> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_gui
389 port is a lot more efficient as it combines
authentication with setting up a secure channel in a single step.
And it also avoids the complexities of dealing with TLS (distributing
custom root CAs to clients, dealing with certificate
expiration/revocation, etc.).
On Wed, 2019-09-25 at 17:29 +0200, Lukas Slebodnik wrote:
> On (25/09/19 09:05), Simo Sorce wrote:
> > On Wed, 2019-09-25 at 11:07 +0200, Lukas Slebodnik wrote:
> > > On (24/09/19 13:46), Simo Sorce wrote:
> > > > On Tue, 2019-09-24 at 17:58 +0200, Lukas Slebodnik wr
On Wed, 2019-09-25 at 09:05 -0400, Simo Sorce wrote:
> On Wed, 2019-09-25 at 11:07 +0200, Lukas Slebodnik wrote:
> >
> > Could you file an upstream issue?
>
> Ok.
https://pagure.io/SSSD/sssd/issue/4087
HTH,
Simo.
--
Simo Sorce
RHEL Cry
On Wed, 2019-09-25 at 11:07 +0200, Lukas Slebodnik wrote:
> On (24/09/19 13:46), Simo Sorce wrote:
> > On Tue, 2019-09-24 at 17:58 +0200, Lukas Slebodnik wrote:
> > > On (24/09/19 09:26), Simo Sorce wrote:
> > > > On Tue, 2019-09-24 at 10:56 +0200, Lukas Slebodnik wr
On Tue, 2019-09-24 at 17:58 +0200, Lukas Slebodnik wrote:
> On (24/09/19 09:26), Simo Sorce wrote:
> > On Tue, 2019-09-24 at 10:56 +0200, Lukas Slebodnik wrote:
> > > On (23/09/19 18:04), Simo Sorce wrote:
> > > > On Mon, 2019-09-23 at 22:53 +0200, Lukas Slebodnik wr
On Tue, 2019-09-24 at 10:56 +0200, Lukas Slebodnik wrote:
> On (23/09/19 18:04), Simo Sorce wrote:
> > On Mon, 2019-09-23 at 22:53 +0200, Lukas Slebodnik wrote:
> > > On (23/09/19 15:55), Simo Sorce wrote:
> > > > On Mon, 2019-09-23 at 14:39 -0500, Sp
caches timed out.
> (We have other AD integration products that have this “offline caching”
> feature that can be enabled or disabled.)
SSSD has it too, I guess it is just a matter of tuning and/or "fixing"
the behavior when the daemon is unresponsive.
HTH,
Simo.
On Tue, 2018-09-25 at 08:40 +0200, Jakub Hrozek wrote:
> > On 24 Sep 2018, at 20:25, Simo Sorce wrote:
> >
> > On Mon, 2018-09-24 at 19:59 +0200, Jakub Hrozek wrote:
> > > On Mon, Sep 24, 2018 at 10:22:35AM -0400, Simo Sorce wrote:
> > > > > btw it’s
On Mon, 2018-09-24 at 19:59 +0200, Jakub Hrozek wrote:
> On Mon, Sep 24, 2018 at 10:22:35AM -0400, Simo Sorce wrote:
> > > btw it’s a good question to ask why isn’t the check done on saving
> > > the group. I thought it was and I see code that checks for ID
> > &
On Mon, 2018-09-24 at 16:44 +0200, Michael Ströder wrote:
> On 9/24/18 4:22 PM, Simo Sorce wrote:
> > For groups I would expect us to merge memberships in rfc2307 mode,
>
> If you really want to implement such merging then please disable
> it by default. So that it must be
are quite consistent), so
> it’s even not guaranteed to always receive the same answer for the
> by-GID LDAP search..
>
> btw it’s a good question to ask why isn’t the check done on saving
> the group. I thought it was and I see code that checks for ID
> uniqueness and eve
Hello K.,
SSSD implements 2 different caching options: one to allow offline
logins, and one to allow grabbing a Kerberos ticket after an offline login
once a KDC is reachable; this second option is krb5 specific.
