[SSSD-users] Re: sssd-ldap using id_provider=files and auth_provider=ldap

2024-04-29 Thread Sumit Bose
he filter to make sure that only the expected type of objects are returned. HTH bye, Sumit > > > On 2024/04/29 19:55, Sumit Bose wrote: > > > > Hi, > > > > my first guess would be that the `uid=search_id` object does not have > > the permissions to re

[SSSD-users] Re: sssd-ldap using id_provider=files and auth_provider=ldap

2024-04-29 Thread Sumit Bose
On Mon, Apr 29, 2024 at 03:25:49PM +0900, koson...@me.com wrote: > Hi, > I am trying to authenticate a user on a server (Rocky Linux release 8.9) > using the combination of id_provider=files and auth_provider=ldap since our > organization's LDAP server does not have a posixAccount object class.

[SSSD-users] Re: Cannot unlock screen with different smart card

2024-04-09 Thread Sumit Bose
On Mon, Apr 08, 2024 at 09:45:08PM -0600, Orion Poplawski wrote: > It seems like one cannot unlock the screen with a different smart card than > the one that was used to log into the session, or at least one with a > different token id, even though they resolve to the same user (of course). > >

[SSSD-users] Re: Undocumented ldap_sasl_authid feature causing sssd to succeed?

2024-01-31 Thread Sumit Bose
; keytab. Requested ewfk, found host/client.samba.test > [sdap_set_sasl_options] (0x0080): Configured SASL realm not found in > keytab. Requested FWEF.ED, found SAMBA.TEST > > Have I stated that all correctly? Hi, yes bye, Sumit > > Spike > > On Wed, Jan 31, 2024 at 8

[SSSD-users] Re: Integrate DMZ clients (sssd) to Active Directory through proxy

2024-01-31 Thread Sumit Bose
On Sun, Jan 28, 2024 at 08:30:24PM +0100, Horváth Szabolcs wrote: > Hi, > > I'd like to integrate our servers sitting in DMZ to Active Directory > (domain controllers are located inside), without direct network connection > between the parties. > The security policy says we have to use some kind

[SSSD-users] Re: Undocumented ldap_sasl_authid feature causing sssd to succeed?

2024-01-31 Thread Sumit Bose
On Mon, Jan 22, 2024 at 03:08:30PM -0600, Spike White wrote: > All, > > > We’re auditing for successful & healthy AD join of our 32K+ servers. Our > check is basically this: > > > AUTHID=$(grep ldap_sasl_authid /etc/sssd/sssd.conf | awk '{print $3}') > > [[ $AUTHID != host/* ]] &&

[SSSD-users] Re: Preserving kerberos tickets stored in KCM when sudo'ing

2023-10-04 Thread Sumit Bose
On Wed, Oct 04, 2023 at 10:28:00AM +0200, Francis Augusto Medeiros-Logeay wrote: > > > > On Oct 4, 2023, at 00:07, Lukas Slebodnik wrote: > > > > On (03/10/23 21:15), Francis Augusto Medeiros-Logeay wrote: > >> Hi, > >> > >> We had a mechanism to allow users to mount their directory by

[SSSD-users] Re: IdM/IPA id: no such user

2023-09-19 Thread Sumit Bose
On Mon, Sep 18, 2023 at 07:04:16PM -, Jeremy Tourville wrote: > We are running IPA ver. 4.9.11 > > We have noted that several client machines are unable to login. When running > the id command we get "id: 'user_whoever': no such user. > > When testing the id command on our IPA server for

[SSSD-users] Re: sssd-pac.service fails to start after Debian 12 upgrade (fatal error setting up backend connector)

2023-06-15 Thread Sumit Bose
On Wed, Jun 14, 2023 at 03:45:53PM +0200, Adam Cecile wrote: > On 6/14/23 15:42, Striker Leggette wrote: > > On 6/14/23 09:35, Adam Cecile wrote: > > > (2023-06-14 15:21:20): [pac] [sbus_dbus_request_name] (0x0020): > > > Unable to > > > request name on the system bus [3] > > This seems to be

[SSSD-users] Re: Frequently disconnected from domain

2023-05-17 Thread Sumit Bose
> admin_server = FILE:/var/log/kadmind.log > > [libdefaults] > default_realm = AD.ADMIN > dns_lookup_realm = false > dns_lookup_kdc = true > ticket_lifetime = 24h > renew_lifetime = 7d > forwardable = true > ``` > > Regards > Sachin Kumar >

[SSSD-users] Re: Frequently disconnected from domain

2023-05-03 Thread Sumit Bose
On Wed, May 03, 2023 at 12:17:31PM +0530, Sac Isilia wrote: > Hi Team, > > We are using sssd in our environment for authentication of AD users. But it > disconnects from domain for unknown reasons. > > Can someone help if there is some best practice or script that > automatically rejoins the

[SSSD-users] Re: SSSD and NSS problem with gid resolution with two domains (freeipa + Active Directory)

2023-05-02 Thread Sumit Bose
On Tue, May 02, 2023 at 06:47:21AM -, David Serrano Amarelle wrote: > Hi Sumit, > > Thanks a lot for your help. > > About: > > > if I understand it correctly there are groups in AD with GIDs 102242 and > > 100327 and there are objects (users or groups) in IPA which are using the > > same

[SSSD-users] Re: SSSD and NSS problem with gid resolution with two domains (freeipa + Active Directory)

2023-05-01 Thread Sumit Bose
On Mon, May 01, 2023 at 11:16:00AM -, David Serrano Amarelle wrote: > > First, I would like to appreciate all the help you could provide me. I have > an issue with sssd and nss that I don't still understand quite well... > > The point is that I have configured some servers with 2 active

[SSSD-users] Re: SSSD conf - ldap_default_authtok and ldap_backup_uri

2023-03-13 Thread Sumit Bose
On Mon, Mar 13, 2023 at 10:34:43AM -, Hristina Marosevic wrote: > Hello, > > Since I can not find relevant information on web about this I would like to > ask you about my current issue. > In my SSSD configuration I have two LDAP URIs, one defined as value of > ldap_uri and other defined

[SSSD-users] Re: What are adcli testjoin and sssd doing for us? How do we equivalently kinit -k?

