[SSSD-users] Re: Announcing SSSD 1.16.2

2018-06-12 Thread Jakub Hrozek
On Tue, Jun 12, 2018 at 07:46:55PM +0200, Sumit Bose wrote: > > > Hi, > > > > > > please try to add the following patch and then to build SSSD again: > > > > > > diff --git a/Makefile.am b/Makefile.am > > > index 9539b3c..8e76a03 100644 > > > --- a/Makefile.am > > > +++ b/Makefile.am > > > @@

[SSSD-users] Re: Files provider - does not start properly ?

2018-06-12 Thread Jakub Hrozek
I’m sorry, but I don’t see any attachment.. > On 12 Jun 2018, at 11:15, JOHE (John Hearns) wrote: > > Thank you. Logs are attached. > > > From: Jakub Hrozek > Sent: 12 June 2018 10:28:39 > To: End-user discussions about the System Security Services Daemon > Subj

[SSSD-users] Re: Files provider - does not start properly ?

2018-06-11 Thread Jakub Hrozek
> On 11 Jun 2018, at 16:01, JOHE (John Hearns) wrote: > > I am trying out the files provider with sssd version 16.1 on Ubuntu Xenial. > > In the configuration file I set enable_files_domain = True > > sssd_implicit_files.log then says : > [sssd[be[implicit_files]]] [id_callback]

[SSSD-users] Re: sssd failing to lookup user/group names by ID

2018-06-03 Thread Jakub Hrozek
> On 1 Jun 2018, at 22:10, David Potterveld wrote: > > I'm not sure that we do need it… Then removing the local domain is also a valid workaround for this issue. > I think it was put in the config as a placeholder for old accounts on legacy > systems when deciding on how UID ranges should

[SSSD-users] Re: Nested LDAP groups and filtering

2018-06-04 Thread Jakub Hrozek
> On 2 Jun 2018, at 10:24, Christian Svensson wrote: > > Hi Jakub, > > On Fri, Jun 1, 2018 at 6:52 PM, Jakub Hrozek wrote: > First, I’m sorry that I missed the e-mail in the moderation queue. We get a > fair amount of spam and things sometimes slip through. >

[SSSD-users] Re: Strange behaviour with groups

2018-06-01 Thread Jakub Hrozek
On Fri, Jun 01, 2018 at 11:31:55AM +, JOHE (John Hearns) wrote: > I am seeing some very strange behaviour. > > Very often when I issue the command 'groups username' then only the local > groups in /etc/group are returned. > > Issue the command again then the list with the local groups

[SSSD-users] Re: Strange behaviour with groups

2018-06-01 Thread Jakub Hrozek
so I would look into calls matching “initgr” in the logs. By the way, you mentioned the user is a member of local groups. Is the user also present in passwd or only in LDAP? > > > > On 1 June 2018 at 14:37, Jakub Hrozek wrote: > On Fri, Jun 01, 2018 at 11:31:55AM +, JOHE (Joh

[SSSD-users] Re: sssd failing to lookup user/group names by ID

2018-06-01 Thread Jakub Hrozek
This is a bug that was fixed recently upstream, but not in RHEL/centos yet. Do you actually use the local domain? > On 1 Jun 2018, at 18:47, David Potterveld wrote: > > I'm having an issue with sssd failing to look up user or group names from an > AD provider. The error occurs on both modern

[SSSD-users] Re: Nested LDAP groups and filtering

2018-06-01 Thread Jakub Hrozek
First, I’m sorry that I missed the e-mail in the moderation queue. We get a fair amount of spam and things sometimes slip through. > On 20 May 2018, at 14:23, Christian Svensson wrote: > > Hi sssd-users, > > My LDAP setup contains two bases: > dc=office1,dc=company,dc=tld >

[SSSD-users] CVE-2018-10852: information leak from the sssd-sudo responder

2018-06-25 Thread Jakub Hrozek
=== A security bug in SSSD 1.8 and later = Subject: information leak from the sssd-sudo responder CVE ID: CVE-2018-10852 Summary: The UNIX socket that is used for communication between the sudo utility and the sssd-sudo responder had its permissions set to

[SSSD-users] Re: credentials cache cleared at sssd restart pam_sss + krb5

2018-05-01 Thread Jakub Hrozek
On Tue, May 01, 2018 at 01:53:48PM +0200, cedric hottier wrote: > Dear sssd users, > > I observe that at each sssd start, the credentials cache is cleared. Is it > an expected behavior ? > If yes, is there a parameter to make this caching permanent (or at least > not erased at each sssd restart

[SSSD-users] Re: sssd-users@lists.fedorahosted.org post from ced...@hottier.com requires approval

