM, Pavel Březina <pbrez...@redhat.com> wrote:
>
> On 11/08/2017 11:47 PM, Charles Hedrick wrote:
>> In my opinion the whole rfc3
is too
inefficient, so they depend upon a cache whose normal TTL is a day.
> On Nov 13, 2017, at 4:25 AM, Pavel Březina <pbrez...@redhat.com> wrote:
>
> On 11/08/2017 11:47 PM, Charles Hedrick wrote:
>> In my opinion the whole rfc3704bis implementation of net groups is won
Sure. We use netgroups for /etc/exports. The most natural format for triples is
(host,,)
That’s the format Netapp documents. By default, ipa netgroup-add-member uses
(host,-,domain)
where domain seems to come from our Kerberos domain. Netapp documentation
requests leaving that field blank,
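The (host,user,domain) triple rules this thread keeps running into (an empty field acting as a wildcard, "-" as a field that never matches, the domain component, and nested netgroups, which the earlier message about innetgr said it did not follow) as an added example, not code from the thread, from SSSD or from glibc: a small innetgr(3)-style matcher in C that walks an in-memory netgroup table, follows nested group names and guards against cycles. The table itself is constructed for the example; apart from lcsrcf, studentdb and ilab1.cs.rutgers.edu, the group and host names, the "loop" group and the case-insensitive host comparison are assumptions. A real service would ask NSS via innetgr(3)/getnetgrent(3) rather than a static table; the point here is to make the triple semantics and the nesting walk visible and testable offline.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data (not from the thread): one row per netgroup in
 * the layout `getent netgroup` prints, members separated by spaces. A bare
 * word is a nested netgroup; a parenthesised token is a (host,user,domain)
 * triple. lcsrcf nests studentdb as in the thread; everything else is
 * invented for the example. */
struct netgroup { const char *name; const char *members; };

static const struct netgroup table[] = {
    { "lcsrcf",    "staffdb studentdb (ilab1.cs.rutgers.edu,,)" },
    { "staffdb",   "(host1,user1,) (host2,user2,)" },
    { "studentdb", "(ilab2.cs.rutgers.edu,-,cs.rutgers.edu) (ilab3.cs.rutgers.edu,stud1,)" },
    { "loop",      "loop (h,u,)" },   /* self-reference: must not recurse forever */
};

#define MAX_DEPTH 16

static const char *lookup(const char *name)
{
    for (size_t i = 0; i < sizeof table / sizeof table[0]; i++)
        if (strcmp(table[i].name, name) == 0)
            return table[i].members;
    return NULL;
}

/* Compare one triple field (not NUL-terminated) with a query string.
 * A NULL query or an empty field is a wildcard; a field of "-" never
 * matches; otherwise the strings must be equal. ci=1 compares
 * case-insensitively (used for the host field here; an assumption). */
static int field_matches(const char *field, size_t len, const char *query, int ci)
{
    if (query == NULL || len == 0)
        return 1;
    if (len == 1 && field[0] == '-')
        return 0;
    if (strlen(query) != len)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char a = (unsigned char)field[i], b = (unsigned char)query[i];
        if (ci ? tolower(a) != tolower(b) : a != b)
            return 0;
    }
    return 1;
}

/* Match one "(host,user,domain)" token of length n; malformed tokens never match. */
static int triple_matches(const char *tok, size_t n,
                          const char *host, const char *user, const char *domain)
{
    if (n < 2 || tok[0] != '(' || tok[n - 1] != ')')
        return 0;
    const char *p = tok + 1, *end = tok + n - 1;
    const char *c1 = memchr(p, ',', (size_t)(end - p));
    if (!c1) return 0;
    const char *c2 = memchr(c1 + 1, ',', (size_t)(end - c1 - 1));
    if (!c2) return 0;
    return field_matches(p, (size_t)(c1 - p), host, 1)
        && field_matches(c1 + 1, (size_t)(c2 - c1 - 1), user, 0)
        && field_matches(c2 + 1, (size_t)(end - c2 - 1), domain, 0);
}

/* Depth-first walk; seen[] holds the groups on the current path (cycle guard). */
static int walk(const char *group, const char *host, const char *user,
                const char *domain, const char **seen, int depth)
{
    for (int i = 0; i < depth; i++)
        if (strcmp(seen[i], group) == 0)
            return 0;
    if (depth >= MAX_DEPTH)
        return 0;
    const char *members = lookup(group);
    if (!members)
        return depth == 0 ? -1 : 0;          /* unknown top-level group */
    seen[depth] = group;

    const char *p = members;
    while (*p) {
        while (*p == ' ') p++;
        if (!*p) break;
        const char *q = p;
        while (*q && *q != ' ') q++;
        size_t n = (size_t)(q - p);
        if (*p == '(') {
            if (triple_matches(p, n, host, user, domain))
                return 1;
        } else {
            char name[64];                   /* nested netgroup name */
            if (n < sizeof name) {
                memcpy(name, p, n);
                name[n] = '\0';
                if (walk(name, host, user, domain, seen, depth + 1) == 1)
                    return 1;
            }
        }
        p = q;
    }
    return 0;
}

/* innetgr(3)-style query over the sample table. NULL for host, user or
 * domain means "don't care". Returns 1 on match, 0 on no match,
 * -1 if the netgroup does not exist. */
int in_netgroup(const char *group, const char *host, const char *user, const char *domain)
{
    const char *seen[MAX_DEPTH];
    return walk(group, host, user, domain, seen, 0);
}

int main(void)
{
    printf("ilab2 in lcsrcf via studentdb: %d\n",
           in_netgroup("lcsrcf", "ilab2.cs.rutgers.edu", NULL, NULL));
    printf("ilab2 in studentdb with the wrong domain: %d\n",
           in_netgroup("studentdb", "ilab2.cs.rutgers.edu", NULL, "example.org"));
    return 0;
}
```

Two points the table makes concrete: a triple written as (host,-,domain) is a host-only entry, so it matches a host query but can never match a user query, which is why a user-centric check and a host-centric check over the same netgroup give different answers; and a caller that passes NULL for domain (as sshd effectively does by ignoring that component) matches regardless of what the domain field holds, while a caller that supplies one (the rlogin behaviour described above) only matches when the field is empty or equal.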
> On Nov 9, 2017, at 3:43 PM, Lukas Slebodnik <lsleb...@redhat.com> wrote:
>
> On (08/11/17 20:53), Charles Hedrick wrote:
>> We want to move our net groups from NIS to IPA. I’ve loaded the groups.
>> They’re visible on a system that uses nslcd pointed at the IPA
the triples rather than doing a
complex mapping going in and out.
> On Nov 8, 2017, at 5:08 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>
> Pavel, does this sound like the bug you were looking at wrt sudo lately?
>
> On Wed, Nov 08, 2017 at 09:46:25PM +, Charles Hed
Netapp wants the domain field to be blank. That leaves us a problem that’s hard
to solve.
On Nov 8, 2017, at 4:41 PM, Charles Hedrick
<hedr...@rutgers.edu> wrote:
OK, I see what’s going on, but it looks like a bug.
We mostly use net groups for hosts
This also looks like a bug.
On Nov 8, 2017, at 3:53 PM, Charles Hedrick
<hedr...@rutgers.edu> wrote:
We want to move our net groups from NIS to IPA. I’ve loaded the groups. They’re
visible on a system that uses nslcd pointed at the IPA server. But th
We want to move our net groups from NIS to IPA. I’ve loaded the groups. They’re
visible on a system that uses nslcd pointed at the IPA server. But the systems
that use SSSD for authentication don’t show anything. The net groups all show
as undefined.
I’ve turned on debugging and looked at the