he filter to make sure that
only the expected type of objects are returned.
HTH
bye,
Sumit
>
> > On 2024/04/29 19:55, Sumit Bose wrote:
> >
> > Hi,
> >
> > my first guess would be that the `uid=search_id` object does not have
> > the permissions to re
On Mon, Apr 29, 2024 at 03:25:49PM +0900, koson...@me.com wrote:
> Hi,
> I am trying to authenticate a user on a server (Rocky Linux release 8.9)
> using the combination of id_provider=files and auth_provider=ldap since our
> organization's LDAP server does not have a posixAccount object class.
On Mon, Apr 08, 2024 at 09:45:08PM -0600, Orion Poplawski wrote:
> It seems like one cannot unlock the screen with a different smart card than
> the one that was used to log into the session, or at least one with a
> different token id, even though they resolve to the same user (of course).
>
>
> keytab. Requested ewfk, found host/client.samba.test
> [sdap_set_sasl_options] (0x0080): Configured SASL realm not found in
> keytab. Requested FWEF.ED, found SAMBA.TEST
>
> Have I stated that all correctly?
Hi,
yes
bye,
Sumit
>
> Spike
>
> On Wed, Jan 31, 2024 at 8
On Sun, Jan 28, 2024 at 08:30:24PM +0100, Horváth Szabolcs wrote:
> Hi,
>
> I'd like to integrate our servers sitting in DMZ to Active Directory
> (domain controllers are located inside), without direct network connection
> between the parties.
> The security policy says we have to use some kind
On Mon, Jan 22, 2024 at 03:08:30PM -0600, Spike White wrote:
> All,
>
>
> We’re auditing for successful & healthy AD join of our 32K+ servers. Our
> check is basically this:
>
>
> AUTHID=$(grep ldap_sasl_authid /etc/sssd/sssd.conf | awk '{print $3}')
>
> [[ $AUTHID != host/* ]] &&
On Wed, Oct 04, 2023 at 10:28:00AM +0200, Francis Augusto
Medeiros-Logeay wrote:
>
>
> > On Oct 4, 2023, at 00:07, Lukas Slebodnik wrote:
> >
> > On (03/10/23 21:15), Francis Augusto Medeiros-Logeay wrote:
> >> Hi,
> >>
> >> We had a mechanism to allow users to mount their directory by
On Mon, Sep 18, 2023 at 07:04:16PM -, Jeremy Tourville wrote:
> We are running IPA ver. 4.9.11
>
> We have noted that several client machines are unable to login. When running
> the id command we get "id: 'user_whoever': no such user.
>
> When testing the id command on our IPA server for
On Wed, Jun 14, 2023 at 03:45:53PM +0200, Adam Cecile wrote:
> On 6/14/23 15:42, Striker Leggette wrote:
> > On 6/14/23 09:35, Adam Cecile wrote:
> > > (2023-06-14 15:21:20): [pac] [sbus_dbus_request_name] (0x0020):
> > > Unable to
> > > request name on the system bus [3]
> > This seems to be
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = AD.ADMIN
> dns_lookup_realm = false
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
> ```
>
> Regards
> Sachin Kumar
>
On Wed, May 03, 2023 at 12:17:31PM +0530, Sac Isilia wrote:
> Hi Team,
>
> We are using sssd in our environment for authentication of AD users. But it
> disconnect from domain for unknown reasons.
>
> Can someone help if there is some best practice or script that
> automatically rejoin the
On Tue, May 02, 2023 at 06:47:21AM -, David Serrano Amarelle wrote:
> Hi Sumit,
>
> Thanks a lot for your help.
>
> About:
>
> > if I understand it correctly there are groups in AD with GIDs 102242 and
> > 100327 and there are objects (users or groups) in IPA with are using the
> > same
On Mon, May 01, 2023 at 11:16:00AM -, David Serrano Amarelle wrote:
>
> First, I would like to appreciate all the help you could provide me. I have
> an issue with sssd and nss that I don't still understand quite well...