2023-03-02 Thread Sumit Bose
On Thu, Mar 02, 2023 at 01:51:47PM -0600, Spike White wrote: > All, > > We are surveying our ecosystem of Linux servers, trying to slowly eradicate > the weak rc4 encryption from AD. (Our AD team has done all the legwork; > plus we’ve tested and we’re certain that rc4 is not required for

[SSSD-users] Re: LDAP/Yubikey PIV authentication problems

2023-01-13 Thread Sumit Bose
On Fri, Jan 13, 2023 at 01:41:28PM -, Bill McGrory wrote: > Hello, > I am looking for clues on how to debug a problem with my configuration for > using LDAP and Yubikey PIV authentication. > I have successfully gotten my sssd config to recognize my ldap server, and > can authenticate and

[SSSD-users] Re: Does sssd support direct integration to AzureAD?

2023-01-05 Thread Sumit Bose
On Thu, Jan 05, 2023 at 11:03:55AM -0600, Spike White wrote: > All, > > Our org uses sssd for direct integration to our corp AD forest, which has > the std MS schema extension (RFC 2307bis IIRC). > > Currently, we have some Windows builds running in the Azure cloud, > integrated via AzureAD.

[SSSD-users] Re: Issues using NSS_TACPLUS in Fedora 36's replacement of NSCD with SSSD

2022-12-21 Thread Sumit Bose
On Tue, Dec 20, 2022 at 07:14:42PM -0600, Sundar Vadivelu wrote: > Hi all, > I am working on a system which does TACACS+ authentication of users with > pam_tacplus and nss_tacplus libraries > nss_tacplus: https://github.com/benschumacher/nss_tacplus > pam_tacplus:

[SSSD-users] Re: missing secondary groups that have Global scope

2022-12-21 Thread Sumit Bose
On Tue, Dec 20, 2022 at 06:55:58PM -, Jeffrey Chung wrote: > Hello all. We’re noticing an issue where at times the id command does not > return a complete list of the user’s secondary groups. In our Linux > environment we use both Universal and Global groups and it’s always only the >

[SSSD-users] Re: New sssd-related message this week in /var/log/messages

2022-12-14 Thread Sumit Bose
On Wed, Dec 14, 2022 at 07:52:38PM +, Christian, Mark wrote: > On Wed, 2022-12-14 at 13:00 -0600, Spike White wrote: > > Sssd experts, > > We have been running sssd to AD integrate to a cross-domain AD forest > > for ~2 years now.  With RHEL 7, 8 and (now) 9 servers.  Has worked > > great. >

[SSSD-users] Re: sssd.conf for single ldap id_provider across 2 or more krb5 auth_providers.

2022-12-07 Thread Sumit Bose
On Thu, Dec 08, 2022 at 01:15:51AM +, Christian, Mark wrote: > On Thu, 2022-12-08 at 00:32 +, Christian, Mark wrote: > > I have a single ldap instance that provides ID for accounts across > > multiple trusted kerberos realms.  I don't see a way to list multiple > > kerberos REALMS under a

[SSSD-users] Re: CentOS 7, SSSD against LDAP: finds user but will not log them in, "Authentication failure" when trying to su

2022-12-07 Thread Sumit Bose
b cb 11 bb 5f-7f 71 ba eb 15 1e 1e 70 .U._.q.p > 00c0 - 36 3e 9d ce 42 2c 60 6d-d0 7f de 60 4a a9 80 da 6>..B,`m...`J... > > Start Time: 1670399902 > Timeout : 7200 (sec) > Verify return code: 0 (ok) > Extended master secret: no > Max

[SSSD-users] Re: CentOS 7, SSSD against LDAP: finds user but will not log them in, "Authentication failure" when trying to su

2022-12-06 Thread Sumit Bose
On Tue, Dec 06, 2022 at 05:14:34PM -0600, Jarett DeAngelis wrote: > Hi, > > I am trying to get SSSD to authenticate against an OpenLDAP directory. I have > "debug_level" turned up to 10 but have not been able to figure out what the > problem is based on the log. > > On an Ubuntu 22.04 system

[SSSD-users] Re: AD joined machine with different suffix

2022-11-24 Thread Sumit Bose
On Thu, Nov 24, 2022 at 09:10:29AM -, Erdem YANIK wrote: > Hello, I've been struggling for 4 days and according to the information I > have stated below, I cannot access the linux operating system joined in AD to > users with different suffixes. > What kind of config should I make, can you

[SSSD-users] Re: Can't authenticate using RHEL 8.7 on AD

2022-11-23 Thread Sumit Bose
On Wed, Nov 23, 2022 at 03:55:25PM +0100, Francis Augusto Medeiros-Logeay wrote: ... > >> > >> Here it is: > >> > >> userPrincipalName: francis > > > > Hi, > > > > ok, this explains the failure. It is expected that the attribute value > > is 'n...@domain.name', see e.g. > >

