[SSSD-users] Re: 'root' users are not listed in 'getent passwd' command

2017-06-27 Thread Jakub Hrozek
On Tue, Jun 27, 2017 at 11:12:52AM -0700, kedar sirshikar wrote: > Hi Team, > I have integrated 'sssd' with ldap server. > I am using 'getent passwd' command to see all users from local and ldap. > I am able to see all users from local. For LDAP, I am only seeing users > which are not

[SSSD-users] Re: Can SSSD query users from a domain different than the one computer has joined?

2017-06-27 Thread Jakub Hrozek
On Tue, Jun 27, 2017 at 01:35:18PM -0400, Abhijit Tikekar wrote: > > > > > Hi, > > > > We are running into some SSSD authentication issues and would really > > appreciate any advice. Here’s some background: > > > > Until now, all CentOS machines which use SSSD were joined to the same > >

[SSSD-users] Re: Using SSSD with a forest trust model

2017-04-26 Thread Jakub Hrozek
On Tue, Apr 25, 2017 at 12:37:50PM -, k...@unwire.dk wrote: > Hi. > > I have the following scenario : > > -'example.com' domain running on premises > -'aws.example.com' domain running on 'Amazon Microsoft AD' in VPC with VPN > connection to on premises. > - One-way trust created from

[SSSD-users] Re: Using SSSD with a forest trust model

2017-04-26 Thread Jakub Hrozek
On Wed, Apr 26, 2017 at 07:55:38AM -, k...@unwire.dk wrote: > Hi Jakub. > > Thank you for quick response. > I still believe I'm in same forest (correct me if I'm wrong), but using a > trust. Are trusts not supported at all in SSSD? Trusted domains in a single forest are. If the domains are

[SSSD-users] Re: session setup failed: NT_STATUS_NO_LOGON_SERVERS

2017-04-27 Thread Jakub Hrozek
On Wed, Apr 26, 2017 at 09:42:17PM +, Galen Johnson wrote: > I was going to point you to the troubleshooting doc at > fedorahosted.org/sssd/wiki/Troubleshooting but since that site points you to > pagure.io and the links on pagure.io point you back there, I'm not sure where > to look for

[SSSD-users] Re: 'no primary group ID provided' when trying to use ldap mode against AD

2017-04-24 Thread Jakub Hrozek
On Mon, Apr 24, 2017 at 06:45:20PM -, maar...@datastorm.nl wrote: > Hello, > > I am desperately looking for a working sssd.conf file for LDAP AD interaction. > Is the working sssd.conf from Daniel Hermans somewhere to be found? It looks like he just added: ldap_user_primary_group =

[SSSD-users] Re: case sensitivity

2017-04-25 Thread Jakub Hrozek
On Mon, Apr 24, 2017 at 07:18:17PM +, Galen Johnson wrote: > Hey, > > > I have a question about email logins and case sensitivity. If you configure > sssd to allow logins by email, can you set it up to be case insensitive yet > still require normal account logins to be case sensitive? We

[SSSD-users] Re: SSSD Packet Capture Samples

2017-07-29 Thread Jakub Hrozek
> On 28 Jul 2017, at 12:39, Lukas Slebodnik wrote: > > On (27/07/17 15:30), Tom Peterson wrote: >> Hi All, >> >> First off thank you for all the hard work put into SSSD! It's been a great >> piece of software to work with and seems like it has a configuration >> setting

[SSSD-users] Re: Unable to login to my kerberos realm

2017-08-02 Thread Jakub Hrozek
On Wed, Aug 02, 2017 at 11:07:08AM -0400, Louis Garcia wrote: > On Wed, Aug 2, 2017 at 8:54 AM, Jakub Hrozek <jhro...@redhat.com> wrote: > > > On Wed, Aug 02, 2017 at 02:43:35PM +0200, Jakub Hrozek wrote: > > > On Wed, Aug 02, 2017 at 09:46:43AM +0200, Lukas Slebodnik

[SSSD-users] Re: Unable to login to my kerberos realm

2017-08-02 Thread Jakub Hrozek
On Wed, Aug 02, 2017 at 09:46:43AM +0200, Lukas Slebodnik wrote: > On (02/08/17 09:43), Jakub Hrozek wrote: > >On Tue, Aug 01, 2017 at 04:46:32PM -0400, Louis Garcia wrote: > >> In fedora 26 where should sssd.conf live? /etc/sssd/ or /etc/sssd/conf.d/ > >> ?? > >

[SSSD-users] Re: Unable to login to my kerberos realm

2017-08-02 Thread Jakub Hrozek
On Wed, Aug 02, 2017 at 02:43:35PM +0200, Jakub Hrozek wrote: > On Wed, Aug 02, 2017 at 09:46:43AM +0200, Lukas Slebodnik wrote: > > On (02/08/17 09:43), Jakub Hrozek wrote: > > >On Tue, Aug 01, 2017 at 04:46:32PM -0400, Louis Garcia wrote: > > >> In fedora 26 whe

[SSSD-users] Re: SSSD Packet Capture Samples

2017-08-07 Thread Jakub Hrozek
lore this next. > I should be able to find some time this week to generate some pcap files for > this and I will send you an update once I've got another set of captures! > Really glad that we can add something that might help!!! > > Thanks for taking a look at these! > >