>
> The point is that I have configured some servers with 2 active
On Mon, Mar 13, 2023 at 10:34:43AM -, Hristina Marosevic wrote:
> Hello,
>
> Since I can not find relevant information on web about this I would like to
> ask you about my current issue.
> In my SSSD configuration I have two LDAP URIs, one defines as value of
> ldap_uri and other defined
On Thu, Mar 02, 2023 at 01:51:47PM -0600, Spike White wrote:
> All,
>
> We are surveying our ecosystem of Linux servers, trying to slowly eradicate
> the weak rc4 encryption from AD. (Our AD team has done all the legwork;
> plus we’ve tested and we’re certain that rc4 is not required for
On Fri, Jan 13, 2023 at 01:41:28PM -, Bill McGrory wrote:
> Hello,
> I am looking for clues on how to debug a problem with my configuration for
> using LDAP and Yubikey PIV authentication.
> I have successfully gotten my sssd config to recognize my ldap server, and
> can authenticate and
On Thu, Jan 05, 2023 at 11:03:55AM -0600, Spike White wrote:
> All,
>
> Our org uses sssd for direct integration to our corp AD forest, which has
> the std MS schema extension (RFC 2307bis IIRC).
>
> Currently, we have some Windows builds running in the Azure cloud,
> integrated via AzureAD.
On Tue, Dec 20, 2022 at 07:14:42PM -0600, Sundar Vadivelu wrote:
> Hi all,
> I am working on a system which does TACACS+ authentication of users with
> pam_tacplus and nss_tacplus libraries
> nss_tacplus: https://github.com/benschumacher/nss_tacplus
> pam_tacplus:
On Tue, Dec 20, 2022 at 06:55:58PM -, Jeffrey Chung wrote:
> Hello all. We’re noticing an issue where at times the id command does not
> return a complete list of the user’s secondary groups. In our Linux
> environment we use both Universal and Global groups and it’s always only the
>
On Wed, Dec 14, 2022 at 07:52:38PM +, Christian, Mark wrote:
> On Wed, 2022-12-14 at 13:00 -0600, Spike White wrote:
> > Sssd experts,
> > We have been running sssd to AD integrate to a cross-domain AD forest
> > for ~2 years now. With RHEL 7, 8 and (now) 9 servers. Has worked
> > great.
>
On Thu, Dec 08, 2022 at 01:15:51AM +, Christian, Mark wrote:
> On Thu, 2022-12-08 at 00:32 +, Christian, Mark wrote:
> > I have a single ldap instance that provides ID for accounts across
> > multiple trusted kerberos realms. I don't see a way to list multiple
> > kerberos REALMS under a
b cb 11 bb 5f-7f 71 ba eb 15 1e 1e 70 .U._.q.p
> 00c0 - 36 3e 9d ce 42 2c 60 6d-d0 7f de 60 4a a9 80 da 6>..B,`m...`J...
>
> Start Time: 1670399902
> Timeout : 7200 (sec)
> Verify return code: 0 (ok)
> Extended master secret: no
> Max
On Tue, Dec 06, 2022 at 05:14:34PM -0600, Jarett DeAngelis wrote:
> Hi,
>
> I am trying to get SSSD to authenticate against an OpenLDAP directory. I have
> "debug_level" turned up to 10 but have not been able to figure out what the
> problem is based on the log.
>
> On an Ubuntu 22.04 system
On Thu, Nov 24, 2022 at 09:10:29AM -, Erdem YANIK wrote:
> Hello, I've been struggling for 4 days and according to the information I
> have stated below, I cannot access the linux operating system joined in AD to
> users with different suffixes.
> What kind of config should I make, can you
On Wed, Nov 23, 2022 at 03:55:25PM +0100, Francis Augusto
Medeiros-Logeay wrote:
...
> >>
> >> Here it is:
> >>
> >> userPrincipalName: francis
> >
> > Hi,
> >
> > ok, this explains the failure. It is expected that the attribute value
> > is 'n...@domain.name', see e.g.