2018-05-02 Thread Jakub Hrozek
> On 1 May 2018, at 23:30, ad...@fedoraproject.org wrote: > > As list administrator, your authorization is requested for the > following mailing list posting: > >List:sssd-users@lists.fedorahosted.org >From:ced...@hottier.com >Subject: Re: [SSSD-users] Re: credentials cache

[SSSD-users] Re: Server not found in Kerberos database and debug level 11

2018-05-03 Thread Jakub Hrozek
> On 2 May 2018, at 17:54, JOHE (John Hearns) wrote: > > I would appreciate some pointers. > I have a sandbox setup running on VMs. There is an AD controller using the > VM image which Microsoft has available for testing. > I have created a domain called ad.test > > On

[SSSD-users] Re: System Error (4) for passwd users

2018-01-24 Thread Jakub Hrozek
On Wed, Jan 24, 2018 at 06:06:38PM +0100, Franky Van Liedekerke wrote: > On Wednesday, 24-01-2018 at 17:44, Jakub Hrozek wrote: > > On Wed, Jan 24, 2018 at 05:25:26PM +0100, Franky Van Liedekerke wrote: > > > On Wednesday, 24-01-2018 at 16:45, Jakub Hrozek wrote: > > >

[SSSD-users] Re: max_id no longer working

2018-01-24 Thread Jakub Hrozek
On Wed, Jan 24, 2018 at 03:06:58PM +0100, Franky Van Liedekerke wrote: > Hi, > > we saw a lot of queries for uidnumber=4294967295 in our ldap backend > logs (from sssd), so we did as suggested by > > https://access.redhat.com/solutions/2963401 > >

[SSSD-users] Re: System Error (4) for passwd users

2018-01-24 Thread Jakub Hrozek
> [dp_req_done] (0x0400): DP Request [Subdomains #2]: Request handler finished > [0]: Success(Wed Jan 24 08:53:44 2018) > [sssd[be[place.edu]]] [_dp_req_recv] (0x0400): DP Request [Subdomains #2]: > Receiving request data.(Wed Jan 24 08:53:44 2018) [sssd[be[place.edu]]] > [dp_re

[SSSD-users] Re: System Error (4) for passwd users

2018-01-24 Thread Jakub Hrozek
On Wed, Jan 24, 2018 at 05:25:26PM +0100, Franky Van Liedekerke wrote: > On Wednesday, 24-01-2018 at 16:45, Jakub Hrozek wrote: > > On Wed, Jan 24, 2018 at 10:10:11AM -0500, Geoff Goehle wrote: > > > Sorry about the line breaks. Adding "enable_files_domain = false"

[SSSD-users] Re: [Freeipa-users] Getting DP Request [Account #4]: Returning [Internal Error]: 3,5,Group lookup failed

2018-01-31 Thread Jakub Hrozek
See inline.. On Wed, Jan 31, 2018 at 03:23:57AM -0500, TomK wrote: > On 1/31/2018 3:18 AM, TomK via FreeIPA-users wrote: > My bad, did not include sssd-users earlier. :( > > > Hey All, > > > > I'm wondering if anyone came across this error below.  We have two RHEL > > 7.4 servers with SSSD

[SSSD-users] Re: SSSD/AD Issues After 1.14 to 1.15 upgrade in CentOS 7

2018-02-02 Thread Jakub Hrozek
The preferred place is https://pagure.io/SSSD/sssd/new_issue On Fri, Feb 02, 2018 at 05:59:18PM +, Simon Engelbert wrote: > Sure, where is the proper place to file tickets? > > - Simon > On 2018-02-02, 10:20 AM, "Jakub Hrozek" <jhro...@redhat.com> wrote:

[SSSD-users] Re: SSSD/AD Issues After 1.14 to 1.15 upgrade in CentOS 7

2018-02-02 Thread Jakub Hrozek
unt_cache_expiration = 15 > enum_cache_timeout = 120 > entry_cache_nowait_percentage = 50 > entry_cache_nowait_timeout = 28800 > #wmb add if you want to restrict access to a certain group > ldap_group_search_base = DC=DOMAIN,DC=AD > ldap_sasl_authid = host/ser...@domain.ad > #w

[SSSD-users] Re: FreeIPA/SSSD sssd_nss error: The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Fatal]

2018-01-31 Thread Jakub Hrozek
On Wed, Jan 31, 2018 at 12:32:28PM -0600, Anthony Joseph Messina wrote: > In a Fedora 27 FreeIPA-4.6 domain with the following sssd.conf, I regularly > get the following error: > > sssd_nss[2603]: The Data Provider returned an error > [org.freedesktop.sssd.Error.DataProvider.Fatal] > >

