Re: [SSSD-users] Kerberos DNS SRV records preference

2013-09-08 Thread Jakub Hrozek
On Fri, Sep 06, 2013 at 01:40:50PM -0600, Erinn Looney-Triggs wrote: > On 09/06/2013 07:10 AM, Jakub Hrozek wrote: > > On Fri, Sep 06, 2013 at 02:55:48PM +0200, Bolesław Tokarski wrote: > >> Hello, > >> > >> Can somebody confirm me the behaviour of SSSD (we

Re: [SSSD-users] how do I restrict access when access_provider = ad ?

2013-09-08 Thread Jakub Hrozek
On Sat, Sep 07, 2013 at 07:16:09PM -0400, Dmitri Pal wrote: > On 09/07/2013 02:23 PM, Doug Clow wrote: > > Hello, > > > > I recently switched my sssd to 1.9 so I can try the native Active > > Directory support. Previously I was using: > > > > id_provider = ldap > > auth_provider = krb5 > > chpass_

Re: [SSSD-users] Ubuntu Saucy sssd-1.11.0 not starting

2013-09-10 Thread Jakub Hrozek
On Tue, Sep 10, 2013 at 01:29:54PM +, Longina Przybyszewska wrote: > Hi, > I would test the new features (autofs !!!) in sssd-1.11.0 version in Ubuntu > Saucy, and I am using native sssd package. > I use working config file from sssd-1.9.4 > Daemon doesn't start: > > root@saucy:/var/lib/sss#

Re: [SSSD-users] Ubuntu Saucy sssd-1.11.0 not starting

2013-09-10 Thread Jakub Hrozek
On Tue, Sep 10, 2013 at 02:16:30PM +, Longina Przybyszewska wrote: > This is VM machine and does not have DNS entry. > Could it be the reason? > > Longina No, most probably this is an issue with how we load the configuration..

Re: [SSSD-users] Ubuntu Saucy sssd-1.11.0 not starting

2013-09-10 Thread Jakub Hrozek
On Tue, Sep 10, 2013 at 02:04:02PM +, Longina Przybyszewska wrote: > It should be ok: > [sssd] > config_file_version = 2 > debug_level = 9 > reconnection_retries = 3 > sbus_timeout = 30 > services = nss, pam > domains = xxx.sdu.dk, zzz.sdu.dk > ... > > Longina I see..can you check what

Re: [SSSD-users] bad basedn with autofs in sssd

2013-09-11 Thread Jakub Hrozek
On Wed, Sep 11, 2013 at 10:47:35AM +0200, Ondrej Kos wrote: > On 09/11/2013 07:04 AM, Dale Harris wrote: > >Hi folks, > > > >Trying to set up autofs in sssd. It doesn't appear that sssd likes my > >basedn, one that I use on Solaris just fine. In my sssd_default.log I > >see: > > > >sssd_default.l

Re: [SSSD-users] bad basedn with autofs in sssd

2013-09-11 Thread Jakub Hrozek
On Wed, Sep 11, 2013 at 09:24:08AM -0400, Dale Harris wrote: > On Wed, Sep 11, 2013 at 4:47 AM, Ondrej Kos wrote: > > > > Hi Dale, > > > > BaseDN shouldn't contain a dot character, could you please post your > > sssd.conf file? Sanitized, if needed. > > Also, is the version of SSSD you run same on

Re: [SSSD-users] bad basedn with autofs in sssd

2013-09-11 Thread Jakub Hrozek
On Wed, Sep 11, 2013 at 03:37:50PM +0200, Jakub Hrozek wrote: > > ldap_default_authtok_type = obfuscated_passwordldap_default_authtok = XX Also not sure if this is just a copy&paste error, but these two parameters need to be on sepa

Re: [SSSD-users] bad basedn with autofs in sssd

2013-09-11 Thread Jakub Hrozek
On Wed, Sep 11, 2013 at 09:47:19AM -0400, Dale Harris wrote: > On Wed, Sep 11, 2013 at 9:37 AM, Jakub Hrozek wrote: > > > > I think you just need to drop the quotes. Instead of: > > ldap_autofs_search_base="o=nycornell.org" > > use: > > ldap_autofs_se

Re: [SSSD-users] bad basedn with autofs in sssd

2013-09-11 Thread Jakub Hrozek
On Wed, Sep 11, 2013 at 09:59:14AM -0400, Dale Harris wrote: > On Wed, Sep 11, 2013 at 9:53 AM, Jakub Hrozek wrote: > > > > Can you link the docs? We need to fix them. > > Here it is: > > https://access.redhat.com/site/documentation//en-US/Red_Hat_Enterprise_Linux/6

Re: [SSSD-users] Need help configuring fine grained password policy enforcement on RHEL6 using sssd

2013-09-11 Thread Jakub Hrozek
On Wed, Sep 11, 2013 at 06:25:25PM +, Bright, Daniel wrote: > I was told by the good folks at the 389-users mailing list to instead > redirect my question to the sssd-users list so here goes, thanks in advance! > > All, > > I am in the process of moving away from pam_ldap and on to pam_sss.