> >
On Wed, Nov 23, 2022 at 11:19:25AM +0100, Francis Augusto
Medeiros-Logeay wrote:
>
>
> > On 23 Nov 2022, at 07:19, Sumit Bose wrote:
> >
> > On Tue, Nov 22, 2022 at 08:10:26PM +0100, Francis Augusto
> > Medeiros-Logeay wrote:
> >>
> >>
On Tue, Nov 22, 2022 at 08:10:26PM +0100, Francis Augusto
Medeiros-Logeay wrote:
>
>
...
> >
> > Hi,
> >
> > would it be possible to send me debug logs with 'debug_level = 9' in the
> > [domain/...] and [pac] sections of sssd.conf where neither
> > ldap_user_principal nor 'krb5_validate =
On Tue, Nov 22, 2022 at 03:29:18PM +0100, Francis Augusto
Medeiros-Logeay wrote:
>
>
> > On 22 Nov 2022, at 15:22, Sumit Bose wrote:
> >
> > On Tue, Nov 22, 2022 at 02:21:13PM +0100, Francis Augusto
> > Medeiros-Logeay wrote:
> >> Hi,
> >>
On Tue, Nov 22, 2022 at 02:21:13PM +0100, Francis Augusto
Medeiros-Logeay wrote:
> Hi,
>
> After the latest updates coming from Red Hat on RHEL 8.7, we can't
> authenticate on AD. The logs show this:
>
> Nov 22 14:15:53 ic-rhel8-t001.c.domain.no sshd[6275]: pam_sss(sshd:auth):
> received for
- Forwarded message from Rob Crittenden via FreeIPA-users
-
Date: Mon, 14 Nov 2022 10:19:15 -0500
From: Rob Crittenden via FreeIPA-users
To: FreeIPA users list
Cc: Rob Crittenden
Subject: [Freeipa-users] Microsoft November 2022 updates breaks Active
Directory
e way SSSD is written "can't" ignore all these
> extraneous things it checks for, do you (or anyone else) know of a way to
> auth + create users from SAML logins? Those are easy/free for us to set up.
>
> Thanks,
> J
>
> > On Aug 22, 2022, at 1:07 AM, Sumit Bose
On Sun, Aug 21, 2022 at 01:24:29AM -, Jarett DeAngelis wrote:
> Hi everyone,
>
> I am trying to get SSSD to auth against an LDAP service provided by an IAM
> SaaS company that goes out of its way to make its LDAP interface as minimal
> as possible. All I want SSSD to do is check usernames
On Thu, Jun 23, 2022 at 04:49:34PM +0200, Alexey Tikhonov wrote:
> On Thu, Jun 23, 2022 at 3:19 PM Fisher, Philip wrote:
>
> > Hello SSSD people
> >
> > Is there a way to run (on RHEL 8 specifically) a command or query
> > information so that a logged in (authorised) user can see the GPOs that
On Thu, Jun 23, 2022 at 10:24:33AM -0600, Orion Poplawski wrote:
> The docs seem a little unclear to me on this. They note that when using the
> AD provider sssd will perform site discovery to find the closest AD
> controller. But what about when using the IPA provider? It seems to me like
>
On Thu, Jun 02, 2022 at 05:17:12PM -0400, Jim Kinney wrote:
> I have set krbPrincipalExpiration but it's not referenced as far as I can
> tell. That setting will block use of a password which is why I was thinking a
> pam setting change for sshd would pull it in. But password in pam uses the
>
dk,cn=sysdb]
> > (Tue May 10 07:43:02 2022) [be[domain.dk]] [sysdb_set_entry_attr]
> > (0x0200): Entry [name=b...@domain.dk,cn=users,cn=domain.dk,cn=sysdb] has
> > set [cache, ts_cache] attrs.
> > (Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_access_done] (0x0400):
> >
On Mon, May 09, 2022 at 01:54:00PM +0200, Bo Riis Toelberg Kristensen wrote:
> Hi
>
> I'm trying to authenticate users based on group membership in our Google
> LDAP directory.