[SSSD-users] Re: Can't authenticate using RHEL 8.7 on AD

2022-11-23 Thread Sumit Bose
On Wed, Nov 23, 2022 at 11:19:25AM +0100, Francis Augusto Medeiros-Logeay wrote: > > > > On 23 Nov 2022, at 07:19, Sumit Bose wrote: > > > > On Tue, Nov 22, 2022 at 08:10:26PM +0100, Francis Augusto > > Medeiros-Logeay wrote: > >> > >

[SSSD-users] Re: Can't authenticate using RHEL 8.7 on AD

2022-11-22 Thread Sumit Bose
On Tue, Nov 22, 2022 at 08:10:26PM +0100, Francis Augusto Medeiros-Logeay wrote: > > ... > > > > Hi, > > > > would it be possible to send me debug logs with 'debug_level = 9' in the > > [domain/...] and [pac] sections of sssd.conf where neither > > ldap_user_principal nor 'krb5_validate =

[SSSD-users] Re: Can't authenticate using RHEL 8.7 on AD

2022-11-22 Thread Sumit Bose
On Tue, Nov 22, 2022 at 03:29:18PM +0100, Francis Augusto Medeiros-Logeay wrote: > > > > On 22 Nov 2022, at 15:22, Sumit Bose wrote: > > > > On Tue, Nov 22, 2022 at 02:21:13PM +0100, Francis Augusto > > Medeiros-Logeay wrote: > >> Hi, > >>

[SSSD-users] Re: Can't authenticate using RHEL 8.7 on AD

2022-11-22 Thread Sumit Bose
On Tue, Nov 22, 2022 at 02:21:13PM +0100, Francis Augusto Medeiros-Logeay wrote: > Hi, > > After the latest updates coming from Red Hat on RHEL 8.7, we can't > authenticate on AD. The logs show this: > > Nov 22 14:15:53 ic-rhel8-t001.c.domain.no sshd[6275]: pam_sss(sshd:auth): > received for

[SSSD-users] Microsoft November 2022 updates breaks Active Directory integration]

2022-11-14 Thread Sumit Bose
- Forwarded message from Rob Crittenden via FreeIPA-users - Date: Mon, 14 Nov 2022 10:19:15 -0500 From: Rob Crittenden via FreeIPA-users To: FreeIPA users list Cc: Rob Crittenden Subject: [Freeipa-users] Microsoft November 2022 updates breaks Active Directory

[SSSD-users] Re: authentication to an intentionally "broken" LDAP server

2022-08-26 Thread Sumit Bose
e way SSSD is written "can't" ignore all these > extraneous things it checks for, do you (or anyone else) know of a way to > auth + create users from SAML logins? Those are easy/free for us to set up. > > Thanks, > J > > > On Aug 22, 2022, at 1:07 AM, Sumit Bose

[SSSD-users] Re: authentication to an intentionally "broken" LDAP server

2022-08-22 Thread Sumit Bose
On Sun, Aug 21, 2022 at 01:24:29AM -, Jarett DeAngelis wrote: > Hi everyone, > > I am trying to get SSSD to auth against an LDAP service provided by an IAM > SaaS company that goes out of its way to make its LDAP interface as minimal > as possible. All I want SSSD to do is check usernames

[SSSD-users] Re: SSSD-users: querying GPO list

2022-06-27 Thread Sumit Bose
On Thu, Jun 23, 2022 at 04:49:34PM +0200, Alexey Tikhonov wrote: > On Thu, Jun 23, 2022 at 3:19 PM Fisher, Philip wrote: > > > Hello SSSD people > > > > Is there a way to run (on RHEL 8 specifically) a command or query > > information so that a logged in (authorised) user can see the GPOs that

[SSSD-users] Re: AD site discovery with IPA provider

2022-06-24 Thread Sumit Bose
On Thu, Jun 23, 2022 at 10:24:33AM -0600, Orion Poplawski wrote: > The docs seem a little unclear to me on this. They note that when using the > AD provider sssd will perform site discovery to find the closest AD > controller. But what about when using the IPA provider? It seems to me like >

[SSSD-users] Re: sshkey use allows expired account user to access system

2022-06-02 Thread Sumit Bose
On Thu, Jun 02, 2022 at 05:17:12PM -0400, Jim Kinney wrote: > I have set krbPrincipalExpiration but it's not referenced as far as I can > tell. That setting will block use of a password which is why I was thinking a > pam setting change for sshd would pull it in. But password in pam uses the >

[SSSD-users] Re: ldap_access_filter not active

2022-05-10 Thread Sumit Bose
dk,cn=sysdb] > > (Tue May 10 07:43:02 2022) [be[domain.dk]] [sysdb_set_entry_attr] > > (0x0200): Entry [name=b...@domain.dk,cn=users,cn=domain.dk,cn=sysdb] has > > set [cache, ts_cache] attrs. > > (Tue May 10 07:43:02 2022) [be[domain.dk]] [sdap_access_done] (0x0400): >

[SSSD-users] Re: ldap_access_filter not active

2022-05-09 Thread Sumit Bose
On Mon, May 09, 2022 at 01:54:00PM +0200, Bo Riis Toelberg Kristensen wrote: > Hi > > I'm trying to authenticate users based on group membership in our Google > LDAP directory. > I can authenticate just fine without the 'ldap_access_filter' but when I > enable it they still authenticate even