To allow offline logins, after a successful authentication attempt
against a remote
On Thu, 2017-10-19 at 02:59 +0200, Günther J. Niederwimmer wrote:
> Am Mittwoch, 18. Oktober 2017, 14:49:58 CEST schrieb Simo Sorce:
> > On Wed, 2017-10-18 at 14:46 +0200, Günther J. Niederwimmer wrote:
> >
> > > Hello,
> > >
> > > Cent
"normal" way.
>
> Thanks for an answer,
What does "Dovecot SASL -> postfix" mean?
Is Dovecot being authenticated by Postfix, or is Postfix using Dovecot SASL?
Or something else?
What SASL mechanism are you using?
Is one system sending credentials in
our help
> >
> > The only way I can think of solving this is to configure two
> > [domains]
> > in sssd.conf and using fully qualified names, e.g. user@otpdomain
> > and
> > user@ldapdomain.
> >
>
> I know I can just skip sssd
the snippets are read in order (with order specified as "alphabetic"
or something?), then that could be the order.
The problem is that the python configuration API does not preserve
ordering of sections, so if you then use this in the main sssd.conf
where you have multiple sections and you use t
idual home dir is mounted
dynamically, and change autofs to mount a tmpfs instead if the nfs
server is down.
This way you do not change the directory where user files are but just
the mount.
My 2c,
Simo
ommunication. You do not need to enable TLS as well (and I think SSSD will
> just
> ignore that option in this case).
To add to that, although our libraries will allow it, Windows systems
refuse to do GSSAPI encryption over a TLS channel, so do not try to use
both.
Simo.
password is prompted for)
>
> password in test file need to be in cleartext.
> But without this option you will be prompted in a similar way as with
> changing password with `passwd`
How hard would it be to allow passing in a pre-hashed password?
Simo.
s://linux.die.net/man/8/sss_seed
> >
> sssd_seed works well with master. @see man 8 sss_seed
>
> But it would not solve the requirement to authenticate only in offline mode.
It would if you remove the password in LDAP and make sure a bind always
fails.
Then it would work only in offli
ring_Services.html)
> seem to differ slightly from what actually gets configured if one uses
> 'authconfig --enablesssd --enablesssdauth --update'.
authconfig usually does the correct thing which may have changed since
the times of Fedora 18.
Simo.
re not there yet:
> > https://fedorahosted.org/sssd/ticket/2078
and used in the same session, which is
FILE ccaches only.
Simo.
have a disk, and just regen it every time,
putting /var/lib/sss on NFS is just a good way to have (very) bad
performance and various issues with the databases in it.
Simo.
authentication with the same code. In
practice this may not be enforced in some implementations.
Simo.
key auth through a bastion host that
verifies 2FA auth only once.
Simo.
Please do not use the KEYRING type with CentOS/RHEL 6; it won't work the
way you expect.
Simo.
when reading the rootDSE. The client has to obey its configuration. Period.
Can you explain what is your worry here?
Simo.
memberships that span multiple domains this way ?
Simo.
but not via ssh,
changing the shell is a binary option.
Simo.
directory? Best
regards, Lukas
Our cache uses LDB, based on TDB, which uses fcntl locks for
consistency. Most network file systems do not properly handle locks,
and when they do they are *extremely* slow.
You'd probably end up with an unusable system or a corrupted cache.
Simo.
/matthughes/05aaeaf276fe5ecafddc
The cache timeout applies to everything except authentication.
You are looking for this ticket to be implemented:
https://fedorahosted.org/sssd/ticket/1807
Simo.
make it impossible to
easily fix as uid=0 is considered an invalid uid throughout all the
caching layer.
Sorry it does not meet your expectations, but this is how it works.
Simo.
On Fri, 2014-08-29 at 09:00 +0100, John Hodrien wrote:
On Thu, 28 Aug 2014, Simo Sorce wrote:
auth_provider = krb5
chpass_provider = krb5
krb5_realm = IPA.EXAMPLE.TEST
krb5_server = ipa-host.ipa.example.test
Without a keytab validation is not possible, that's not ideal.