> I can authenticate just fine without the 'ldap_access_filter' but when I
> enable it they still authenticate even
On Thu, Apr 07, 2022 at 08:19:47PM +0200, Francis Augusto
Medeiros-Logeay wrote:
>
>
> --
> Francis Augusto Medeiros-Logeay
> Oslo, Norway
>
> > Hi,
> >
> > iirc there is a special VMware PAM module which let user pass without
> > entering the password if they are already authenticated at
On Thu, Apr 07, 2022 at 01:34:27PM -, Francis Augusto
Medeiros-Logeay wrote:
> Hi,
>
> Having some RHEL 8 machines as vdi on a VMware Horizon desktop pool,
> we see that when reconnecting to a machine, system-auth and its
> pam-stack is executed (at least I think so).
> Is there a way to
On Mon, Mar 21, 2022 at 12:54:19PM -, Francis Augusto
Medeiros-Logeay wrote:
> Hi Sumit,
>
> Thanks for the answer.
> I hear what you are saying, but I guess you are not taking into account the
> new `tgt_renewal` option that was introduced on sssd 2.5.0, which might be
> able to renew
On Mon, Mar 21, 2022 at 10:55:00AM -, Francis Augusto
Medeiros-Logeay wrote:
> Hi,
> I currently have some machines that joined a domain on Active
> Directory, and we were dealing with the challenges of renewing tickets
> beyond the TGT "renew until" limit. I realised that after version
>
On Fri, Mar 18, 2022 at 06:00:25PM -0400, Brian J. Murrell wrote:
> On my dual-stack network where some machines actually don't have IPv4
> connectivity I am finding that whatever is writing IP addresses into
> /var/lib/sss/pubconf/kdcinfo.DOMAIN is only writing the IPv4 addresses
> and not the
On Fri, Mar 04, 2022 at 10:35:34PM -, Don Drake wrote:
> Our implementation of netgroups has objects that identify groups of
> servers, the use the nisnetgrouptriple attribute where users are
> assigned without domain or server information. i.e.
> 'nisnetgrouptriple=(,USERID,)', this is
On Tue, Jan 25, 2022 at 04:30:10PM -, Rob Crittenden wrote:
> > On Mon, Jan 24, 2022 at 01:36:28PM -0500, Rob Crittenden wrote:
> >
> > Hi,
> >
> > the PAM_PERM_DENIED error is returned from the backend. Please check the
> > backend log and krb5_child.log. I agree that it looks a bit like
On Mon, Jan 24, 2022 at 01:36:28PM -0500, Rob Crittenden wrote:
> I'm trying to get a multi-threaded PAM app working to log in users using
> the 'login' service to generate client load:
>
> https://github.com/freeipa/freeipa-perftest/blob/master/src/pamtest.c
>
> The load is generated by
On Sun, Jan 09, 2022 at 04:39:14PM -0700, Orion Poplawski wrote:
> On 1/3/22 08:47, Sumit Bose wrote:
> > On Thu, Dec 30, 2021 at 07:59:22AM -0700, Orion Poplawski wrote:
> > > On 12/29/21 14:00, sssd-users@lists.fedorahosted.org wrote:
> > > >
On Thu, Dec 30, 2021 at 07:59:22AM -0700, Orion Poplawski wrote:
> On 12/29/21 14:00, sssd-users@lists.fedorahosted.org wrote:
> > On 12/29/21 13:48, sssd-users@lists.fedorahosted.org wrote:
> > > We have a particular machine that is having trouble resolving an AD group
> > > -
> > > "domain
ntication time. So
'account' and 'session' phase will trigger an update of the group
memberships as well. But SSSD has a cache (option pam_id_timeout) to
avoid that the group memberships are updated at every step.
It's a bit tricky to find the right level of technical details. I'm not
sure if
On Tue, Nov 30, 2021 at 02:24:34PM -, Robert Wagensveld wrote:
> Hi all,
>
> We've been using SSSD for a while successfully in our Kerberos over
> LDAP enterprise environment. However, our SSSD online query time,
> especially over VPN, is very poor, usually each login request or sudo
>
On Sun, Oct 10, 2021 at 06:25:08PM -0400, James Ralston wrote:
> For our on-site Linux machines, we use the sssd-ad provider to both
> map users/groups from Active Directory, and to authenticate users via
> Kerberos. It works fantastically well, to the point where we have
> absolutely no desire
> > instructions. Using a RHEL7 test box since it's what a fellow engineer had
> > handy. Using the build instructions.