[SSSD-users] Re: Using pam_sss to force the retrieval of a new TGT

2022-04-13 Thread Sumit Bose
On Thu, Apr 07, 2022 at 08:19:47PM +0200, Francis Augusto Medeiros-Logeay wrote: > > > -- > Francis Augusto Medeiros-Logeay > Oslo, Norway > > > Hi, > > > > iirc there is a special VMware PAM module which lets users pass without > > entering the password if they are already authenticated at

[SSSD-users] Re: Using pam_sss to force the retrieval of a new TGT

2022-04-07 Thread Sumit Bose
On Thu, Apr 07, 2022 at 01:34:27PM -, Francis Augusto Medeiros-Logeay wrote: > Hi, > > Having some RHEL 8 machines as vdi on a VMware Horizon desktop pool, > we see that when reconnecting to a machine, system-auth and its > pam-stack is executed (at least I think so). > Is there a way to

[SSSD-users] Re: tgt-renewal and AD

2022-03-21 Thread Sumit Bose
On Mon, Mar 21, 2022 at 12:54:19PM -, Francis Augusto Medeiros-Logeay wrote: > Hi Sumit, > > Thanks for the answer. > I hear what you are saying, but I guess you are not taking into account the > new `tgt_renewal` option that was introduced on sssd 2.5.0, which might be > able to renew

[SSSD-users] Re: tgt-renewal and AD

2022-03-21 Thread Sumit Bose
On Mon, Mar 21, 2022 at 10:55:00AM -, Francis Augusto Medeiros-Logeay wrote: > Hi, > I currently have some machines that joined a domain on Active > Directory, and we were dealing with the challenges of renewing tickets > beyond the TGT "renew until" limit. I realised that after version >

[SSSD-users] Re: Only IPv4 addresses in /var/lib/sss/pubconf/kdcinfo.DOMAIN

2022-03-19 Thread Sumit Bose
On Fri, Mar 18, 2022 at 06:00:25PM -0400, Brian J. Murrell wrote: > On my dual-stack network where some machines actually don't have IPv4 > connectivity I am finding that whatever is writing IP addresses into > /var/lib/sss/pubconf/kdcinfo.DOMAIN is only writing the IPv4 addresses > and not the

[SSSD-users] Re: LDAP servers(not AD) and nested netgroups

2022-03-08 Thread Sumit Bose
On Fri, Mar 04, 2022 at 10:35:34PM -, Don Drake wrote: > Our implementation of netgroups has objects that identify groups of > servers, they use the nisnetgrouptriple attribute where users are > assigned without domain or server information. i.e. > 'nisnetgrouptriple=(,USERID,)', this is

[SSSD-users] Re: PAM troubleshooting

2022-01-25 Thread Sumit Bose
On Tue, Jan 25, 2022 at 04:30:10PM -, Rob Crittenden wrote: > > On Mon, Jan 24, 2022 at 01:36:28PM -0500, Rob Crittenden wrote: > > > > Hi, > > > > the PAM_PERM_DENIED error is returned from the backend. Please check the > > backend log and krb5_child.log. I agree that it looks a bit like

[SSSD-users] Re: PAM troubleshooting

2022-01-24 Thread Sumit Bose
On Mon, Jan 24, 2022 at 01:36:28PM -0500, Rob Crittenden wrote: > I'm trying to get a multi-threaded PAM app working to log in users using > the 'login' service to generate client load: > > https://github.com/freeipa/freeipa-perftest/blob/master/src/pamtest.c > > The load is generated by

[SSSD-users] Re: Trouble resolving a AD group on one machine

2022-01-11 Thread Sumit Bose
On Sun, Jan 09, 2022 at 04:39:14PM -0700, Orion Poplawski wrote: > On 1/3/22 08:47, Sumit Bose wrote: > > On Thu, Dec 30, 2021 at 07:59:22AM -0700, Orion Poplawski wrote: > > > On 12/29/21 14:00, sssd-users@lists.fedorahosted.org wrote: > > > >

[SSSD-users] Re: Trouble resolving a AD group on one machine

2022-01-03 Thread Sumit Bose
On Thu, Dec 30, 2021 at 07:59:22AM -0700, Orion Poplawski wrote: > On 12/29/21 14:00, sssd-users@lists.fedorahosted.org wrote: > > On 12/29/21 13:48, sssd-users@lists.fedorahosted.org wrote: > > > We have a particular machine that is having trouble resolving an AD group > > > - > > > "domain

[SSSD-users] Re: SSSD keeps retrieving LDAP groups while online, degrading performance (no matter what settings I try)

2021-11-30 Thread Sumit Bose
ntication time. So 'account' and 'session' phase will trigger an update of the group memberships as well. But SSSD has a cache (option pam_id_timeout) to avoid that the group memberships are updated at every step. It's a bit tricky to find the right level of technical details. I'm not sure if

[SSSD-users] Re: SSSD keeps retrieving LDAP groups while online, degrading performance (no matter what settings I try)

2021-11-30 Thread Sumit Bose
On Tue, Nov 30, 2021 at 02:24:34PM -, Robert Wagensveld wrote: > Hi all, > > We've been using SSSD for a while successfully in our Kerberos over > LDAP enterprise environment. However, our SSSD online query time, > especially over VPN, is very poor, usually each login request or sudo >

[SSSD-users] Re: feasible to use sssd in mostly offline mode?