Re: [SSSD-users] Need help configuring fine grained password policy enforcement on RHEL6 using sssd

2013-09-12 Thread Jakub Hrozek
On Wed, Sep 11, 2013 at 05:02:41PM -0400, Dmitri Pal wrote: > On 09/11/2013 04:06 PM, Bright, Daniel wrote: > > > > Jakub, > > > > > > > > Thanks for the quick response, to answer your question I am using the > > built-in password policy features of 389-ds that allows us to use > > these features

Re: [SSSD-users] Ubuntu Saucy sssd-1.11.0 not starting

2013-09-12 Thread Jakub Hrozek
> root@saucy:/var/lib/sss# aptitude show libini-config2 > E: Unable to locate package libini-config2 > > Longina > > -Original Message- > From: sssd-users-boun...@lists.fedorahosted.org > [mailto:sssd-users-boun...@lists.fedorahosted.org] On Behalf Of Jakub Hrozek

Re: [SSSD-users] Ubuntu Saucy sssd-1.11.0 not starting

2013-09-12 Thread Jakub Hrozek
On Thu, Sep 12, 2013 at 01:11:26PM +0200, Jakub Hrozek wrote: > On Tue, Sep 10, 2013 at 02:28:36PM +, Longina Przybyszewska wrote: > > root@saucy:/var/lib/sss# aptitude show libini-config3 > > Package: libini-config3 > > State: installed > > A

Re: [SSSD-users] Need help configuring fine grained password policy

2013-09-12 Thread Jakub Hrozek
On Thu, Sep 12, 2013 at 02:02:12PM +, Bright, Daniel wrote: > Jakub, I took your advice and turned debugging to level 9, this is what I am > seeing in the logs: > > === > [r...@some.server.com

Re: [SSSD-users] Need help configuring fine grained password policy

2013-09-13 Thread Jakub Hrozek
On Thu, Sep 12, 2013 at 03:21:51PM -0400, Dmitri Pal wrote: > On 09/12/2013 03:14 PM, Bright, Daniel wrote: > > > > Jakub, > > > > > > > > Thanks for the response, I figured out why I was getting the > > constraint violation, in my case it was because I have the > > “passwordminage” set for my po

Re: [SSSD-users] how do I restrict access when access_provider = ad ?

2013-09-13 Thread Jakub Hrozek
On Mon, Sep 09, 2013 at 09:57:35AM -0700, Doug Clow wrote: > Thank you Jakub, > > Those settings you gave me to minimally add back the ldap access_provider > worked perfectly. All is working well again! > > Best, > Doug > > Hi Doug, I'm glad the access control is working for you now. We wer

Re: [SSSD-users] how do I restrict access when access_provider = ad ?

2013-09-13 Thread Jakub Hrozek
On Fri, Sep 13, 2013 at 03:04:42PM +0200, Jakub Hrozek wrote: > On Mon, Sep 09, 2013 at 09:57:35AM -0700, Doug Clow wrote: > > Thank you Jakub, > > > > Those settings you gave me to minimally add back the ldap access_provider > > worked perfectly. All is workin

Re: [SSSD-users] Need help configuring fine grained password policy

2013-09-13 Thread Jakub Hrozek
On Fri, Sep 13, 2013 at 02:03:07PM +, Bright, Daniel wrote: > I did not see any extended error messages in the debug logs, actually I > am using Oracle Enterprise Linux 6 (OEL6) so the version of sssd I am on > is 1.9.2-82.7, it looks like the fix that you spoke about earlier is in > 1.10.1x an

Re: [SSSD-users] authenticating against all sub-domains in AD forest

2013-09-16 Thread Jakub Hrozek
On Mon, Sep 16, 2013 at 01:17:22PM +, a t wrote: > Hi, > > I am testing find a standard config for Linux authentication against Active > Directory and I am testing with Centos 6. I have decided on a > SSSD/Kerberos/LDAP configuration as described in RedHats "Integrating Red Hat > Enterprise

Re: [SSSD-users] authenticating against all sub-domains in AD forest

2013-09-16 Thread Jakub Hrozek
On Mon, Sep 16, 2013 at 01:45:17PM +, a t wrote: > > > > Date: Mon, 16 Sep 2013 15:22:47 +0200 > > From: jhro...@redhat.com > > To: sssd-users@lists.fedorahosted.org > > Subject: Re: [SSSD-users] authenticating against all sub-domains in AD > > forest > > > > On Mon, Sep 16, 2013 at 01:17:2

Re: [SSSD-users] Active Directory parent-child trust

2013-09-16 Thread Jakub Hrozek
On Mon, Sep 16, 2013 at 07:31:13PM +0200, Alfredo Colangelo wrote: > Hello List, > > I've built sssd-1.11.90 from git source for a CentOS 6.4 server. I want to > set up a connection with SSSD to 2 Active Directory domains (both Windows > 2003 functional level), parent and child, so they have a par

Re: [SSSD-users] how do I restrict access when access_provider = ad ?

2013-09-16 Thread Jakub Hrozek
On Mon, Sep 16, 2013 at 10:34:58AM -0700, Doug Clow wrote: > Hi Jakub, > > I would definitely use that ad_access_filter feature. In fact that is how I > expected it was going to work and tried it out originally. Great, thank you! I flagged your e-mail so that I ping you when the new feature is

Re: [SSSD-users] Ubuntu Saucy sssd-1.11.0 not starting

2013-09-18 Thread Jakub Hrozek
On Tue, Sep 17, 2013 at 09:13:23AM +, Longina Przybyszewska wrote: > Some more debugging output: > > root@saucy:/etc/sssd# sssd -i -d 9 -c /etc/sssd/sssd.conf > (Mon Sep 16 20:21:20:853610 2013) [sssd] [check_file] (0x0400): lstat for > [/var/run/nscd/socket] failed: [2][No such file or direc