> > https://sssd.io/contrib/building-sssd.html
> >
> > It was an epic fail, even when I installed and enabled the devtoolset-9
> > SCL. I
per-easy for us to determine if it's fixed or not. Previously
> 'sssctl domain-list' only showed the 5 trusted domains. Now with this new
> sssd version (~July), 'sssctl domain-list' shows the expected 5 trusted
> domains and the 14 untrusted domains.
>
> Spike
>
> On Fri, Oct 8, 2021
d domains. My WIP branch is at
https://github.com/sumit-bose/sssd/tree/ad_filter_domains. Can you do a
test build of SSSD based on this or shall I try to create a test build
for you? For the latter, please tell me for which platform.
bye,
Sumit
>
>
> There are at least tw
On Thu, Sep 30, 2021 at 03:41:12PM -, Kurt Stine wrote:
> I was told this would be a better place than github issues.
>
> We're moving from an ldap environment to an AD environment. This means we
> have a large amount of users who are still linked with their original ldap
> UIDs.
On Tue, Sep 28, 2021 at 03:18:06PM -0500, Spike White wrote:
> All,
>
> We took Sumit’s advice and enabled sssd’s debug level 7 on the “domain”
> section of sssd.conf. On about 2300 non-prod Linux servers.
>
> FYI – beware if you do this! We found occurrences where that
>
On Thu, Sep 16, 2021 at 12:22:57PM -0500, Patrick Goetz wrote:
> There was a discussion on another list involving how to use sssd for
> authentication on an HPC cluster, and the issue of auto_private_groups came
> up.
>
> I realized I have no idea how this works. I know sssd keeps the GID
>
> only). Debug level 7 is min level to get verbose output from adcli
> update. We know that turning on debug level 9 on all sssd stanzas (nss,
> pam, ifp, [domain/xxx]) fills /var/log filesystem to 100% in a few days.
>
> Spike
>
> On Tue, Sep 7, 2021 at 9:53 AM Patrick Goet
keytab file.
>
>
> This sure seems similar to the Kerberos kpasswd UDP problem. But it's not
> -- krb5-libs quit using UDP for kpasswd after RHEL6/OL6.
>
>
> We know how to remediate when we hit such a candidate. adcli update with
> the valid user principal and valid log
On Thu, Sep 02, 2021 at 10:02:54AM -0500, Patrick Goetz wrote:
>
> On 9/2/21 12:49 AM, Sumit Bose wrote:
> > The reason is that 'kinit -k' constructs the principal by calling
> > gethostname() or similar, adding the 'host/' prefix and the realm. But
> > by default this
On Sun, Sep 05, 2021 at 12:56:28PM -0500, Spike White wrote:
> SOLVED: find automount maps in non-local AD domain.
>
> All,
>
> We solved this a couple of months ago; just took a while to get time to
> write it up. We have automounts in our AD domains and autofs finds them.
>
> By default,
bu100.amer.dell@amer.company.com
> >
> > Valid starting Expires Service principal
> > 09/01/2021 11:04:16 09/01/2021 21:04:16 krbtgt/
> > amer.dell@amer.company.com
> > renew until 09/08/2021 11:04:16
> > [root
On Tue, Aug 31, 2021 at 09:53:01PM +0200, Alexey Tikhonov wrote:
> On Tue, Aug 31, 2021 at 6:47 PM Spike White wrote:
>
> > All,
> >
> > OK we have a query we run in AD for machine account passwords for a
> > certain age. In today's run, 31 - 32 days. Then we verify it's pingable.