[SSSD-users] Re: Unable to login to my kerberos realm

2017-08-07 Thread Jakub Hrozek
> On 2 Aug 2017, at 20:43, Louis Garcia <louisg...@gmail.com> wrote: > > On Wed, Aug 2, 2017 at 11:42 AM, Jakub Hrozek <jhro...@redhat.com > <mailto:jhro...@redhat.com>> wrote: > On Wed, Aug 02, 2017 at 11:07:08AM -0400, Louis Garcia wrote: > > On Wed, Aug

[SSSD-users] Re: AD parent child issues

2017-08-07 Thread Jakub Hrozek
> On 3 Aug 2017, at 10:22, Tristan Bouillon > wrote: > > Thanks for your time guys. > > Looking through sssd stuff I almost forgot my main goal was to ssh to a server. > I did a little test with ssh, server and user in the same domain. > > If I do: > $ ssh

[SSSD-users] Re: AD parent child issues

2017-08-07 Thread Jakub Hrozek
ll try to give a quick look to use only short names in my > trusted domains. I think I saw something on that, domain resolution > order, but this is in the next sssd version. > > On 7 August 2017 at 17:25, Jakub Hrozek <jhro...@redhat.com> wrote: >> >> On 3 Aug 2017, at

[SSSD-users] Re: Need help with debugging curious SSSD/LDAP problem that only affects certain users.

2017-08-20 Thread Jakub Hrozek
On Fri, Aug 18, 2017 at 01:04:37PM -0400, Mark London wrote: > Hi - The old server is gone, so I can't test it. Yes, the DN contains a > space and comma for everybody, i.e. last name, first name. Right, but then it doesn't constitute a pattern of failing users vs. passing users right? > > I

[SSSD-users] Re: How often does ldap cache clear?

2017-08-18 Thread Jakub Hrozek
On Thu, Aug 17, 2017 at 03:36:20PM +1000, Lachlan Musicman wrote: > We use FreeIPA/SSSD to authenticate our RStudio Server, which we control > via HBAC membership of an AD group. > > Our users are having their sessions ended frequently - once a day or more - > with the logged message > > 17 Aug

[SSSD-users] Re: Need help with debugging curious SSSD/LDAP problem that only affects certain users.

2017-08-18 Thread Jakub Hrozek
On Thu, Aug 17, 2017 at 10:04:08PM -0400, Mark London wrote: > Hi all - Sorry to bother you with this problem that I've been working all > day to fix. I've been using SSSD on Redhat for many years, using LDAP to > authenticate a Windows domain. With a new server with Redhat 7, I'm seeing >

[SSSD-users] Re: SSSD user mailing list: Unable to login to my kerberos realm

2017-08-18 Thread Jakub Hrozek
On Fri, Aug 18, 2017 at 08:42:34AM +0200, Lukas Slebodnik wrote: > On (17/08/17 12:38), Louis Garcia wrote: > >Sorry to mail you directly but I think the sssd user mailing list is not > >accepting my emails. I replied twice to this thread yesterday and both > >bounced. > > > > I have no idea why

[SSSD-users] Re: Need help with debugging curious SSSD/LDAP problem that only affects certain users.

2017-08-18 Thread Jakub Hrozek
Aug 18, 2017, at 4:05 AM, Jakub Hrozek <jhro...@redhat.com> wrote: > > > >> On Thu, Aug 17, 2017 at 10:04:08PM -0400, Mark London wrote: > >> Hi all - Sorry to bother you with this problem that I've been working all > >> day to fix. I've been using SSSD

[SSSD-users] Re: sAMAccountName with gid in requests

2017-05-18 Thread Jakub Hrozek
On Mon, May 15, 2017 at 01:15:33PM +0200, Sébastien QUESSON wrote: > Hi, on sssd 1.13.4-1ubuntu1.5: > looking at sssd_domain.tls.log with debug level 9, I can see many wrong group > requests. > > After flushing ssd cache and restarting: > [sdap_get_generic_ext_step] (0x0400): calling

[SSSD-users] Re: login hangs with enumerate = true

2017-06-12 Thread Jakub Hrozek
On Mon, Jun 12, 2017 at 01:53:27PM +, Joakim Tjernlund wrote: > On Sun, 2017-06-11 at 20:55 +0200, Jakub Hrozek wrote: > > On Sat, Jun 10, 2017 at 07:56:47AM +, Joakim Tjernlund wrote: > > > On Sat, 2017-06-10 at 08:24 +0200, Jakub Hrozek wrote: > > > > On F

[SSSD-users] Re: Inconsistent group membership

2017-06-12 Thread Jakub Hrozek
On Mon, Jun 12, 2017 at 12:20:24PM +, Ondrej Valousek wrote: > Hi, > > For some users I experience inconsistent group membership, i.e. "getent group > G" does not list user U as a member, but "id -a U" command shows the group G. > Is that normal or a known issue? This can be normal,

[SSSD-users] Re: login hangs with enumerate = true

2017-06-12 Thread Jakub Hrozek
On Mon, Jun 12, 2017 at 03:32:22PM +, Joakim Tjernlund wrote: > On Mon, 2017-06-12 at 16:01 +0200, Jakub Hrozek wrote: > > On Mon, Jun 12, 2017 at 01:53:27PM +, Joakim Tjernlund wrote: > > > On Sun, 2017-06-11 at 20:55 +0200, Jakub Hrozek wrote: > > > > On S

[SSSD-users] Re: login hangs with enumerate = true

2017-06-12 Thread Jakub Hrozek
On Mon, Jun 12, 2017 at 03:21:43PM +, Joakim Tjernlund wrote: > On Mon, 2017-06-12 at 16:01 +0200, Jakub Hrozek wrote: > > On Mon, Jun 12, 2017 at 01:53:27PM +, Joakim Tjernlund wrote: > > > On Sun, 2017-06-11 at 20:55 +0200, Jakub Hrozek wrote: > > > > On S