Re: [SSSD-users] authenticating against all sub-domains in AD forest

2013-09-18 Thread Jakub Hrozek
On Tue, Sep 17, 2013 at 01:50:15PM +, a t wrote: > > > > Date: Mon, 16 Sep 2013 15:59:09 +0200 > > From: jhro...@redhat.com > > To: sssd-users@lists.fedorahosted.org > > Subject: Re: [SSSD-users] authenticating against all sub-domains in AD > > forest > > > > On Mon, Sep 16, 2013 at 01:45:1

Re: [SSSD-users] sssd, autofs and active directory [SOLVED]

2013-09-18 Thread Jakub Hrozek
ng attrs: > >>>[automountMapName] > >>>(Mon Sep 16 15:10:50 2013) [sssd[be[example.com]]] > >>>[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 8 > >>>(Mon Sep 16 15

Re: [SSSD-users] sssd, autofs and active directory [SOLVED]

2013-09-18 Thread Jakub Hrozek
On Wed, Sep 18, 2013 at 10:02:46AM +0100, Rowland Penny wrote: > The only change I made was in /etc/default/autofs, I changed: > > MASTER_MAP_NAME="OU=auto.master,OU=automount,DC=home,DC=lan" > > To: > Ah, I know what's going on, sorry for the confusion. tl;dr - your config is correct. > MAST

Re: [SSSD-users] Ubuntu Saucy sssd-1.11.0 not starting

2013-09-19 Thread Jakub Hrozek
On Wed, Sep 18, 2013 at 10:00:15AM +, Longina Przybyszewska wrote: > Hi, > I have a fresh install of Saucy (VM in Virtualbox), sssd is installed as > binary package available in distribution. > > To be sure, I uninstalled sssd and installed it again. > > To be sure that sssd.conf works, I s

Re: [SSSD-users] ssh openldap and sssd

2013-09-20 Thread Jakub Hrozek
On Wed, Sep 18, 2013 at 04:12:24PM +0200, Olivier wrote: > Ok : I found where was my mistake : > > This is wrong: > > ldap_user_ssh_public_key = True > > This is the right config : > ldap_user_ssh_public_key = sshPublicKey > > Now it works ! > > Thanks to Mathieu : > http://blog.mlemoine.name

Re: [SSSD-users] authenticating against all sub-domains in AD forest

2013-09-20 Thread Jakub Hrozek
On Wed, Sep 18, 2013 at 11:55:52AM +, a t wrote: > > > > > > > Date: Wed, 18 Sep 2013 10:34:03 +0200 > > From: jhro...@redhat.com > > To: sssd-users@lists.fedorahosted.org > > Subject: Re: [SSSD-users] authenticating against all sub-domains in AD > > forest > > > > On Tue, Sep 17, 2013 a

Re: [SSSD-users] sssd and sudo

2013-09-23 Thread Jakub Hrozek
On Sat, Sep 21, 2013 at 03:38:30PM +0100, Rowland Penny wrote: > OK, I have now got sssd to cache the sudo rules from AD, I found out > that you must have 'defaults' in the AD database, I didn't and > thought you could just use the defaults on the client. > > Now, even though sssd has cached the r

Re: [SSSD-users] Ubuntu Saucy sssd-1.11.0 not starting

2013-09-23 Thread Jakub Hrozek
On Thu, Sep 19, 2013 at 10:42:12AM +0200, Jakub Hrozek wrote: > On Wed, Sep 18, 2013 at 10:00:15AM +, Longina Przybyszewska wrote: > > Hi, > > I have a fresh install of Saucy (VM in Virtualbox), sssd is installed as > > binary package available in distribution. &

Re: [SSSD-users] authenticating against all sub-domains in AD forest

2013-09-23 Thread Jakub Hrozek
On Mon, Sep 23, 2013 at 03:10:45PM +, a t wrote: > > > > Date: Fri, 20 Sep 2013 14:44:49 +0200 > > From: jhro...@redhat.com > > To: sssd-users@lists.fedorahosted.org > > Subject: Re: [SSSD-users] authenticating against all sub-domains in AD > > forest > > > > On Wed, Sep 18, 2013 at 11:55:5

Re: [SSSD-users] sssd.conf, authconfig and ldap_uri

2013-09-25 Thread Jakub Hrozek
On Wed, Sep 25, 2013 at 11:42:15AM +0200, Olivier wrote: > Hello everyone, > > I launch "authconfig" within a script to setup my redhat6 boxes. > > I noticed that authconfig does not set up sssd.conf properly : > https://bugzilla.redhat.com/show_bug.cgi?id=874527 > > but the bug is declared as "

Re: [SSSD-users] sssd.conf, authconfig and ldap_uri

2013-09-25 Thread Jakub Hrozek
On Wed, Sep 25, 2013 at 08:22:57PM +0200, Michael Ströder wrote: > Hmm, I really wonder why SRV RRs are recommended over having a single service > CNAME RR and maybe several A/ RRs? In my opinion, the biggest advantages are centrally defined failover using the "priority field" and the ability

Re: [SSSD-users] sssd.conf, authconfig and ldap_uri

2013-09-25 Thread Jakub Hrozek
On Wed, Sep 25, 2013 at 09:00:42PM +0200, Michael Ströder wrote: > Jakub Hrozek wrote: > > On Wed, Sep 25, 2013 at 08:22:57PM +0200, Michael Ströder wrote: > >> Hmm, I really wonder why SRV RRs are recommended over having a single > >> service > >> C

Re: [SSSD-users] renewal of krb5 tickets created outside SSSD

2013-09-26 Thread Jakub Hrozek
On Thu, Sep 26, 2013 at 10:23:54AM +0100, Michael Gliwinski wrote: > On Wednesday 25 Sep 2013 13:59:31 Dmitri Pal wrote: > > On 09/25/2013 09:41 AM, Stephen Gallagher wrote: > > > On 09/25/2013 08:40 AM, Michael Gliwinski wrote: > > > > Hi all, > > > > > > > > Currently SSSD (when configured with