2021-10-12 Thread Sumit Bose
On Sun, Oct 10, 2021 at 06:25:08PM -0400, James Ralston wrote: > For our on-site Linux machines, we use the sssd-ad provider to both > map users/groups from Active Directory, and to authenticate users via > Kerberos. It works fantastically well, to the point where we have > absolutely no desire

[SSSD-users] Re: https://bugzilla.redhat.com/show_bug.cgi?id=1984591 not understanding the nature of the sssd bug introduced recently…

2021-10-11 Thread Sumit Bose
> > instructions. Using a RHEL7 test box since it's what a fellow engineer had > > handy. Using the build instructions. > > https://sssd.io/contrib/building-sssd.html > > > > It was an epic fail, even when I installed and enabled the devtoolset-9 > > SCL. I

[SSSD-users] Re: https://bugzilla.redhat.com/show_bug.cgi?id=1984591 not understanding the nature of the sssd bug introduced recently…

2021-10-08 Thread Sumit Bose
per-easy for us to determine if it's fixed or not. Previously > 'sssctl domain-list' only showed the 5 trusted domains. Now with this new > sssd version (~July), 'sssctl domain-list' shows the expected 5 trusted > domains and the 14 untrusted domains. > > Spike > > On Fri, Oct 8, 2021

[SSSD-users] Re: [SSSD-users]https://bugzilla.redhat.com/show_bug.cgi?id=1984591 not understanding the nature of the sssd bug introduced recently…

2021-10-08 Thread Sumit Bose
d domains. My WIP branch is at https://github.com/sumit-bose/sssd/tree/ad_filter_domains. Can you do a test build of SSSD based on this or shall I try to create a test build for you? For the latter, please tell me for which platform. bye, Sumit > > > There are at least tw

[SSSD-users] Re: Any way to auto create groups while still mapping UIDs to uidNumber?

2021-10-05 Thread Sumit Bose
On Thu, Sep 30, 2021 at 03:41:12PM -, Kurt Stine wrote: > I was told this would be a better place than github issues. > > We're moving from an ldap environment to an AD environment. This means we > have a large amount of users who are still linked with their original ldap > UIDs.

[SSSD-users] Re: Trouble-shooting sssd’s ‘Automatic Kerberos Host Keytab Renewal’ with AD back-end….

2021-09-29 Thread Sumit Bose
On Tue, Sep 28, 2021 at 03:18:06PM -0500, Spike White wrote: > All, > > We took Sumit’s advice and enabled sssd’s debug level 7 on the “domain” > section of sssd.conf. On about 2300 non-prod Linux servers. > > FYI – beware if you do this! We found occurrences where that >

[SSSD-users] Re: auto_private_groups -- How does it work?

2021-09-17 Thread Sumit Bose
On Thu, Sep 16, 2021 at 12:22:57PM -0500, Patrick Goetz wrote: > There was a discussion on another list involving how to use sssd for > authentication on an HPC cluster, and the issue of auto_private_groups came > up. > > I realized I have no idea how this works. I know sssd keeps the GID >

[SSSD-users] Re: Trouble-shooting sssd’s ‘Automatic Kerberos Host Keytab Renewal’ with AD back-end….

2021-09-07 Thread Sumit Bose
t; only). Debug level 7 is min level to get verbose output from adcli > update. We know that turning on debug level 9 on all sssd stanzas (nss, > pam, ifp, [domain/xxx]) fills /var/log filesystem to 100% in a few days. > > Spike > > On Tue, Sep 7, 2021 at 9:53 AM Patrick Goet

[SSSD-users] Re: Trouble-shooting sssd’s ‘Automatic Kerberos Host Keytab Renewal’ with AD back-end….

2021-09-06 Thread Sumit Bose
keytab file. > > > This sure seems similar to the Kerberos kpasswd UDP problem. But it's not > -- krb5-libs quit using UDP for kpasswd after RHEL6/OL6. > > > We know how to remediate when we hit such a candidate. adcli update with > the valid user principal and valid log

[SSSD-users] Re: Trouble-shooting sssd’s ‘Automatic Kerberos Host Keytab Renewal’ with AD back-end….

2021-09-06 Thread Sumit Bose
On Thu, Sep 02, 2021 at 10:02:54AM -0500, Patrick Goetz wrote: > > On 9/2/21 12:49 AM, Sumit Bose wrote: > > The reason is that 'kinit -k' constructs the principal by calling > > gethostname() or similar, adding the 'host/' prefix and the realm. But > > by default this

[SSSD-users] Re: SOLVED: automounts in non-local AD domain....

2021-09-05 Thread Sumit Bose
On Sun, Sep 05, 2021 at 12:56:28PM -0500, Spike White wrote: > SOLVED: find automount maps in non-local AD domain. > > All, > > We solved this a couple of months ago; just took a while to get time to > write it up. We have automounts in our AD domains and autofs finds them. > > By default,

[SSSD-users] Re: Trouble-shooting sssd’s ‘Automatic Kerberos Host Keytab Renewal’ with AD back-end….

2021-09-01 Thread Sumit Bose
bu100.amer.dell@amer.company.com > > > > Valid starting Expires Service principal > > 09/01/2021 11:04:16 09/01/2021 21:04:16 krbtgt/ > > amer.dell@amer.company.com > > renew until 09/08/2021 11:04:16 > > [root

[SSSD-users] Re: Trouble-shooting sssd’s ‘Automatic Kerberos Host Keytab Renewal’ with AD back-end….