[SSSD-users] Re: login hangs with enumerate = true

2017-06-12 Thread Jakub Hrozek
On Mon, Jun 12, 2017 at 03:38:28PM +, Joakim Tjernlund wrote: > On Mon, 2017-06-12 at 17:32 +0200, Joakim Tjernlund wrote: > > On Mon, 2017-06-12 at 16:01 +0200, Jakub Hrozek wrote: > > > On Mon, Jun 12, 2017 at 01:53:27PM +, Joakim Tjernlund wrote: > > > >

[SSSD-users] Re: autofs NFS v4.1 no longer working

2017-06-19 Thread Jakub Hrozek
On Mon, Jun 19, 2017 at 05:03:24PM +, Thomas Beaudry wrote: > Hi Folks. > > I have sssd managing autofs to mount some nfs share with v 4.1. Up until > recently it has worked flawlessly, but now it isn't working on one of my > machines. The username and group, is being shown as:

[SSSD-users] Re: autofs NFS v4.1 no longer working

2017-06-19 Thread Jakub Hrozek
On Mon, Jun 19, 2017 at 06:10:39PM +, Thomas Beaudry wrote: > Hi, > > Well now it is working all of a sudden, and it was only that 1 machine. Very > odd. I bumped up the debug level so if it happens again I will have > something to look at then. > > I do see this message: > > > (Mon

[SSSD-users] Re: kerberos ticket not renewed in 15.2/master

2017-05-23 Thread Jakub Hrozek
On Tue, May 23, 2017 at 01:03:49PM +, Joakim Tjernlund wrote: > On Tue, 2017-05-23 at 11:40 +0200, Lukas Slebodnik wrote: > > On (23/05/17 09:19), Joakim Tjernlund wrote: > > > On Tue, 2017-05-23 at 11:07 +0200, Lukas Slebodnik wrote: > > > > On (23/05/17 08:39), Joakim Tjernlund wrote: > > >

[SSSD-users] Re: kerberos ticket not renewed in 15.2/master

2017-05-18 Thread Jakub Hrozek
On Thu, May 18, 2017 at 11:40:18AM -0400, Striker Leggette wrote: > I can understand the first unlock from waking up from sleep. For the > second, bump your debug_level in sssd.conf up to 7 and then check to see if > you have any "Got request" lines in /var/log/sssd/sssd_domain.log for the >

[SSSD-users] Re: SSSD list allowed users only

2017-05-29 Thread Jakub Hrozek
On Sat, May 27, 2017 at 07:30:29PM +0200, Lukas Slebodnik wrote: > On (27/05/17 04:29), Ali, Saqib wrote: > >Hi Lukas, > > > >We don't have freeipa. Is it possible to do host based access control using > >just ldap and sssd? > > > HBAC is implemented only with access_provider ipa. > GPO is

[SSSD-users] Re: 1.15.3/1.16 release timeframe?

2017-05-31 Thread Jakub Hrozek
On Wed, May 31, 2017 at 08:19:56AM +1000, Lachlan Musicman wrote: > Hi all, > > I noticed a while ago that 1.15.3 was versioned in the repo but I've not > seen anything released? I'm mostly looking on the COPR > ( >

[SSSD-users] Re: 1.15.3/1.16 release timeframe?

2017-05-31 Thread Jakub Hrozek
On Wed, May 31, 2017 at 10:09:26AM +0200, Lukas Slebodnik wrote: > On (31/05/17 08:19), Lachlan Musicman wrote: > >Hi all, > > > >I noticed a while ago that 1.15.3 was versioned in the repo but I've not > >seen anything released? I'm mostly looking on the COPR > >( >

[SSSD-users] Re: Is there any way to disable dns lookup or set different dns server.

2017-06-15 Thread Jakub Hrozek
On Thu, Jun 15, 2017 at 08:35:59AM -, Rishat Teregulov wrote: > All logs too big > https://contattafiles.s3-us-west-1.amazonaws.com/tnt3511/wqtpj4q4fAwIX3p/sssd.logs I see: (Thu Jun 15 08:34:24 2017) [sssd[be[AD.DOMAIN.EXAMPLE]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: Unspecified GSS

[SSSD-users] Re: Is there any way to disable dns lookup or set different dns server.

2017-06-15 Thread Jakub Hrozek
On Thu, Jun 15, 2017 at 06:39:30AM -, Rishat Teregulov wrote: > Is there any way to fully disable dns server lookup Just set the ad_server option: ad_server, ad_backup_server (string) The comma-separated list of hostnames of the AD servers to which SSSD should connect in

[SSSD-users] Re: Is there any way to disable dns lookup or set different dns server.