Depending
On Fri, 2014-08-29 at 14:54 +0100, John Hodrien wrote:
On Fri, 29 Aug 2014, Simo Sorce wrote:
Although if one of the machines is compromised, now you can fool the
others, still better than no validation at all.
If I give you a null/unused.hostname@DOMAIN credential in a keytab, what can
this advice applies more to yourself :)
No, I am a practical person and do my research and will not do anything
stupid in production, you might want to, but I cannot advise it.
People please, let's keep a professional tone, name-calling will not be
tolerated.
Simo.
that sssd is designed to prohibit?
Yes, sssd silos each identity domain completely, the only 'exception' is
local groups but that's almost an accident of how nsswitch worked
historically.
Simo.
- gssproxy - KDC
NFS Server
kernel(nfs server) - gssproxy (OR rpc.svcgssd) - keytab
Simo.
On Wed, 2014-06-25 at 15:43 +0200, Jakub Hrozek wrote:
On Wed, Jun 25, 2014 at 09:34:25AM -0400, Simo Sorce wrote:
On Wed, 2014-06-25 at 09:30 +, Longina Przybyszewska wrote:
With correct domain ;)...
By default, we contact the server we establish the LDAP connection with.
I’m
On Wed, 2014-06-25 at 16:22 +0200, Jakub Hrozek wrote:
On Wed, Jun 25, 2014 at 04:07:12PM +0200, steve wrote:
On Wed, 2014-06-25 at 15:43 +0200, Jakub Hrozek wrote:
On Wed, Jun 25, 2014 at 09:34:25AM -0400, Simo Sorce wrote:
On Wed, 2014-06-25 at 09:30 +, Longina Przybyszewska wrote
for
roaming laptops are still not perfect, but for statically configured
servers I've seen no big issues).
Simo.
the DNS, though it is nice to know the right
addresses.
We do enable it by default because in some environments DNS-scrubbing is
used, i.e. if the client doesn't update the DNS for long enough it is
considered old and the whole computer account may be nuked.
HTH,
Simo.
addresses in sssd.conf configuration there isn't much you can do, again.
At most you can play with timeouts to reduce the issues.
Simo.
-SERVERS.NET for
server
DNS/a.root-servers@hh3.site that was not found
Failed find a single entry for
This is not going to work.
It seems the DNS server your client is attached to is sending back bogus
NS information?
Simo.
On Wed, 2014-05-21 at 12:02 -0400, Simo Sorce wrote:
On Wed, 2014-05-21 at 12:28 +0200, steve wrote:
On 21/05/14 12:18, Simo Sorce wrote:
On Wed, 2014-05-21 at 11:54 +0200, steve wrote:
Kerberos: TGS-REQ LUBUNTU-LAPTOP$@HH3.SITE from
ipv4:192.168.1.22:40241 for DNS/a.root-servers
and can be
removed?
At most we should make it possible to change with an option, but I think
it is totally appropriate.
Simo.
On Tue, 2014-04-29 at 15:56 +0200, Sumit Bose wrote:
On Tue, Apr 29, 2014 at 09:14:07AM -0400, Simo Sorce wrote:
On Tue, 2014-04-29 at 13:48 +0200, Sumit Bose wrote:
First, forward_pass is not needed here, because it will only forward a
password which is requested by pam_sss. In your
that
duplicate/shadows LDAP accounts, and live happily thereafter.
Simo.
are never supposed to wait
more than a handful of seconds, but I am noticing that with latest RHEL6
updates my RHEL desktop also sometimes gets stuck a while on
authentication (VPN).
I have not experienced this in F20 (but my domain controller is local).
Simo.
:)
instead of turning on enumeration.
If those users are in a specific group it is quite simple:
pull-users.sh:
#!/bin/bash
# Field 4 of the getent group line is the comma-separated member list
IFS=,
users=$(getent group mycrongroup | cut -d : -f 4)
# Look each member up individually instead of enumerating the whole domain
for u in $users; do getent passwd "$u"; done
HTH,
Simo.