Re: [SSSD-users] sssd.conf, authconfig and ldap_uri

2013-09-26 Thread Jakub Hrozek
On Thu, Sep 26, 2013 at 11:00:00AM +0200, Olivier wrote: > Hello Jakub and all, > > maybe the following could help : to be honest, from an operational point > of view > I like the centralisation perspective offered by DNS discovery. > > Any comment on these test/audit are welcomed. > > for the

Re: [SSSD-users] login problem sssd-1.11.0 Ubuntu saucy

2013-09-26 Thread Jakub Hrozek
On Thu, Sep 26, 2013 at 11:46:04AM -0400, Stephen Gallagher wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 09/26/2013 11:11 AM, Longina Przybyszewska wrote: > > > > I am testing sssd-1.11.0 in Ubuntu Saucy - and have problems with > > ssh and login from GUI-login (lightdm and gd

Re: [SSSD-users] login problem sssd-1.11.0 Ubuntu saucy

2013-09-27 Thread Jakub Hrozek
On Fri, Sep 27, 2013 at 03:02:33PM +, Longina Przybyszewska wrote: > What debugging level would be reasonable? > Level 9 gives a huge file of 15mb for single login ;( > > Longina Try 6 or 7 for a start.

[SSSD-users] Announcing SSSD 1.11.1

2013-09-27 Thread Jakub Hrozek
that server side password policies always takes precedence https://fedorahosted.org/sssd/ticket/2093 sssd should write capaths for IPA trusted forests' subdomains == Detailed Changelog == Jakub Hrozek (24): * Updating the version for 1.11.1 release * PROXY: Handle empty GECOS

Re: [SSSD-users] authenticating against all sub-domains in AD forest

2013-09-29 Thread Jakub Hrozek
On Tue, Sep 24, 2013 at 11:02:48AM +, a t wrote: > > Hi, > > please see logs attached. (couldn't upload logs as they were too large so i > hope a tar.gz gets through). I stopped sssd, deleted logs and started sssd. > Then ran the commands below; > > ssh B\\test.user@localhost - run at (Tue

Re: [SSSD-users] authenticating against all sub-domains in AD forest

2013-10-01 Thread Jakub Hrozek
On Sun, Sep 29, 2013 at 02:41:11PM +0100, a t wrote: > Hi, > > That user, test.user, is in the subdomain a.domain.org. > > The logs mark domain.org as a subdomain of b.domain.org. however, this is not > correct - domain.org is the root domain of which b.domain.org is a subdomain. > We do not ha

Re: [SSSD-users] sssd 1.11 (F19) & AD not working

2013-10-09 Thread Jakub Hrozek
On Wed, Oct 09, 2013 at 09:08:05AM +0200, Sumit Bose wrote: > On Tue, Oct 08, 2013 at 11:33:45PM +, Ondrej Valousek wrote: > > Looks like this only happens if I specify the ad_server manually. If I let > > sssd do the DNS SRV discovery, it works OK. > > I still think it should work OK if I spe

Re: [SSSD-users] Home Directory not being created

2013-10-09 Thread Jakub Hrozek
On Wed, Oct 09, 2013 at 11:25:51AM -0400, Chris Hartman wrote: > I'm having a problem getting pam_mkhomedir.so to make a user's home > directory when it's specified using an LDAP attribute. The backend > directory server is AD on Server 2008. The client is Ubuntu 12.04, sssd > version 1.11.1. > >

Re: [SSSD-users] lines beginning with spaces in sssd.conf

2013-10-10 Thread Jakub Hrozek
On Wed, Oct 09, 2013 at 02:03:00PM -0400, Stephen Gallagher wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 10/09/2013 01:22 PM, Dmitri Pal wrote: > > On 10/09/2013 01:05 PM, Ondrej Valousek wrote: > >> Hi List, > >> > >> I have noticed that since F19 I can not use lines beginning

Re: [SSSD-users] lines beginning with spaces in sssd.conf

2013-10-10 Thread Jakub Hrozek
On Thu, Oct 10, 2013 at 10:54:59AM +0200, Jakub Hrozek wrote: > On Wed, Oct 09, 2013 at 02:03:00PM -0400, Stephen Gallagher wrote: > > -BEGIN PGP SIGNED MESSAGE- > > Hash: SHA1 > > > > On 10/09/2013 01:22 PM, Dmitri Pal wrote: > > > On 10/09/2013 01:05

Re: [SSSD-users] lines beginning with spaces in sssd.conf

2013-10-10 Thread Jakub Hrozek
On Thu, Oct 10, 2013 at 01:48:24PM -0400, Simo Sorce wrote: > On Thu, 2013-10-10 at 11:22 +0200, Jakub Hrozek wrote: > > On Thu, Oct 10, 2013 at 10:54:59AM +0200, Jakub Hrozek wrote: > > > On Wed, Oct 09, 2013 at 02:03:00PM -0400, Stephen Gallagher wrote: > > > >

Re: [SSSD-users] lib_sssd missing in redhat6

2013-10-17 Thread Jakub Hrozek
On Thu, Oct 17, 2013 at 05:03:32PM +0200, Lukas Slebodnik wrote: > On (17/10/13 16:21), Olivier wrote: > >Hello, > > > >FYI : https://bugzilla.redhat.com/show_bug.cgi?id=1020366 > > > >Best > > > > It isn't a bug, but it was very confusing for a lot of users. > > Therefore libsss_sudo.so was move

Re: [SSSD-users] lib_sssd missing in redhat6

2013-10-17 Thread Jakub Hrozek
On Thu, Oct 17, 2013 at 06:10:07PM +0200, Olivier wrote: > Ok, thanks. > > it's not yet in my "official" redhat6 repository then. > > (currently : sssd-1.9.2-82.7.el6_4.x86_64) > > --- So yum list libsss_sudo shows nothing? What RHN channels is the system subscribed to?