> >
> > We
On Wed, Aug 25, 2021 at 10:32:58AM -0500, Spike White wrote:
> Sssd experts,
>
> *Short summary: * How can we troubleshoot sssd’s ‘Automatic Kerberos Host
> Keytab Renewal’ process? We have ~0.4% of our Linux servers dropping
> off the AD domain monthly.
>
> *Longer explanation:*
>
> Over
On Thu, Aug 19, 2021 at 03:20:39PM -, iulian roman wrote:
> Hello,
>
> I try to configure some old sssd clients to connect to IPA server
> which does use AD and views. Is there any documentation which points
> which ldap_* related variables need to be configured in sssd.conf in
> order to
On Thu, Aug 12, 2021 at 02:55:17PM -, Jovan Quinones-Morales wrote:
> Hello!
>
> I put the pac option in the sssd config which seemed to help in the logs and
> in the long run. Although taking a look at the domain logs I have this. The
> main issue with "Server not found in kerberos
On Tue, Aug 10, 2021 at 03:49:34PM -0400, Jovan Quinones-Morales wrote:
> Hello!
>
> I am looking at some errors that I have been seeing in some logs specific
> to but not limited to RHEL/CentOS 7.x 8.x and Rocky 8.x (SSSD version
> - sssd-2.4.0-9.el8_4.1.x86_64). All systems are attached to a
On Tue, Jun 22, 2021 at 03:22:33PM -, iulian roman wrote:
> quick update regarding the GID override. If I override the GID (and
> the group name does not exist in AD for that GID) , I can make the
Hi,
yes, it is required that the GID can be resolved to a name, so there
either must be a
On Fri, Jun 18, 2021 at 07:55:32PM -, iulian roman wrote:
> > On Fri, Jun 18, 2021 at 01:16:30PM -, iulian roman wrote:
> >
> > Hi,
> >
> > if you do not want to send them here, feel free to send them to me
> > directly.
> >
> Hi Sumit,
>
> I have sent the logs to your email. They
On Fri, Jun 18, 2021 at 01:16:30PM -, iulian roman wrote:
> Where can I upload the logs?
Hi,
if you do not want to send them here, feel free to send them to me
directly.
bye,
Sumit
> ___
> sssd-users mailing list --
On Fri, Jun 18, 2021 at 07:56:04AM -, iulian roman wrote:
> Hi Sumit,
>
> Thank you for the answer. The same setup works without issues on all
> Ubuntu 18.04 systems with sssd 1.16.1. I overwrite only the UID and
> the primary gid is generated automatically by IPA (a long number).
> The
On Thu, Jun 17, 2021 at 01:59:13PM -, iulian roman wrote:
> Hello everybody,
>
> I have an issue with listing the AD users part of Default Trust View (all
> users have the uid overridden ) from an ipa client which is running sssd
> 2.2.3. The same setup works properly on Ubuntu systems
On Mon, Jun 14, 2021 at 03:29:17PM -0500, Patrick Goetz wrote:
> Hi -
>
> We've been setting up Ubuntu 18.04/20.04 systems which use sssd for
> authentication as part of a Windows AD domain.
>
> Because users ssh to these machines I've been assigning them easy to
> remember hostnames (e.g.
On Mon, May 24, 2021 at 08:51:14AM -, Gary Letth wrote:
> Hi Sumit
> I followed your instructions to the letter and managed to log on with a smart
> card twice. Then on the third attempt it failed. This is what the
> krb5_child.log looks like:
Hi,
the first two requests use the KDC/AD DC
On Fri, May 21, 2021 at 11:29:54AM -, Gary Letth wrote:
> The SAN in the certificate contains the UPN of the user. What would the
> maprule look like then?
Hi,
please check the entry for subject_principal in man sss-certmap. A
typical example for AD would be
On Wed, May 12, 2021 at 09:35:29AM -, Gary Letth wrote:
> So I installed the krb5-pkinit package and added the following lines to
> sssd.conf:
> [sssd]
> certificate_verification = no_verification
>
> [domain/x.x.net]
> krb5_use_enterprise_principal = true <- Recommendation from
required pam_mkhomedir.so
> skel=/etc/skel/ umask=0022
> session required pam_limits.so
> session required pam_unix.so
> session optional pam_sss.so
> session optional pam_permit.so
>
>
> -
> Pawel
>
>
On Tue, May 11, 2021 at 02:46:39PM +0200, Paweł Szafer wrote:
> Hi again,
>
> Last week I had to change my sssd.conf to ldap_sasl_mech=GSSAPI.