2021-09-01 Thread Sumit Bose
On Tue, Aug 31, 2021 at 09:53:01PM +0200, Alexey Tikhonov wrote: > On Tue, Aug 31, 2021 at 6:47 PM Spike White wrote: > > > All, > > > > OK we have a query we run in AD for machine account passwords for a > > certain age. In today's run, 31 - 32 days. Then we verify it's pingable. > > > > We

[SSSD-users] Re: [SSSD-users]Trouble-shooting sssd’s ‘Automatic Kerberos Host Keytab Renewal’ with AD back-end….

2021-08-26 Thread Sumit Bose
On Wed, Aug 25, 2021 at 10:32:58AM -0500, Spike White wrote: > Sssd experts, > > *Short summary: * How can we troubleshoot sssd’s ‘Automatic Kerberos Host > Keytab Renewal’ process? We have ~0.4% of our Linux servers dropping > off the AD domain monthly. > > *Longer explanation:* > > Over

[SSSD-users] Re: ldap client configuration in sssd.conf to query views

2021-08-20 Thread Sumit Bose
On Thu, Aug 19, 2021 at 03:20:39PM -, iulian roman wrote: > Hello, > > I try to configure some old sssd clients to connect to IPA server > which does use AD and views. Is there any documentation which points > which ldap_* related variables need to be configured in sssd.conf in > order to

[SSSD-users] Re: Server not found in Kerberos database

2021-08-16 Thread Sumit Bose
On Thu, Aug 12, 2021 at 02:55:17PM -, Jovan Quinones-Morales wrote: > Hello! > > I put the pac option in the sssd config which seemed to help in the logs and > in the long run. Although taking a look at the domain logs I have this. The > main issue with "Server not found in kerberos

[SSSD-users] Re: Server not found in Kerberos database

2021-08-11 Thread Sumit Bose
On Tue, Aug 10, 2021 at 03:49:34PM -0400, Jovan Quinones-Morales wrote: > Hello! > > I am looking at some errors that I have been seeing in some logs specific > to but not limited to RHEL/CentOS 7.x 8.x and Rocky 8.x (SSSD version > - sssd-2.4.0-9.el8_4.1.x86_64). All systems are attached to a

[SSSD-users] Re: sssd issues with Idm Trust View

2021-06-29 Thread Sumit Bose
On Tue, Jun 22, 2021 at 03:22:33PM -, iulian roman wrote: > quick update regarding the GID override. If I override the GID (and > the group name does not exist in AD for that GID) , I can make the Hi, yes, it is required that the GID can be resolved to a name, so there either must be a

[SSSD-users] Re: sssd issues with Idm Trust View

2021-06-22 Thread Sumit Bose
On Fri, Jun 18, 2021 at 07:55:32PM -, iulian roman wrote: > > On Fri, Jun 18, 2021 at 01:16:30PM -, iulian roman wrote: > > > > Hi, > > > > if you do not want to send them here, feel free to send them to me > > directly. > > > Hi Sumit, > > I have sent the logs to your email. They

[SSSD-users] Re: sssd issues with Idm Trust View

2021-06-18 Thread Sumit Bose
On Fri, Jun 18, 2021 at 01:16:30PM -, iulian roman wrote: > Where can I upload the logs? Hi, if you do not want to send them here, feel free to send them to me directly. bye, Sumit

[SSSD-users] Re: sssd issues with Idm Trust View

2021-06-18 Thread Sumit Bose
On Fri, Jun 18, 2021 at 07:56:04AM -, iulian roman wrote: > Hi Sumit, > > Thank you for the answer. The same setup works without issues on all > Ubuntu 18.04 systems with sssd 1.16.1. I overwrite only the UID and > the primary gid is generated automatically by IPA (a long number). > The

[SSSD-users] Re: sssd issues with Idm Trust View

2021-06-18 Thread Sumit Bose
On Thu, Jun 17, 2021 at 01:59:13PM -, iulian roman wrote: > Hello everybody, > > I have an issue with listing the AD users part of Default Trust View (all > users have the uid overridden) from an ipa client which is running sssd > 2.2.3. The same setup works properly on Ubuntu systems

[SSSD-users] Re: Hostnames and failed kerberos ticket re-authorization

2021-06-15 Thread Sumit Bose
On Mon, Jun 14, 2021 at 03:29:17PM -0500, Patrick Goetz wrote: > Hi - > > We've been setting up Ubuntu 18.04/20.04 systems which use sssd for > authentication as part of a Windows AD domain. > > Because users ssh to these machines I've been assigning them easy to > remember hostnames (e.g.

[SSSD-users] Re: Smartcard active directory authentication in RHEL 8.3 workstation.

2021-05-24 Thread Sumit Bose
On Mon, May 24, 2021 at 08:51:14AM -, Gary Letth wrote: > Hi Sumit > I followed your instructions to the letter and managed to log on with a smart > card twice. Then on the third attempt it failed. This is what the > krb5_child.log looks like: Hi, the first two requests use the KDC/AD DC

[SSSD-users] Re: Smartcard active directory authentication in RHEL 8.3 workstation.

2021-05-22 Thread Sumit Bose
On Fri, May 21, 2021 at 11:29:54AM -, Gary Letth wrote: > The SAN in the certificate contains the UPN of the user. What would the > maprule look like then? Hi, please check the entry for subject_principal in man sss-certmap. A typical example for AD would be

[SSSD-users] Re: Smartcard active directory authentication in RHEL 8.3 workstation.