Re: [SSSD-users] Problems with sssd 1.11.1 on ubuntu 13.10

2013-10-23 Thread Jakub Hrozek
On Wed, Oct 23, 2013 at 11:15:13AM +0200, Melvin Williams wrote: > unix:path=/var/lib/sss/pipes/private/sbus-dp_DOMAIN.6506,guid=d80dc5947470b79adedf926e52678695 > (Wed Oct 23 10:19:33 2013) [sssd[be[DOMAIN]]] [sbus_add_watch] (0x2000): > 0x1216e50/0x1201dd0 (15), R/- (enabled) > (Wed Oct 23 10:19:

Re: [SSSD-users] GDM login

2013-10-24 Thread Jakub Hrozek
On Thu, Oct 24, 2013 at 09:59:50AM +0100, Roberts Klotiņš wrote: > Hello, > > After 2 days of reading on Samba4 SSSD and AD login I am running into > problems. I have set up > - AD server with Samba 4.2 (CentOS 6.3) - domain PEOPLE.LOCAL > - Fedora 19 machine > - Windows XP machine joined the dom

Re: [SSSD-users] sssd-users Digest, Vol 18, Issue 25

2013-10-24 Thread Jakub Hrozek
On Thu, Oct 24, 2013 at 02:01:11PM +0100, Roberts Klotiņš wrote: > Hi Thanks a lot for looking into this. > > As you suspected - there is something that enterprise simple login added > into the config file: > > [sssd] > services = nss, pam > config_file_version = 2 > domains = PEOPLE > > [n

Re: [SSSD-users] sssd-users Digest, Vol 18, Issue 25

2013-10-25 Thread Jakub Hrozek
On Fri, Oct 25, 2013 at 02:25:04AM +0100, Roberts Klotiņš wrote: > Hi again, still trying to understand how to make the setup to work. > > As the very last thing I thought to check into /etc/sysconfig/authconfig. > What I found was that usekerberos and useldap were set to no. Maybe they > (or at l

Re: [SSSD-users] sssd-users Digest, Vol 18, Issue 25

2013-10-25 Thread Jakub Hrozek
On Fri, Oct 25, 2013 at 09:58:48AM +0200, Jakub Hrozek wrote: > On Fri, Oct 25, 2013 at 02:25:04AM +0100, Roberts Klotiņš wrote: > > Hi again, still trying to understand how to make the setup to work. > > > > As the very last thing I thought to check into /etc/sysconfig/a

Re: [SSSD-users] access_provider = simple or pam_access

2013-10-30 Thread Jakub Hrozek
On Fri, Oct 25, 2013 at 03:10:34PM +0100, Michael Gliwinski wrote: > Hi all, > Hi Michael, sorry for the late reply, most of the team was busy preparing the 1.11.2 release. > I was just looking at various access control methods and reading through > https://fedorahosted.org/sssd/wiki/DesignDoc

Re: [SSSD-users] SSSD - GDM login

2013-10-30 Thread Jakub Hrozek
On Fri, Oct 25, 2013 at 02:52:24AM +0100, Roberts Klotiņš wrote: > Hi Many thanks. I attaching the files as otherwise the one that relates to > the domain is very large. Curiously though the krb5_child.log is empty (0 > bytes) "so it will not be attached". > > And I apologize for not paying attent

Re: [SSSD-users] sssd performance problem

2013-10-30 Thread Jakub Hrozek
On Wed, Oct 30, 2013 at 12:18:44PM +0200, Sami K wrote: > Hello, > > We have been lately having big problems with sssd caching. On our ssh > servers, (each with ~100-200 users) login may take several minutes as the > sssd_be -process uses 100% cpu time and sssd_be -process may be in this > state f

[SSSD-users] Announcing SSSD 1.11.2

2013-10-30 Thread Jakub Hrozek
in members from different domains == Detailed Changelog == Jakub Hrozek (23): * Updating the version for the 1.11.2 release * krb5: Fix unit tests * INI: Disable line-wrapping functionality * KRB5: Return PAM_ACCT_EXPIRED when logging in as expired AD user * PROXY: Fix memory hierarchy w

Re: [SSSD-users] SSSD with id_provider ldap and auth_provider krb5-ad

2013-10-31 Thread Jakub Hrozek
On Thu, Oct 31, 2013 at 03:04:39PM +0100, Pieter Baele wrote: > Hello everyone, > > I made a configuration where I use Active Directory Kerberos as > authentication source, > but OpenDJ LDAP (Forgerock) as id_provider, sudo_provider etc > > I configured everything using the excellent tool msk

Re: [SSSD-users] sssd access to server with read only root

2013-10-31 Thread Jakub Hrozek
On Thu, Oct 31, 2013 at 05:50:10PM +, Chris Petty wrote: > > I guess i naively thought i needed it, but i removed the pam_krb libs from > all the system/password auth sections of test machines and things still work > as normal. > > I still get the same errors on the ro-root machine however:

Re: [SSSD-users] AD provider uses wrong user attribute?