2017-06-15 Thread Jakub Hrozek
On Thu, Jun 15, 2017 at 08:03:39AM -, Rishat Teregulov wrote: > Sorry, forgot to mention. > Already done this. > Here is my sssd.conf Did you take a look into the logs to see which servers are being autodiscovered? > [sssd] > domains = AD.DOMAIN.EXAMPLE > config_file_version = 2 > services =

[SSSD-users] Re: login hangs with enumerate = true

2017-06-10 Thread Jakub Hrozek
On Fri, Jun 09, 2017 at 04:28:45PM +, Joakim Tjernlund wrote: > both 1.15.2 and git master hangs after less than 24 hour on > a server. > > I can see this repeating the domain log: > > (Fri Jun  9 18:21:49 2017) [sssd[be[infinera.com]]] [orderly_shutdown] > (0x0010): SIGTERM: killing

[SSSD-users] Re: login hangs with enumerate = true

2017-06-11 Thread Jakub Hrozek
On Sat, Jun 10, 2017 at 07:56:47AM +, Joakim Tjernlund wrote: > On Sat, 2017-06-10 at 08:24 +0200, Jakub Hrozek wrote: > > On Fri, Jun 09, 2017 at 04:28:45PM +, Joakim Tjernlund wrote: > > > both 1.15.2 and git master hangs after less than 24 hour on > > > a ser

[SSSD-users] Re: login hangs with enumerate = true

2017-06-12 Thread Jakub Hrozek
On Mon, Jun 12, 2017 at 08:29:29AM +, Joakim Tjernlund wrote: > On Mon, 2017-06-12 at 09:19 +0100, John Hodrien wrote: > > On Sun, 11 Jun 2017, Jakub Hrozek wrote: > > > > > Oh, sure. The other alternative might be to mount the cache to tmpfs. > > >

[SSSD-users] Re: login hangs with enumerate = true

2017-06-13 Thread Jakub Hrozek
On Tue, Jun 13, 2017 at 12:34:41PM +, Joakim Tjernlund wrote: > > timeout = 30 in domain section SEEMS to help, no problem since yesterday. > > What did I really do here? > > > > However, now I see that getent group/getent group is incomplete, > members are missing. > And it varies between

[SSSD-users] Re: login hangs with enumerate = true

2017-06-13 Thread Jakub Hrozek
On Tue, Jun 13, 2017 at 12:12:05PM +, Joakim Tjernlund wrote: > > It is now :) was in the wrong section before > > timeout = 30 in domain section SEEMS to help, no problem since yesterday. > What did I really do here? There is a ticket to document this better already but tl;dr there is a

[SSSD-users] Re: login hangs with enumerate = true

2017-06-14 Thread Jakub Hrozek
On Tue, Jun 13, 2017 at 06:18:24PM +, Joakim Tjernlund wrote: > On Tue, 2017-06-13 at 17:59 +0200, Jakub Hrozek wrote: > > On Tue, Jun 13, 2017 at 12:34:41PM +, Joakim Tjernlund wrote: > > > > timeout = 30 in domain section SEEMS to help, no problem since > >

[SSSD-users] Re: login hangs with enumerate = true

2017-06-14 Thread Jakub Hrozek
On Tue, Jun 13, 2017 at 06:21:28PM +, Joakim Tjernlund wrote: > On Tue, 2017-06-13 at 18:01 +0200, Jakub Hrozek wrote: > > On Tue, Jun 13, 2017 at 12:12:05PM +, Joakim Tjernlund wrote: > > > > It is now :) was in the wrong section before > > > > > >

[SSSD-users] Re: SSSD: Cross Forest AD Trust with sssd-ad provider

2017-06-13 Thread Jakub Hrozek
On Tue, Jun 13, 2017 at 02:07:02PM +0100, Tony Barganski wrote: > H Jakub Hrozek > > I also have a use case for this. My situation is that we are building out > Linux Server environments in AWS cloud for SAP clients and want a way to have > centralised accounts for our engi

[SSSD-users] Re: Looking for wiki page

2017-05-01 Thread Jakub Hrozek
On Mon, May 01, 2017 at 03:06:02PM -, s.ques...@alkante.com wrote: > Hi, > please I searched in cached page, but I'm unable to access that documentation > that seems important to me. > Could you provide me an archive of this page? >

[SSSD-users] Re: SSSD & POSIX attrs in GC

2017-05-05 Thread Jakub Hrozek
On Fri, May 05, 2017 at 11:02:44AM +, Ondrej Valousek wrote: > Hi all, > > Simple question: > In case we not use ldap_id_mapping, does SSSD require posix attrs in GC or > not? Not require, but would open a connection to each domain DC instead of just a single connection to a GC.

[SSSD-users] Re: Fwd: SSS sudoers and Ubuntu 16.04

2017-05-04 Thread Jakub Hrozek
I'm sorry I didn't notice this mail in the moderation queue sooner.. On Mon, May 01, 2017 at 05:21:55PM -0500, Clayton Daley wrote: > Good Morning, > > We're doing some tests on Ubuntu 16.04 before upgrading and I'm having an > issue with sss (ldap) sudoers. On 14.04, everything works: > >

[SSSD-users] Re: Cannot log in via ssh due to sssd_pam system_error

2017-09-08 Thread Jakub Hrozek
First, I’m sorry your mail was stuck in moderation for so long. We receive large amount of spam lately and legitimate mails sometimes slip.. Second, you need to look into the domain logs and/or the child helpers (krb5_child, gpo_child) because that’s what emits the error. Please see

[SSSD-users] Re: SSSD Group ID Mismatch

2017-08-30 Thread Jakub Hrozek
> On 29 Aug 2017, at 16:27, Mukund wrote: > > Hi > > I am trying to configure SSSD in all the datanodes and namenodes on a HDP > cluster. Following is my config. > > The local group id and LDAP group id created by SSSD are conflicting because > of which certain