2021-05-12 Thread Sumit Bose
On Wed, May 12, 2021 at 09:35:29AM -, Gary Letth wrote: > So I installed the krb5-pkinit package and added the following lines to > sssd.conf: > [sssd] > certificate_verification = no_verification > > [domain/x.x.net] > krb5_use_enterprise_principal = true <- Recommendation from

[SSSD-users] Re: Passwd fails in SSSD 2.4.2

2021-05-11 Thread Sumit Bose
required pam_mkhomedir.so > skel=/etc/skel/ umask=0022 > session required pam_limits.so > session required pam_unix.so > session optional pam_sss.so > session optional pam_permit.so > > > - > Pawel > >

[SSSD-users] Re: Passwd fails in SSSD 2.4.2

2021-05-11 Thread Sumit Bose
On Tue, May 11, 2021 at 02:46:39PM +0200, Paweł Szafer wrote: > Hi again, > > Last week I had to change my sssd.conf to ldap_sasl_mech=GSSAPI. > SSSD is 2.4.2 on Arch Linux. > Don't know if it is related but now I can't change password with this > machine (last time it was working in February).

[SSSD-users] Re: Smartcard active directory authentication in RHEL 8.3 workstation.

2021-05-10 Thread Sumit Bose
On Thu, May 06, 2021 at 07:29:06PM -, Gary Letth wrote: > After entering the correct pin for the card, this is an anonymized version of > krb5_child.log: > (2021-05-06 16:27:42): [krb5_child[598307]] [main] (0x0400): krb5_child > started. > (2021-05-06 16:27:42): [krb5_child[598307]]

[SSSD-users] Re: Can't login to AD in SSSD 2.4.2 / Arch Linux

2021-05-06 Thread Sumit Bose
On Thu, May 06, 2021 at 05:09:47PM +0200, Paweł Szafer wrote: > Hi, > > I had to add > > ldap_sasl_mech=GSSAPI > > to domain part of my sssd.conf > But honestly I don't understand why SPNEGO is not working, any ideas? Hi, if it was working before it looks like SPNEGO support got lost on your

[SSSD-users] Re: Can't login to AD in SSSD 2.4.2 / Arch Linux

2021-05-06 Thread Sumit Bose
On Thu, May 06, 2021 at 09:59:45AM +0200, Paweł Szafer wrote: > Hello, > > Today morning I had a bad surprise. Suddenly I cannot login anymore to my > PC. > My OS is Arch based, with SSSD 2.4.2, updated yesterday (it was working > after update, last login occurred around 7pm 05.05.2021, today

[SSSD-users] Re: Smartcard active directory authentication in RHEL 8.3 workstation.

2021-05-06 Thread Sumit Bose
On Wed, May 05, 2021 at 09:45:27AM -, Gary Letth wrote: > I'm trying to figure out how to get smartcard-authentication working > in RHEL 8.3 when the computer is joined to an active directory domain. > So far I've managed to configure local authentication using a smart > card by mapping a

[SSSD-users] Re: RHEL 8.3 KDC has no support for encryption type

2021-05-05 Thread Sumit Bose
On Wed, May 05, 2021 at 07:34:18PM +, Patrick Riehecky wrote: > I believe DES is not even compiled into krb5-utils on 8.3 > > Pat > > On Wed, 2021-05-05 at 21:27 +0200, Jeremy Monnet wrote: > > Hello, > > > > We upgraded today a RHEL 7.9 to RHEL8.3. We encounter now that error > > KDC has

[SSSD-users] Re: How to lower case home dirs in sssd with AD as a backend?

2021-05-04 Thread Sumit Bose
On Tue, May 04, 2021 at 11:58:56AM -0500, Spike White wrote: > sssd experts, > > With an AD backend, by default the AD provider sets case_sensitive == > False. This has the desired action of lower-casing user names. (and group > names). But not home directories. > > How can we similarly

[SSSD-users] Re: KRb5KDC Service starts but stops shortly

2021-04-25 Thread Sumit Bose
On Mon, Apr 26, 2021 at 04:20:57AM -, Ash Ryder wrote: > Hello Guys, > > I am having a bit of trouble keeping the krb5kdc service up for longer than > 10 mins. I have just installed FreeIPA on our Windows domain and can > authenticate when the service is up to the IPA server with my

[SSSD-users] Re: Hii

2021-04-19 Thread Sumit Bose
On Thu, Apr 15, 2021 at 09:41:41PM +0530, Jaya Chandra wrote: > I’m receiving System Error (4) in the authentication log > > with Kerberos and sssd. > > Can anybody help? Hi, please check https://sssd.io/docs/users/troubleshooting.html about how to enable debugging on the SSSD side. bye,

[SSSD-users] Re: [resolv_gethostbyname_done] (0x0040): querying hosts database failed [5]: Input/output error

2021-04-19 Thread Sumit Bose
On Tue, Apr 13, 2021 at 03:27:10PM -, Sylvain CROUET wrote: > Hi, > > I joined an Ubuntu 20.04 server to a Windows domain, but I am stuck with the > following errors in the /var/log/sssd_domain.log file: > (Tue Apr 13 15:07:38 2021) [sssd[be[my_domain]]] [resolv_gethostbyname_done] >

[SSSD-users] Re: Is this still a security problem to be concerned about?