2013-11-01 Thread Jakub Hrozek
On Fri, Nov 01, 2013 at 09:36:05AM +, Ondrej Valousek wrote: > Hi List, > > Looks like the AD provider in sssd honors sAMAccountname attribute instead of > the 'uid' (which is more in line with the RFC2307). > Is this intentional or a bug? > > Thanks, > Ondrej Intentional, is UID guaranteed

Re: [SSSD-users] AD provider uses wrong user attribute?

2013-11-01 Thread Jakub Hrozek
On Fri, Nov 01, 2013 at 11:21:10AM +, Ondrej Valousek wrote: > In ADUC, if you tick on User "Unix attributes" and populate it, uid is > automatically set on. > Not sure if Samba even populates RFC attributes - guess you need to use > ldap_id_mapping=true w/ Samba. > Ondrej But using UNIX att

Re: [SSSD-users] sssd performance problem

2013-11-05 Thread Jakub Hrozek
On Fri, Nov 01, 2013 at 08:03:47PM +0200, Sami K wrote: > Thank you for all the comments and suggestions, > > 2013/10/30 Jakub Hrozek > >On Wed, Oct 30, 2013 at 12:18:44PM +0200, Sami K wrote: > >> Any idea when would RHEL6 sssd be rebased? > > Not in RHEL-6.5 :

[SSSD-users] Announcing SSSD 1.9.6

2013-11-06 Thread Jakub Hrozek
https://fedorahosted.org/sssd/ticket/1892 In IPA AD trust setup, the sssd logs throws 'sysdb_search_user_by_name failed' error when AD user tries to login via ipa client. https://fedorahosted.org/sssd/ticket/2126 sssd_be segfault when authenticating against active director

Re: [SSSD-users] ldap authentication

2013-12-06 Thread Jakub Hrozek
On Fri, Dec 06, 2013 at 10:43:58AM +0200, Dan Candea wrote: > Hello > > Could someone point me in the right direction with what is wrong > here, please? Thank you for any hint. > > I want to make ldap authentication without kerberos ( > access_provider = ldap ) > TLS/SSL encryption channel is fin

Re: [SSSD-users] sssd uid on broken ldap implementation

2013-12-06 Thread Jakub Hrozek
On Fri, Nov 29, 2013 at 03:17:44PM +0100, Ben Morrice wrote: > Hello, > > I am trying to use sssd in our environment where unfortunately we > have a broken ldap implementation with no options to fix it. > > We have an openldap implementation where our 'uid' field can contain > many attributes, so

Re: [SSSD-users] ldap authentication

2013-12-09 Thread Jakub Hrozek
On Fri, Dec 06, 2013 at 11:13:16AM +0200, Dan Candea wrote: > On 12/06/2013 11:01 AM, Jakub Hrozek wrote: > >On Fri, Dec 06, 2013 at 10:43:58AM +0200, Dan Candea wrote: > >>Hello > >> > >>Could someone point me in the right direction with what is wrong >

Re: [SSSD-users] ldap authentication

2013-12-09 Thread Jakub Hrozek
On Mon, Dec 09, 2013 at 11:54:59AM +0200, Dan Candea wrote: > On 12/09/2013 11:00 AM, Jakub Hrozek wrote: > >When performing the LDAP password bind, the user's full DN is used to > >bind. According to the logs you sent earlier, this would be > >CN=MyUser,CN=Users,DC=

Re: [SSSD-users] sssd sudo ldap with new AD provider

2013-12-10 Thread Jakub Hrozek
On Mon, Dec 09, 2013 at 09:47:48PM -0600, Aaron Johnson wrote: > My sssd.conf is as follows (I have had to improvise as I have not > found any solid documentation on how to do this using the new AD > provider...): Hi Aaron, I believe your config can be trimmed further. The AD provider already def

Re: [SSSD-users] sssd sudo ldap with new AD provider

2013-12-10 Thread Jakub Hrozek
On Tue, Dec 10, 2013 at 06:41:23AM -0600, Aaron Johnson wrote: > >On Mon, Dec 09, 2013 at 09:47:48PM -0600, Aaron Johnson wrote: > >>My sssd.conf is as follows (I have had to improvise as I have not > >>found any solid documentation on how to do this using the new AD > >>provider...): > >Hi Aaron,

Re: [SSSD-users] ldap authentication

2013-12-10 Thread Jakub Hrozek
On Tue, Dec 10, 2013 at 04:57:47PM +0200, Dan Candea wrote: > On 12/09/2013 07:00 PM, Lukas Slebodnik wrote: > >I would suggest to configure sssd against AD with realmd. > >debian >= jessie and ubuntu >= raring contain this package. > > > >http://packages.debian.org/jessie/realmd > >http://packages

Re: [SSSD-users] Long hostname

2013-12-11 Thread Jakub Hrozek
On Wed, Dec 11, 2013 at 09:26:23AM +0100, Sumit Bose wrote: > To avoid setting ldap_sasl_authid/ad_hostname in your case we can cut > the hostname after 15 characters if we fail to get a TGT with the > original request. Would you like to open a RFE about it? btw realmd already cuts the first 15 ch

Re: [SSSD-users] ldap authentication

2013-12-11 Thread Jakub Hrozek
On Wed, Dec 11, 2013 at 09:50:51AM -0500, Simo Sorce wrote: > Arbitrary attributes are not synced to the GC tree, so you either need > to prevent SSSD from reading from the GC or change the AD configuration > to sync that attribute to the GC. btw I have a local patch with a new option to disable G