[SSSD-users] Re: sssd-ad on centos 7

2017-09-11 Thread Jakub Hrozek
On Mon, Sep 11, 2017 at 12:23:26PM +0100, John Beranek wrote: > On 1 September 2017 at 15:54, Lukas Slebodnik wrote: > > > > On (01/09/17 09:33), William Edsall wrote: > > >Had a few communications with Michal but we're still stuck. > > > > > >One issue is that we have dozens

[SSSD-users] Re: millisecond time stamps

2017-09-06 Thread Jakub Hrozek
I agree and I was pondering this for a long time but I could never think of a reasonable way that wouldn’t be too intrusive. The only way I could think of was to have a structure that would be used as a parent context of tevent requests inside SSSD and internally track request nesting. But

[SSSD-users] Re: sssd-ad on centos 7

2017-09-13 Thread Jakub Hrozek
On Tue, Sep 12, 2017 at 06:06:19PM +0100, John Beranek wrote: > On 12 September 2017 at 18:03, John Beranek wrote: > > On 12 September 2017 at 17:59, John Beranek wrote: > >> On 11 September 2017 at 14:28, Jakub Hrozek wrote: > >>> On Mon, Sep 11, 2017 at 12:23:

[SSSD-users] Re: SSSD + database

2017-09-24 Thread Jakub Hrozek
> On 22 Sep 2017, at 15:06, Galen Johnson wrote: > > Hey, > > Pretty sure the answer is no but there are some packages that allow you to > set up your systems to use a database as the provider for nss and pam > (libnss_mysql, libpam_mysql)...does sssd support this

[SSSD-users] Re: Unable to get ldap_tls_reqcert to work

2017-10-02 Thread Jakub Hrozek
On Mon, Oct 02, 2017 at 11:39:05AM -0700, Jeff White wrote: > LDAP is working fine. I can query no problems with ldapsearch search, sssd > just won't accept the exact same certificate. Sorry, I should have read the logs before replying. Try adding: ldap_referrals = false to the domain

[SSSD-users] Re: Unable to get ldap_tls_reqcert to work

2017-10-03 Thread Jakub Hrozek
On Mon, Oct 02, 2017 at 07:14:53PM +, Jeff White wrote: > That seems to fix the issue. I'm not sure why, but it does. I guess the > LDAP server could refer to another server or domain by a name not included > in the cert? Even with logging turned way up I could not find any entry > that

[SSSD-users] Re: How often does ldap cache clear?

2017-08-21 Thread Jakub Hrozek
On Mon, Aug 21, 2017 at 10:24:50AM +1000, Lachlan Musicman wrote: > On 18 August 2017 at 17:33, Jakub Hrozek <jhro...@redhat.com> wrote: > > > On Thu, Aug 17, 2017 at 03:36:20PM +1000, Lachlan Musicman wrote: > > > We use FreeIPA/SSSD to authenticate our RStudio Server,

[SSSD-users] Re: SSSD user mailing list: Unable to login to my kerberos realm

2017-08-21 Thread Jakub Hrozek
On Mon, Aug 21, 2017 at 02:53:39PM -0400, Louis Garcia wrote: > On Mon, Aug 21, 2017 at 3:22 AM, Lukas Slebodnik > wrote: > > > On (19/08/17 14:45), Louis Garcia wrote: > > >On Sat, Aug 19, 2017 at 5:01 AM, Lukas Slebodnik > > >wrote: > > > > > >> On

[SSSD-users] Re: User Kerberos lifetime ticket.

2017-09-04 Thread Jakub Hrozek
On Mon, Sep 04, 2017 at 01:06:22PM -0400, Mark London wrote: > Sumit - Thanks for the info. Some of our users do work directly at the > workstation, so I'm glad to hear that they would get a fresh Kerberos > ticket, when they would have to login via the screen saver, on a daily > basis..

[SSSD-users] Re: HBAC rules randomly failing on ubuntu 16.04

2017-10-07 Thread Jakub Hrozek
Does access work from any RHEL/CentOS client? (I’m asking because as long as those are fully patched, all HBAC-related bugs should be fixed there) There was a bug that we fixed in commit 88f6d8ad4eef4b4fa032fd451ad732cf8201b0bf in the sssd-1-13 branch that should help. However, that commit

[SSSD-users] Re: Kerberos Ticket renewal within Samba AD Domain

2017-10-18 Thread Jakub Hrozek
On Wed, Oct 18, 2017 at 10:00:35AM +0200, Michael Löffler wrote: > Dear SSSD Users, > > I have a question regarding the renewal of Kerberos tickets within a Samba > AD. All servers and clients are running Ubuntu 16.04. We have a lot of > Windows clients too; therefore we're using Samba. First of

[SSSD-users] Re: sudo trying to use proxy for auth

2017-10-18 Thread Jakub Hrozek
On Tue, Oct 17, 2017 at 05:15:08PM -0400, Asif Iqbal wrote: > I setup sssd to login with 2 factor auth and it works fine and then I am > failing to sudo with ldap even though id_provider is ldap. > > Here is log from sssd_LDAP when running sudo -s > >http://dpaste.com/36PTMS0.txt > > Here

[SSSD-users] Re: Kerberos Ticket renewal within Samba AD Domain

2017-10-19 Thread Jakub Hrozek
On Thu, Oct 19, 2017 at 11:40:39AM +0200, Michael Löffler wrote: > Hi, > > > Yes, please check man sssd-krb5 and the option that include 'renew' in > > their name, e.g. "krb5_renewable_lifetime". > After reading the manpage, I thought that this only affects auths via krb5 - > however, our