2021-03-23 Thread Sumit Bose
On Sun, Mar 21, 2021 at 08:06:46PM -0400, James Ralston wrote: > On Sun, Mar 21, 2021 at 4:24 PM Spike White wrote: > > > If we limit our KRB5 encryption algorithms to only strong cyphers > > (AES128 and AES256), would that thwart the above SSSD attack? > > No. > > The fundamental issue is

[SSSD-users] Re: Can't login with smartcard

2021-03-11 Thread Sumit Bose
On Mon, Mar 08, 2021 at 07:25:13PM +0200, Rudi Dayan wrote: > Hello, > > > > I am sending you a mail again with more details and all the logs you asked, I > hope now it will be clearer. > > > > I would like to implement smartcard authentication to Microsoft AD with sssd > on > Ubuntu

[SSSD-users] Re: Password expiration in AD with SSSD

2021-03-02 Thread Sumit Bose
: > > > Thanks for the response! > > > > Commenting out "udp_preference_limit" doesn't change anything > > unfortunately... > > I will rebuild sssd from source, so I can get more meaningful logs. > > > > - > > Pawel > > > > >

[SSSD-users] Re: [h...@schlittermann.de: sssd nss: issues with applications not using endpwent()]

2021-03-01 Thread Sumit Bose
On Fri, Feb 26, 2021 at 11:47:34AM +0100, Heiko Schlittermann wrote: > Hi, Hi, please see my reply on sssd-devel. bye, Sumit > > I sent this to sssd-devel already, but probably it was the wrong > channel, so I'm trying it here. > > I'm using Dovecot with its "passwd" userdb, which effectively

[SSSD-users] Re: session unlock with smartcard stops working when updating shared library

2021-02-23 Thread Sumit Bose
s - one > version contains > > library-version=68.0 > > and the other has > > library-version=6.8 > > > Could that be the problem? > > > //Adam > > > > From: Sumit Bose > Sent: 22 February 2021 14:38 >

[SSSD-users] Re: session unlock with smartcard stops working when updating shared library

2021-02-22 Thread Sumit Bose
On Mon, Feb 22, 2021 at 07:17:34AM +, Winberg Adam wrote: > We're using a third party shared library for communication with our > smartcards, using RHEL 8.3. SSSD uses p11 to communicate with the cards, this > works fine. > > > But, when I update the third party lib file to a new version,

[SSSD-users] Re: Bug: Trying to get hostent from a name-less server / Server without name and address found in list.

2021-02-16 Thread Sumit Bose
On Tue, Feb 16, 2021 at 10:48:30AM -0600, Anthony Joseph Messina wrote: > After upgrading to sssd-2.4.1-1.fc33.x86_64, I began seeing the following in > my sssd_be log: > > Bug: Trying to get hostent from a name-less server > Server without name and address found in list. Hi, I think this is

[SSSD-users] Re: Password expiration in AD with SSSD

2021-02-16 Thread Sumit Bose
On Tue, Feb 16, 2021 at 03:46:38PM +0100, Paweł Szafer wrote: > Hi again, > I installed CentOS 8 to test if the warning is working and on CentOS it is > working properly. > > In Arch I never get the line with the check "sss_krb5_expire_callback_func" > > Here are logs and config compared: >

[SSSD-users] Re: sdap_save_user Failed to save user?

2021-02-15 Thread Sumit Bose
On Mon, Feb 15, 2021 at 01:36:09PM +1100, Lachlan Simpson wrote: > Hi, > > I'm having trouble getting results with IPA and SSSD, so I'm starting from > first principles. > > Running on RHEL 8.3, I have an IPA server (idm) and a test client (idm-test), > with one-way trusts to the company AD -

[SSSD-users] Re: Password expiration in AD with SSSD

2021-02-12 Thread Sumit Bose
On Thu, Feb 11, 2021 at 06:47:46PM +0100, Paweł Szafer wrote: > Hi, > I want to warn users when password expiration days are less than 14 days. > > I have GPO Default domain policy with this number of days. > I have sssd.conf as: Hi, although you define the password policy in AD with GPOs, SSSD

[SSSD-users] Re: [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts

2021-02-12 Thread Sumit Bose
On Thu, Feb 11, 2021 at 11:56:21AM +0200, Rudi Dayan wrote: > Hello, > > > > I am using the email because it's easier to send attachments here. > > I separated the log into the section before the terminal asks for the user password, > and the section after entering the domain password. Hi, can you

[SSSD-users] Re: [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts

2021-01-26 Thread Sumit Bose
On Tue, Jan 26, 2021 at 11:53:21AM -, Rudi Dayan wrote: > Hi, > > Thank you for your quick response but I'm not quite sure what you mean. > Anyway, the log that I attached is from the su command but this case also > happens on the login screen. Hi, would it be possible to send all SSSD

[SSSD-users] Re: [[sssd[krb5_child[75227]]]] [sss_krb5_prompter] (0x0020): Cannot handle password prompts

2021-01-25 Thread Sumit Bose
On Mon, Jan 25, 2021 at 04:25:55PM -, Rudi Dayan wrote: > Hello, > > I would like to implement smartcard authentication to Microsoft AD with sssd > on Ubuntu 20.04 LTS. > I am able to login to AD with a password but when I try to use a smartcard, > after a minute of timeout the password

[SSSD-users] Re: problem obtaining kerberos ticket with sssd

2021-01-19 Thread Sumit Bose
On Fri, Jan 15, 2021 at 01:45:33PM +0100, mbalembo wrote: > Hello, > > > I have trouble obtaining a kerberos ticket when logging in with sssd. > > in /var/log/sssd/krb5_child.log I get the line: > [[sssd[krb5_child[9521 [unpack_buffer] (0x0100): cmd [241] uid [10007] > gid [1] validate