[SSSD-users] Re: FreeIPA/SSSD sssd_nss error: The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.Fatal]

2018-01-31 Thread Jakub Hrozek
On Wed, Jan 31, 2018 at 01:56:56PM -0600, Anthony Joseph Messina wrote: > On Wednesday, January 31, 2018 1:45:27 PM CST Jakub Hrozek wrote: > > On Wed, Jan 31, 2018 at 12:32:28PM -0600, Anthony Joseph Messina wrote: > > > In a Fedora 27 FreeIPA-4.6 domain with the foll

[SSSD-users] Re: System error with free-ipa on login

2018-02-15 Thread Jakub Hrozek
The selinux_child failed: (Thu Feb 15 11:18:05 2018) [[sssd[selinux_child[20961 [seuser_needs_update] (0x2000): getseuserbyname: ret: 0 seuser: unconfined_u mls: unknown (Thu Feb 15 11:18:05 2018)

[SSSD-users] Re: ETA release ?

2018-02-19 Thread Jakub Hrozek
On Mon, Feb 19, 2018 at 09:09:09AM +, Joakim Tjernlund wrote: > Seem to recall a new release of sssd was planned some time ago but I > don't see one. Change of plans? To what? No change of plans, we've 'just' been finding more and more regressions. Currently there is only one open -

[SSSD-users] Re: sudo for Active Directory group

2017-12-22 Thread Jakub Hrozek
If you follow https://docs.pagure.org/SSSD.sssd/users/sudo_troubleshooting.html and generate the sssd logs, does that shed some more light? > On 22 Dec 2017, at 14:48, Viktor Ekl wrote: > > Hello. > > Sssd 1.15.2-50 on Centos 7. I'm trying to grant sudo access to

[SSSD-users] Re: sudo for Active Directory group

2017-12-22 Thread Jakub Hrozek
Ah, since you’re using local sudo rules and not stored in AD, I think only the sudo log would be most interesting. Plus, is the user either a member of wheel or linux_admin? (iow, do either of these group show up if you run ‘id’ as the user?) > On 22 Dec 2017, at 15:09, Jakub Hrozek

[SSSD-users] Re: SSD / chown on initial automated installation

2018-01-04 Thread Jakub Hrozek
On Fri, Dec 22, 2017 at 06:45:04PM +0100, Vadim Bulst wrote: > Hi sssd-users, > > i'm using SSSD for the auth on our compute clusters - about 130 nodes in > total. The installation is done by Foreman and Puppet. Most of our clusters > are on CentOS 7.3 and we are planning to upgrade to 7.4 by

[SSSD-users] Re: id: cannot find name for group ID

2018-07-26 Thread Jakub Hrozek
> On 24 Jul 2018, at 22:33, Mario Rossi wrote: > > Should I sanitize the logs and send them over ? > Thank you yes

[SSSD-users] Re: AD user account get Permission denied when trying to login

2018-07-25 Thread Jakub Hrozek
> On 24 Jul 2018, at 05:39, Farshid Mahdavipour wrote: > > (Mon Jul 23 21:59:35 2018) [[sssd[krb5_child[35846 [get_and_save_tgt] > (0x0020): 1544: [-1765328366][Client's credentials have been revoked] > (Mon Jul 23 21:59:35 2018) [[sssd[krb5_child[35846 [map_krb5_error] > (0x0020):

[SSSD-users] Re: SSSD attempts Dyndns updates for loopback address [SEC=UNOFFICIAL]

2018-08-06 Thread Jakub Hrozek
This sounds like a bug. We should never update DNS with loopback addresses and I’m sure we at least had checks in place to prevent this. Can you file a ticket, please? > On 3 Aug 2018, at 08:06, Kosseck, Adam MR wrote: > > UNOFFICIAL > > A number of DHCP linux workstation hosts in our

[SSSD-users] Re: login attributes not being updated

2018-08-06 Thread Jakub Hrozek
SSSD does not update any attributes on its own. Are you sure the users are not logging in with e.g. ssh public key which would bypass AD DCs during authentication completely? > On 3 Aug 2018, at 17:15, Galen Johnson wrote: > > Hey, > > I'm wondering if SSSD might not be updating some of the

[SSSD-users] Re: sssd connecting to two AD domains

2018-08-06 Thread Jakub Hrozek
Are mydomain and mydomain2 coming from a different forest? with id_provider=ad sssd should work fine with domains from the same forest and it should pick the right principal. If it doesn’t and setting ldap_sasl_authid to shortname$@realm, then there must be a bug in the principal selection