[SSSD-users] Re: shortnames for 2 realms in Centos6

2017-10-19 Thread Jakub Hrozek
On Thu, Oct 19, 2017 at 08:41:42AM +0200, Hampus Lundqvist wrote: > Hello > > I'm searching for a solution to use shortnames for users from both > FreeIPA(4.5) realm and from a Trusted AD realm, I'm using Centos6.9 > which has sssd 1.13. > > I’m doing it for the centos7’s using domain

[SSSD-users] Re: shortnames for 2 realms in Centos6

2017-10-19 Thread Jakub Hrozek
On Thu, Oct 19, 2017 at 07:28:53AM +, Hampus Lundqvist wrote: > Hi. > Ok, thanks for the answer. > I just tested installing the sssd-1.15.3-1.1.el6.x86_64 from the repository > on copr. > It started and seems to work, until I do a service sssd stop. It hangs and > will not stop using the

[SSSD-users] Re: loss of id / i have no name!

2017-10-18 Thread Jakub Hrozek
On Wed, Oct 18, 2017 at 03:37:44PM +, Thomas Beaudry wrote: > Hi, > > > I have repeated issues with users losing their usernames (only being mapped > to their uid / in the terminal it says "i have no name!@host"). It doesn't > happen daily, but it is extremely frustrating because they are

[SSSD-users] Re: what are the causes of Port status of port 389 for server is 'not working'

2017-10-23 Thread Jakub Hrozek
On Mon, Oct 23, 2017 at 10:11:50AM +0200, Jeremy Monnet wrote: > Hi, > > > > On Sat, Oct 21, 2017 at 8:56 PM, Jakub Hrozek <jhro...@redhat.com> wrote: > > > On Fri, Oct 20, 2017 at 04:39:54PM +0200, Jeremy Monnet wrote: > > > Hi, > > > > >

[SSSD-users] Re: [Freeipa-interest] Announcing SSSD 1.16.0

2017-10-23 Thread Jakub Hrozek
On Mon, Oct 23, 2017 at 08:46:08PM +0200, Michael Ströder wrote: > HI! > > Has anything changed with building the man pages? > > I'm asking because I now get formatting markup in the output of man (see > below). No, not that I'm aware of. You render the man pages locally, right, because the

[SSSD-users] Re: [Freeipa-interest] Announcing SSSD 1.16.0

2017-10-23 Thread Jakub Hrozek
On Mon, Oct 23, 2017 at 09:19:21PM +0200, Michael Ströder wrote: > Jakub Hrozek wrote: > > On Mon, Oct 23, 2017 at 08:46:08PM +0200, Michael Ströder wrote: > >> Has anything changed with building the man pages? > >> > >> I'm asking because I now get formatt

[SSSD-users] Re: ad_access_filter question

2017-11-24 Thread Jakub Hrozek
On Fri, Nov 24, 2017 at 10:02:15AM +, Conwell, Nik wrote: > Interesting, thanks. I had tried the simple provider but this didn't > restrict access. Did you look into the logs why it didn't? Did you use a group that showed up in the group list of the "id" command? > Since the docs noted

[SSSD-users] Re: group naming help

2017-11-23 Thread Jakub Hrozek
On Mon, Nov 20, 2017 at 09:29:06AM -0700, Zane Zakraisek wrote: > Hi, I'm looking at migrating my Red Hat 7.4 machines off nslcd and onto > sssd. > > I've got a very simple sssd.conf here running SSSD 1.15.2. > > [sssd] > domains = my.domain > config_file_version = 2 > services = nss, pam > >

[SSSD-users] Re: ad_access_filter question

2017-11-23 Thread Jakub Hrozek
On Wed, Nov 22, 2017 at 07:56:57PM +, Conwell, Nik wrote: > Hi all, I'm jumping in to using sssd-ad here at BU. I'm able to domain join > a CentOS7 and pull our AD entries successfully but am having troubles with > ad_access_filter to restrict access to a group. > > Due to FERPA

[SSSD-users] Re: Ubuntu Xenial failures

2017-12-19 Thread Jakub Hrozek
On Mon, Dec 18, 2017 at 10:51:55PM +, Jay McCanta wrote: > We found out it has to do with GPO. With > ad_gpo_access_control = enforcing > > we get failures (system error 4 with no indication in the logs it was GPO in > any way). > > ad_gpo_access_control = permissive > > and all is well.

[SSSD-users] Re: Passwordless SUDO commands in AD

2017-12-19 Thread Jakub Hrozek
On Mon, Dec 18, 2017 at 11:11:25PM +, Max DiOrio wrote: > Hey guys? Any thoughts on this? It's impacting our production environment. > > Thanks! I think Pavel's reply must have missed you, I think we still need the logs he requested:

[SSSD-users] Re: Suggested workarounds for stale kdcinfo.REALM cache file?