> SSSD is 2.4.2 on Arch Linux.
> Don't know if it is related but now I can't change password with this
> machine (last time it was working in February).
On Thu, May 06, 2021 at 07:29:06PM -, Gary Letth wrote:
> After entering the correct pin for the card, this is an anonymized version of
> krb5_child.log:
> (2021-05-06 16:27:42): [krb5_child[598307]] [main] (0x0400): krb5_child
> started.
> (2021-05-06 16:27:42): [krb5_child[598307]]
On Thu, May 06, 2021 at 05:09:47PM +0200, Paweł Szafer wrote:
> Hi,
>
> I had to add
>
> ldap_sasl_mech=GSSAPI
>
> to domain part of my sssd.conf
> But honestly I don't understand why SPNEGO is not working, any ideas?
Hi,
if it was working before it looks like SPNEGO support got lost on your
On Thu, May 06, 2021 at 09:59:45AM +0200, Paweł Szafer wrote:
> Hello,
>
> Today morning I had a bad surprise. Suddenly I cannot login anymore to my
> PC.
> My OS is Arch based, with SSSD 2.4.2, updated yesterday (it was working
> after update, last login occurred around 7pm 05.05.2021, today
On Wed, May 05, 2021 at 09:45:27AM -, Gary Letth wrote:
> I'm trying to figure out how to get smartcard-authentication working
> in RHEL 8.3 when the computer is joined to an active directory domain.
> So far I've managed to configure local authentication using a smart
> card by mapping a
On Wed, May 05, 2021 at 07:34:18PM +, Patrick Riehecky wrote:
> I believe DES is not even compiled into krb5-utils on 8.3
>
> Pat
>
> On Wed, 2021-05-05 at 21:27 +0200, Jeremy Monnet wrote:
> > Hello,
> >
> > We upgraded today a RHEL 7.9 to RHEL8.3. We encounter now that error
> > KDC has
On Tue, May 04, 2021 at 11:58:56AM -0500, Spike White wrote:
> sssd experts,
>
> With an AD backend, by default the AD provider sets case_sensitive ==
> False. This has the desired action of lower-casing user names. (and group
> names). But not home directories.
>
> How can we similarly
On Mon, Apr 26, 2021 at 04:20:57AM -, Ash Ryder wrote:
> Hello Guys,
>
> I am having a bit of trouble keeping the krb5kdc service up for longer than
> 10mins. I have just installed Free IPA on our windows domain and can
> authenticate when the service is up to the IPA server with my
On Thu, Apr 15, 2021 at 09:41:41PM +0530, Jaya Chandra wrote:
> I’m receiving System Error (4) in the authentication log
>
> with kerberos and sssd.
>
> Can anybody help.
Hi,
please check https://sssd.io/docs/users/troubleshooting.html about how
to enable debugging on the SSSD side.
bye,
On Tue, Apr 13, 2021 at 03:27:10PM -, Sylvain CROUET wrote:
> Hi,
>
> I joined a Ubuntu 20.04 server to a Windows domain, but I am stuck with the
> following errors in the /var/log/sssd_domain.log file:
> (Tue Apr 13 15:07:38 2021) [sssd[be[my_domain]]] [resolv_gethostbyname_done]
>
On Sun, Mar 21, 2021 at 08:06:46PM -0400, James Ralston wrote:
> On Sun, Mar 21, 2021 at 4:24 PM Spike White wrote:
>
> > If we limit our KRB5 encryption algorithms to only strong cyphers
> > (AES128 and AES256), would that thwart the above SSSD attack?
>
> No.