Re: [SSSD-users] kinit: Client not found in Kerberos database

2013-12-18 Thread Jakub Hrozek
On Wed, Dec 18, 2013 at 09:42:48AM +0100, Sumit Bose wrote: > On Wed, Dec 18, 2013 at 12:54:37AM +, Bryan Harris wrote: > > Hello all, > > > > I was wondering if someone would be able to help me track down where I went > > wrong with a 2008 R2 AD > Linux sssd configuration.  I am following th

Re: [SSSD-users] kinit: Client not found in Kerberos database

2013-12-18 Thread Jakub Hrozek
Sender: sssd-users-boun...@lists.fedorahosted.org On-Behalf-Of: jhro...@redhat.com Subject: Re: [SSSD-users] kinit: Client not found in Kerberos database Message-Id: <20131218093528.gc32...@hendrix.redhat.com> Recipient: cklopotow...@crabel.com --- Begin Message --- On Wed, Dec 18, 2013 at 09:42:48

Re: [SSSD-users] How to deal with non rfc2307 compliant schemas? (without posixAccount)

2013-12-18 Thread Jakub Hrozek
On Wed, Dec 18, 2013 at 04:25:22PM -0500, Jason Voorhees wrote: > Hi, this is my first post to this group, I hope someone can help me. > > I'm interested to map ID mapping and authentication from a LDAP Server > in a CentOS 6.5 box. > The LDAP Server (running IBM TDS afaik) is managed by a third p

Re: [SSSD-users] How to deal with non rfc2307 compliant schemas? (without posixAccount)

2013-12-18 Thread Jakub Hrozek
On Wed, Dec 18, 2013 at 04:49:51PM -0500, Jason Voorhees wrote: > Hi Jason, > > > > I think we need a little more information. Can you post a result of an > > ldapsearch of a sample user (feel free to rename and obfuscate the > > entry). > > > Thanks, that's a good idea. The contents of an example

Re: [SSSD-users] sssd and sudo timeouts, ldap queries

2013-12-19 Thread Jakub Hrozek
On Thu, Dec 19, 2013 at 11:42:54AM -0500, Dmitri Pal wrote: > I do not think it searches for sudo information. On every login SSSD > refreshes data about user and groups to be able to serve most recent > information about a user. > The volume of the searches is probably related to the resolution of

Re: [SSSD-users] kinit: Client not found in Kerberos database

2013-12-19 Thread Jakub Hrozek
On Wed, Dec 18, 2013 at 11:11:12PM +, Bryan Harris wrote: > Hello all, > > I wasn't sure who to reply to so here goes.  I have tried an alternative > method of kinit arguments, and received a ticket back this time.  I just > wanted to mention it and show the output, even though it seems now

Re: [SSSD-users] kinit: Client not found in Kerberos database

2013-12-19 Thread Jakub Hrozek
On Wed, Dec 18, 2013 at 10:38:39PM +, Bryan Harris wrote: > Hi Jakub, > > On Dec 18, 2013, at 03:35 AM, Jakub Hrozek wrote: > > On Wed, Dec 18, 2013 at 09:42:48AM +0100, Sumit Bose wrote: > On Wed, Dec 18, 2013 at 12:54:37AM +, Bryan Harris wrote: > >Here is

[SSSD-users] Announcing SSSD 1.11.3

2013-12-19 Thread Jakub Hrozek
ain-local scope should be filtered out for trusted domains == Detailed Changelog == Aron Parsons (1): * do not use default_domain_suffix with autofs Jakub Hrozek (14): * Updating the version for the 1.11.3 release * Initialize sid_str to NULL to avoid freeing random data * LDA

Re: [SSSD-users] sssd and sudo timeouts, ldap queries

2013-12-23 Thread Jakub Hrozek
On Thu, Dec 19, 2013 at 06:48:41PM +, Chris Petty wrote: > > Here is what was printed to the sssd_nss log at level 5 when i ran a > sudo command. > > Also, the full sssd.conf that i am currently running on this machine. > > -chris > Seems like there is a lot of requests coming in for group

Re: [SSSD-users] Found an old sssd running

2014-01-03 Thread Jakub Hrozek
On Fri, Jan 03, 2014 at 12:07:55AM +, Bryan Harris wrote: > I enabled logging but no logs were created.   So because of that, I ran sssd > myself with the -i option to see the output.  This is the type of stuff I'm > seeing. > > [sssd] [sbus_remove_timeout] (8): 0x2401540 > [sssd] [sbus_disp

Re: [SSSD-users] sdap_save_user save user SID issue

2014-01-10 Thread Jakub Hrozek
On Fri, Jan 10, 2014 at 01:57:07AM -0800, Chris Gray wrote: > All of my providers are AD; ID, access, auth and chgpass. I use the AD > provider for all 4 settings in 1.9 as well, seems to work fine. > > I have my ldap_id_mapping set to true. > > So, neither of those existing issues fit my setup,

Re: [SSSD-users] SSSD with 389DS

2014-01-16 Thread Jakub Hrozek
On Thu, Jan 16, 2014 at 11:29:53AM +0100, Mitja Mihelič wrote: > Hi! > > We are running a CentOS6 server using SSSD that connects to 389DS > containing 70k user entries. Both servers are fully updated. > SSSD and 389DS package versions: > sssd-1.9.2-129.el6_5.4.x86_64 > 389-ds-base-1.2.11.15-31.el

Re: [SSSD-users] SSSD with 389DS

2014-01-16 Thread Jakub Hrozek
On Thu, Jan 16, 2014 at 04:16:32PM +0100, Mitja Mihelič wrote: > >Can it be due to group membership refresh? > >Do you have a group that all 70K users are in? > All users except 27 out of 70k are members of the same group. The > group is defined locally in /etc/group. > In /etc/nsswitch.conf we hav