2017-11-17 Thread Jakub Hrozek
On Fri, Nov 17, 2017 at 07:43:15PM +, Mark Ignacio wrote: > Hey folks, > > During an internal reliability test, we recently found out that > /var/lib/sss/pubconf/kdcinfo.${REALM} stays static even when the IP > cached there is unreachable or down. During the test, kinit failed > consistently

[SSSD-users] Re: AD auth with multiple domains

2017-11-17 Thread Jakub Hrozek
I'm sorry for the late reply, but we've all been busy finishing work on a RHEL update. On Mon, Oct 23, 2017 at 10:29:13AM +0200, Jeremy Monnet wrote: > Hi, > > I am trying to setup an authentication against Active Directory, with > multiple domains, and I haven't been able to find the

[SSSD-users] Re: id -G user only showing primary group

2017-11-17 Thread Jakub Hrozek
On Tue, Oct 31, 2017 at 10:57:23AM -0600, Jeff Sadowski wrote: > (Tue Oct 31 10:16:44 2017) [sssd[be[mind.unm.edu]]] [ad_sasl_log] > (0x0040): SASL: GSSAPI Error: Unspecified GSS failure. Minor code may > provide more information (Server not found in Kerberos database) > (Tue Oct 31 10:16:44

[SSSD-users] Re: what are the causes of Port status of port 389 for server is 'not working'

2017-11-17 Thread Jakub Hrozek
On Wed, Oct 25, 2017 at 03:43:14PM +0200, Jeremy Monnet wrote: > Hi, > > On Tue, Oct 24, 2017 at 10:03 PM, Jakub Hrozek <jhro...@redhat.com> wrote: > > > > > > > On these 2 servers, authentication works for testu...@sub1.example.com. > > I >

[SSSD-users] Re: Change LDAP-Filter for SSSD

2017-11-17 Thread Jakub Hrozek
On Thu, Nov 02, 2017 at 07:06:59PM +0100, Stefan Kania wrote: > Am 02.11.2017 um 17:00 schrieb Mario Rossi: > > If using own objectclass, I would think you will use custom attributes ? > > > > ldap_group_member = *hMemberDN* > > ldap_user_member_of = *description* > > This is what I did now.

[SSSD-users] Re: shortnames for 2 realms in Centos6

2017-11-11 Thread Jakub Hrozek
No, I’m afraid there will be only a number of patches for bug fixes, no RFEs and no rebase.. > On 11 Nov 2017, at 20:46, Grigory Trenin wrote: > > Hi Jakub, > > Is there a chance that SSSD is rebased to 1.15.3 in RHEL6/Centos6? > Maybe in 6.10? > I'm also missing this nice

[SSSD-users] Re: net groups with IPA

2017-11-08 Thread Jakub Hrozek
Pavel, does this sound like the bug you were looking at wrt sudo lately? On Wed, Nov 08, 2017 at 09:46:25PM +, Charles Hedrick wrote: > Netapp wants the domain field to be blank. That leaves us a problem that’s > hard to solve. > > On Nov 8, 2017, at 4:41 PM, Charles Hedrick >

[SSSD-users] Re: Info message customization

2017-12-11 Thread Jakub Hrozek
On Mon, Dec 11, 2017 at 08:45:25AM -, Иван Мастренко wrote: > Hello! > Can I customize format of Info message about password expiration? > > Now, I get this message: > > login as: myldapuser > myldapuser@myterminalhost's password: > Your password will expire in 5 day(s). > Last login: Mon

[SSSD-users] Re: Multiple skel dir (one per domain)

2017-12-10 Thread Jakub Hrozek
skel_dir is only valid for domain types with id_provider=local For any other provider except local, sssd doesn’t create the homedir, it just returns the homedir value. So any tuning of the skeldir would have to be done on the side that creates the home directory (pam_mkhomedir or such..) > On

[SSSD-users] Re: what are the causes of Port status of port 389 for server is 'not working'

2017-10-24 Thread Jakub Hrozek
On Mon, Oct 23, 2017 at 06:47:53PM +0200, Jeremy Monnet wrote: > On Mon, Oct 23, 2017 at 4:55 PM, Jeremy Monnet wrote: > > > > >> This sounds wrong: > >> [sdap_kinit_send] (0x0400): Attempting kinit (default, > >> host/.., ., 86400) > >> with AD, you normally want to use

[SSSD-users] Re: [SSSD] Re: [Freeipa-interest] Announcing SSSD 1.16.0

2017-10-24 Thread Jakub Hrozek
On Mon, Oct 23, 2017 at 09:33:11PM +0200, Michael Ströder wrote: > Jakub Hrozek wrote: > > On Mon, Oct 23, 2017 at 09:19:21PM +0200, Michael Ströder wrote: > >> Jakub Hrozek wrote: > >>> On Mon, Oct 23, 2017 at 08:46:08PM +0200, Michael Ströder wrote: > >>

[SSSD-users] Re: loss of id / i have no name!

2017-10-24 Thread Jakub Hrozek
On Mon, Oct 23, 2017 at 02:20:13PM +, Thomas Beaudry wrote: > Hi, > > The user is: j_huc uid: 891461586 (I'm sorry about the delay) Yes, that ID appears to have some issues: (Fri Oct 20 14:04:27 2017) [sssd[be[domain.ca]]] [be_get_account_info] (0x0200): Got request for

[SSSD-users] Re: what are the causes of Port status of port 389 for server is 'not working'

2017-10-21 Thread Jakub Hrozek
On Fri, Oct 20, 2017 at 04:39:54PM +0200, Jeremy Monnet wrote: > Hi, > > I have that error message that I do not understand, because I have 2 ubuntu > servers setup the same way (but 1 ubuntu 14.04 and 1 ubuntu 16.04). Ubuntu > 14 is working fine, I can authenticate and sudo just fine, Ubuntu 16

[SSSD-users] Re: Kerberos Ticket renewal within Samba AD Domain

2017-10-21 Thread Jakub Hrozek
On Thu, Oct 19, 2017 at 01:01:18PM +0200, Michael Löffler wrote: > Thanks for your answers! > > > > > Yes, please check man sssd-krb5 and the option that include 'renew' in > > > > their name, e.g. "krb5_renewable_lifetime". > > > After reading the manpage, I thought that this only affects auths

[SSSD-users] Re: loss of id / i have no name!