>
> The fundamental issue is
On Mon, Mar 08, 2021 at 07:25:13PM +0200, Rudi Dayan wrote:
> Hello,
>
>
>
> I am sending you a mail again with more details and all the logs you asked, I
> hope now it will be clearer.
>
>
>
> I would like to implement smartcard authentication to Microsoft AD with sssd
> on
> Ubuntu
:
>
> > Thanks for the response!
> >
> > Commenting out "udp_preference_limit" doesn't change anything
> > unfortunately...
> > I will rebuild sssd from source, so I can get more meaningful logs.
> >
> > -
> > Pawel
> >
> >
>
On Fri, Feb 26, 2021 at 11:47:34AM +0100, Heiko Schlittermann wrote:
> Hi,
Hi,
please see my reply on sssd-devel.
bye,
Sumit
>
> I sent this to sssd-devel already, but probably it was the wrong
> channel, so I'm trying it here.
>
> I'm using Dovecot with its "passwd" userdb, which effectively
s - one
> version contains
>
> library-version=68.0
>
> and the other has
>
> library-version=6.8
>
>
> Could that be the problem?
>
>
> //Adam
>
>
>
> From: Sumit Bose
> Sent: 22 February 2021 14:38
On Mon, Feb 22, 2021 at 07:17:34AM +, Winberg Adam wrote:
> We're using a third party shared library for communication with our
> smartcards, using RHEL 8.3. SSSD uses p11 to communicate with the cards, this
> works fine.
>
>
> But, when I update the third party lib file to a new version,
On Tue, Feb 16, 2021 at 10:48:30AM -0600, Anthony Joseph Messina wrote:
> After upgrading to sssd-2.4.1-1.fc33.x86_64, I began seeing the following in
> my sssd_be log:
>
> Bug: Trying to get hostent from a name-less server
> Server without name and address found in list.
Hi,
I think this is
On Tue, Feb 16, 2021 at 03:46:38PM +0100, Paweł Szafer wrote:
> Hi again,
> I installed Centos 8 to test if warning is working and on Centos it is
> working properly.
>
> In Arch I never get line with check "sss_krb5_expire_callback_func"
>
> Here are logs and config compared:
>
On Mon, Feb 15, 2021 at 01:36:09PM +1100, Lachlan Simpson wrote:
> Hi,
>
> I'm having trouble getting results with IPA and SSSD, so I'm starting from
> first principles.
>
> Running on RHEL 8.3, I have an IPA server (idm) and a test client (idm-test),
> with one way trusts to the company AD -
On Thu, Feb 11, 2021 at 06:47:46PM +0100, Paweł Szafer wrote:
> Hi,
> I want to warn users when password expiration days are less than 14 days.
>
> I have GPO Default domain policy with this number of days.
> I have sssd.conf as:
Hi,
although you define the password policy in AD with GPOs SSSD
On Thu, Feb 11, 2021 at 11:56:21AM +0200, Rudi Dayan wrote:
> Hello,
>
>
>
> I am using the email because it's easier to send attachments here.
>
> I separated the log to the section before the terminal ask the user password,
> and the section after enter the domain password.
Hi,
can you
On Tue, Jan 26, 2021 at 11:53:21AM -, Rudi Dayan wrote:
> Hi,
>
> Thank you for your quick response but I'm not pretty sure what do you mean.
> Anyway, the log that I attached is from the su command but this case also
> happens on the login screen.
Hi,
would it be possible to send all SSSD
On Mon, Jan 25, 2021 at 04:25:55PM -, Rudi Dayan wrote:
> Hello,
>
> I would like to implement smartcard authentication to Microsoft AD with sssd
> on Ubuntu 20.04 LTS.
> I am able to login to AD with a password but when I try to use a smartcard,
> after a minute of timeout the password
On Fri, Jan 15, 2021 at 01:45:33PM +0100, mbalembo wrote:
> Hello,
>
>
> I have trouble obtaining a kerberos ticket when logging in with sssd.
>
> in /var/log/sssd/krb5_child.log i get the line :
> [[sssd[krb5_child[9521 [unpack_buffer] (0x0100): cmd [241] uid [10007]
> gid [1] validate