On Fri, 2014-02-21 at 07:42 -0500, Stephen Gallagher wrote:
On 02/21/2014 04:46 AM, Sumit Bose wrote:
On Thu, Feb 20, 2014 at 10:22:53PM +0100, Jakub Hrozek wrote:
On Thu, Feb 20, 2014 at 04:13:51PM -0500, Simo Sorce wrote:
On Thu, 2014-02
the hostname along '.'
before appending the $
I will ping Steve Dickson (maintainer of nfs-utils) shortly about this,
but filing a bug would help anyway.
Simo.
with systemd, but I thought I will give it a try
and ask here before submitting BZ.
I do on my desktop and haven't seen the issue (F-19).
Simo.
On Thu, 2014-01-09 at 11:59 -0500, Simo Sorce wrote:
On Thu, 2014-01-09 at 16:09 +, Ondrej Valousek wrote:
Hi List,
Is anyone using kerberized nfs with sssd on F-19?
On my box systemd automatically stops nfs-secure service in spite of the
fact it is enabled. I have to re-start
, it does not :-(
No but I explicitly disabled it, I do not use autofs for homes.
Simo.
... https://en.wikipedia.org/wiki/.local
Simo.
create directories with
whatever ownership and permissions at boot time.
HTH,
Simo.
'.
This may break some apps that do reverse lookups and use Kerberos.
If you really want to set the name in /etc/hosts you *really* want to
put the FQDN as the first option and the short name second.
Simo.
On Thu, 2013-10-10 at 19:38 -0400, Stephen Gallagher wrote:
On 10/10/2013 03:47 PM, Dmitri Pal wrote:
On 10/10/2013 02:42 PM, Stephen Gallagher wrote:
On 10/10/2013 02:40 PM, Simo Sorce wrote:
On Thu, 2013-10-10 at 19:56 +0200, Jakub Hrozek
files could be installed via management tools like puppet or
cfengine.
I am personally completely against changing the file format (yes, this is a
change in file format) incompatibly.
Please use something like a \ char at the end of the line to indicate
continuation on the next line.
Simo.
On Thu, 2013-08-29 at 18:00 +0200, Jakub Hrozek wrote:
On Thu, Aug 29, 2013 at 08:52:26AM -0400, Simo Sorce wrote:
On Thu, 2013-08-29 at 13:30 +0200, Jakub Hrozek wrote:
On Thu, Aug 29, 2013 at 10:13:20AM +, Ondrej Valousek wrote:
Perfect,
And where we can find a mature IPA 3.3
, Jakub Hrozek jhro...@redhat.com
wrote:
On Tue, Jul 30, 2013 at 06:46:22PM -0400, Simo Sorce wrote:
On Tue, 2013-07-30 at 16:42 -0400, Chris Hartman wrote:
On Tue, Jul 30, 2013 at 4:24 PM, Dmitri Pal
d...@redhat.com wrote:
MSFT is just
for many operations so the GSS-Proxy
wouldn't help.
Simo.
On Wed, 2013-05-01 at 16:53 -0400, Simo Sorce wrote:
But whether you can use it or not depends on whether the dhcp server
uses just GSSAPI or still does some native kerberos calls.
If the latter it should be patched first to not use krb calls.
Are you using a script that calls nsupdate
this option, here is a
discussion of the why:
https://bugzilla.redhat.com/show_bug.cgi?id=835612
Simo.
On Thu, 2013-04-11 at 10:22 -0400, Sutton, Harry (GSSE) wrote:
On 04/11/2013 09:55 AM, Simo Sorce wrote:
Because the PAM stack is completely separate from the NSS stack,
although we suggest people to not do this normally you can use an option
in nsswitch.conf to avoid falling through NSS
On Wed, 2013-03-20 at 10:19 +0100, Pavel Březina wrote:
Hi,
I'm afraid we support ssh keys only with IPA backend at the moment.
Should we open an RFE to make it available with other backends too?
Simo.
to me.
Simo.
not :-(. But I will try to replicate the
problem and if I manage, I will send it to you.
Do you have any logs perchance?
Might be enough to figure out something.
Simo.
That is 'the new way' when it comes to Identity Management in
deployments big and small IMHO.
Simo.