2017-10-21 Thread Jakub Hrozek
On Fri, Oct 20, 2017 at 07:35:02PM +, Thomas Beaudry wrote: > Hi, > > Here is the sssd domain log: > https://drive.google.com/open?id=0B5ihYtqDQffzaUpERnkyNHlZamM > > The crash occurred between today (Friday Oct 20 2;14-2:17pm) I'm sorry, but I don't see anything outright wrong. There are

[SSSD-users] Re: Passwordless SUDO commands in AD

2017-12-20 Thread Jakub Hrozek
On Tue, Dec 19, 2017 at 05:27:02PM -0500, Max DiOrio wrote: > Hey Jakub, > > I sent a response almost immediately - which is why I followed up when I > hadn't heard back. You guys normally respond quickly. Ahh, sorry about that, it's my fault. The mail got stuck in the moderation queue and I

[SSSD-users] Re: How to do cross-subdomain user authentication by short name (among trusted AD subdomains) since sssd-ad 1.15.3?

2018-05-14 Thread Jakub Hrozek
> On 13 May 2018, at 22:44, Spike White wrote: > > > > > Sssd aficionados, > > It is with great interest that I read the announcement of SSSD version 1.15.3. > >

[SSSD-users] Re: Cache flushing after password change

2018-05-09 Thread Jakub Hrozek
> On 9 May 2018, at 11:30, JOHE (John Hearns) wrote: > > I know I could look this one up in the docs somewhere... > If I have a Linux workstation which is using AD for the authentication > provider. > If I change my password using a Windows machine, what then happens when

[SSSD-users] Re: System is busy - mouse and keyboard not useable

2018-05-09 Thread Jakub Hrozek
> On 9 May 2018, at 11:27, JOHE (John Hearns) wrote: > > I have set up sssd authentication on a Ubuntu Xenial workstation, with the > Lightdm windowing manager. > > When the sssd service starts the sssd_be process is taking 100% CPU. I am not > that concerned with this. >

[SSSD-users] Re: Segfault in COPR sssd 1.16.1-2 after upgrade to CentOS 7.5 from 7.4

2018-05-11 Thread Jakub Hrozek
On Fri, May 11, 2018 at 06:32:46PM +1000, Lachlan Musicman wrote: > I'll wait :) I've only deployed to dev servers, so being broken is not a > problem/urgent rush. Can you file a bug upstream so that we remember to rebuild the repo?

[SSSD-users] Re: How to do cross-subdomain user authentication by short name (among trusted AD subdomains) since sssd-ad 1.15.3?

2018-05-15 Thread Jakub Hrozek
Mon May 14 11:38:01:294090 2018) [sssd] [confdb_get_domains] (0x0010): Error > (2 [No such file or directory]) retrieving domain [apac.company.com], > skipping! > > But if I use: > > [domain/amer.company.com] > ... > > [domain/apac.company.com] > ... > > All works

[SSSD-users] Re: managing RHEL5 sssd clients without functional ldap_id_mapping?

2018-05-21 Thread Jakub Hrozek
> On 18 May 2018, at 18:46, James Ralston wrote: > > We have a small development Active Directory domain where we have > several RHEL7 hosts. > > We never extended our AD schema with the RFC2307 attributes > (uidNumber, gidNumber, et. al.). Instead, we just configured sssd

[SSSD-users] Re: Files provider - does not start properly ?

2018-06-12 Thread Jakub Hrozek
Yes, just please make sure they don’t contain some confidential data (host names etc..) > On 12 Jun 2018, at 10:09, JOHE (John Hearns) wrote: > > Hi Jakub. I have the logs available. What is the best way to upload? > I guess just attach them here as a reply! > From: Jakub Hro

[SSSD-users] Re: id username works on ubuntu xenial, but fails on ubuntu trusty

2018-06-08 Thread Jakub Hrozek
On Wed, Jun 06, 2018 at 03:43:18PM -0400, Asif Iqbal wrote: > I can `*id axisys*` and it *works* fine with ubuntu xenial running *sssd > version 1.13.4* but *failing* on ubuntu trusty running *sssd version 1.11.8* > > I have the same *sssd.conf* and *nsswitch.conf* on both servers and I also >

[SSSD-users] Re: Refreshing tickets with msktutil

2018-06-08 Thread Jakub Hrozek
On Fri, Jun 08, 2018 at 12:33:05PM +, JOHE (John Hearns) wrote: > sssd version 1.15.0 running on Ubuntu Xenial. > In my setup sssd is not automatically refreshing computer account tickets > after 30 days, for some reason. Does the machine that is not refreshing the tickets have adcli

[SSSD-users] Announcing SSSD 1.16.2

2018-06-08 Thread Jakub Hrozek
old object instead of merging it * tlog: only log in tcurl_write_data when SSS_KCM_LOG_PRIVATE_DATA is set to YES

[SSSD-users] Re: id username works on ubuntu xenial, but fails on ubuntu trusty

2018-06-08 Thread Jakub Hrozek
On Fri, Jun 08, 2018 at 01:10:36PM -0400, Asif Iqbal wrote: > On Fri, Jun 8, 2018 at 9:25 AM, Jakub Hrozek wrote: > > > On Wed, Jun 06, 2018 at 03:43:18PM -0400, Asif Iqbal wrote: > > > I can `*id axisys*` and it *works* fine with ubuntu xenial running *sssd > > >