Re: [SSSD-users] sssd upstart in Saucy

2014-01-23 Thread Jakub Hrozek
On Thu, Jan 23, 2014 at 01:33:12PM +0100, Lukas Slebodnik wrote: > On (23/01/14 11:20), Longina Przybyszewska wrote: > >Hi, > >I run into start up problem after removing directories /var/log/sssd and > >/var/lib/sss - as I wanted clean startup. > You should not remove content of directory /var/li

Re: [SSSD-users] sssd upstart in Saucy

2014-01-23 Thread Jakub Hrozek
On Thu, Jan 23, 2014 at 12:53:54PM +, Longina Przybyszewska wrote: > Thanks, > It worked with creating directories as Lukas suggested and one more: > > mkdir /var/lib/sss/pipes/private > > Longina I'm glad it worked! btw the reason I suggested to use distro tool was that mkdir would just cr

Re: [SSSD-users] sssd-1.11.1 in Saucy

2014-01-24 Thread Jakub Hrozek
On Fri, Jan 24, 2014 at 10:42:34AM +, Longina Przybyszewska wrote: > I tried sssd in Ubuntu-Saucy ,clean installation, AD provider. > > "+" sides: > -can join AD with 'realm' : > -auto created krb5.keytab for computer > -auto created DNS entries for computer > > "-" sides: > -sssd on start

Re: [SSSD-users] sssd-1.11.1 in Saucy: adcli or realm

2014-01-27 Thread Jakub Hrozek
On Mon, Jan 27, 2014 at 10:30:28AM +, Longina Przybyszewska wrote: > What is the preferable way for joining AD for sssd client machine - 'adcli > join' or 'realm join' ? realm join > > 'realm discover' says it requires 'adcli' package does it mean that 'realm' > self uses it? Yes, adcli

Re: [SSSD-users] sssd-1.11.1 in Saucy

2014-01-27 Thread Jakub Hrozek
On Fri, Jan 24, 2014 at 11:54:18AM +, Longina Przybyszewska wrote: > Ups. I just run into another strange problem - can not start sssd with > working previously sssd.conf. > This is my laptop - I worked at home yesterday, on my local account and home > wireless network; > At work, I turned of

Re: [SSSD-users] sssd-1.11.1 in Saucy - GUI login problem[splved]

2014-01-28 Thread Jakub Hrozek
On Tue, Jan 28, 2014 at 11:56:01AM +, Longina Przybyszewska wrote: > I have figured out that missing homedir is the problem with login > adu...@domain.com from GUI. > > > Best, > Longina Glad it works now. For future reference, you can use parameters like fallback_homedir or override_homedi

Re: [SSSD-users] sssd-1.11.1 in Saucy - GUI login problem[splved]

2014-01-28 Thread Jakub Hrozek
On Tue, Jan 28, 2014 at 02:26:06PM +, Longina Przybyszewska wrote: > I have both options 'fallback_homedir, override_homedir'- but the options > don't install missing homedir. > I have to add 'pam_mkhomedir.so' reference to pam.d/common-session, for get > > home directory installed on f

Re: [SSSD-users] Connection to ad via ldap failing

2014-01-29 Thread Jakub Hrozek
On Tue, Jan 28, 2014 at 11:07:03PM +, Nordgren, Bryce L -FS wrote: > Well, I guess the title is a little misleading. The ldap connection is > working like a champ. I configured sssd to bind using my own credentials, and > that's working. The searches are successful and return the correct resu

Re: [SSSD-users] sssd-1.11.1 Saucy automount

2014-01-29 Thread Jakub Hrozek
On Wed, Jan 29, 2014 at 11:24:09AM +, Longina Przybyszewska wrote: > I would like get access to nfs- and cifs shares. > Sssd is configured with ad provider. > Is it possible to mount cifs share and nfs share on demand with > sssd and autofs service? > > Med venlig hilsen I think there are s

Re: [SSSD-users] Connection to ad via ldap failing

2014-01-29 Thread Jakub Hrozek
On Wed, Jan 29, 2014 at 05:28:10PM +, Nordgren, Bryce L -FS wrote: > > > > -Original Message- > > On Tue, Jan 28, 2014 at 11:07:03PM +, Nordgren, Bryce L -FS wrote: > > > I think the most important log would be the one from the back end, > > generated by including debug_level in

Re: [SSSD-users] Connection to ad via ldap failing

2014-01-30 Thread Jakub Hrozek
On Wed, Jan 29, 2014 at 11:14:01PM +, Nordgren, Bryce L -FS wrote: > > > > > I think the most important log would be the one from the back end, > > > > generated by including debug_level in the [domain] section. > > > > > > Ok. Will try it. > > Attached. Log contains sssd restart as well as a

Re: [SSSD-users] Connection to ad via ldap failing

2014-01-30 Thread Jakub Hrozek
On Wed, Jan 29, 2014 at 11:18:33PM +, Nordgren, Bryce L -FS wrote: > > > > > > I think the most important log would be the one from the back end, > > > > > generated by including debug_level in the [domain] section. > > Oh...I noticed that according to the man page, "debug_level" is listed as

Re: [SSSD-users] Connection to ad via ldap failing

2014-01-30 Thread Jakub Hrozek
On Thu, Jan 30, 2014 at 01:03:35AM -0800, Chris Gray wrote: > Use msktutil to join the pc to the AD domain, or create the krb5.keytab > file on your domain controller and move it to the pc running fedora, if you > do that, be sure to tell selinux to accept the foreign file. > > Chris With recent