[SSSD-users] Re: SSSD setup for authentication against AD using LDAP provider

2018-08-14 Thread Jakub Hrozek
ows it to do. > If so, does it mean that user to be > authenticated has to have enough permissions to do searches in AD via > LDAP? > > Thank you, > Andre > On Thu, Aug 9, 2018 at 1:19 PM Jakub Hrozek wrote: >> >> On Thu, Aug 09, 2018 at 10:06:52AM -0700, Andre Pi

[SSSD-users] Announcing SSSD 1.16.3

2018-08-12 Thread Jakub Hrozek
e fail to save one profile * sdap: respect passwordGracelimit * deskprofile: fix a typo in _get_filename_path() * tests: add tests for ipa_deskprofile_get_filename_path() * util: introduce sss_ssh_print_pubkey() * ssh: make use of sss_ssh_print_pubkey() * sss

[SSSD-users] Announcing SSSD 2.0

2018-08-14 Thread Jakub Hrozek
test_sysdb_domain_resolution_order_ * tests: remove LOCAL_SYSDB_FILE reference from test_sysdb_subdomains * tests: remove LOCAL_SYSDB_FILE reference from common_dom * local: build local provider conditionally * pysss: fix typo in comment * pysss: remove pysss.local *

[SSSD-users] Re: SSSD setup for authentication against AD using LDAP provider

2018-08-09 Thread Jakub Hrozek
On Thu, Aug 09, 2018 at 10:06:52AM -0700, Andre Piwoni wrote: > There does not seem to be much documentation how to make > authentication work without any extras. All I need is a simple > non-anonymous bind using provided credentials without any searches. My > understanding is that I don't need

[SSSD-users] Re: HowTo Handle an AD User rename?

2018-08-20 Thread Jakub Hrozek
I think this was fixed in a later version. With these old versions, just removing the cache should help. > On 15 Aug 2018, at 17:12, Pete Klukowski wrote: > > Hello, > > We have SSSD running on CentOS 7.3 communicating with Active Directory > (Server 2008 R2). > > An AD account (e.g.,

[SSSD-users] Re: SSSD setup for authentication against AD using LDAP provider

2018-08-22 Thread Jakub Hrozek
On Wed, Aug 22, 2018 at 09:42:55AM -0700, Andre Piwoni wrote: > AD allows simple authentication via simple non-anonymous bind with > user credentials > (https://msdn.microsoft.com/en-us/library/cc223499.aspx) and this is > enough to get at least user account information, which includes basic >

[SSSD-users] Re: "groups: cannot find name for group ID #####"

2018-07-23 Thread Jakub Hrozek
On Mon, Jul 23, 2018 at 11:08:54AM -0400, sssdusers.20.retin...@spamgourmet.com wrote: > Unfortunately it seems to not be so easy: > rtadmin@ubt18-test:~$ cat /etc/nsswitch.conf > ... > #passwd: compat systemd sss > #group: compat systemd sss > passwd: files sss > group:

[SSSD-users] Re: Missing group memberships with sssd (when using tokengroups)

2018-07-23 Thread Jakub Hrozek
se_tokengroups = false at domain level, however still > seeing the issue. I use ldap provider. Then tokengroups are not relevant at all, it's an AD provider option primarily. I would suggest to gather the logs (and even better, start a separate thread so the two don't get mixed up..) > > Thank yo

[SSSD-users] Re: problem login in with AD account after joined to the AD domain

2018-07-23 Thread Jakub Hrozek
m_print_data] (0x0100): > newauthtok type: 0 > > (Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_print_data] (0x0100): priv: 1 > > (Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_print_data] (0x0100): cli_pid: > 70882 > > (Mon Jul 23 14:25:37 2018) [sssd[pam]] [pam_pri

[SSSD-users] Re: Missing group memberships with sssd (when using tokengroups)

2018-07-23 Thread Jakub Hrozek
0(amerunixusers),1156(gbl_server_support),2284161(amerserveradministrator),2283573(dfs_gil_sit_auth),1033(amer_server_mgmt),1003(amerlinuxsup) > > this is sssd version 1.16.0 > > Spike > > > Thanks, this is more helpful > > On Thu, Jul 19, 2018 at 4:15 AM Ja

[SSSD-users] Re: 1.16.2 test failure: sss_nss_idmap-tests

2018-07-23 Thread Jakub Hrozek
Unfortunately these tests don’t have an option to raise the debug level so stepping through them with gdb is the only option I’m afraid.. > On 20 Jul 2018, at 20:56, Andreas Hasenack wrote: > > What I figured out so far is that this is a test that is enabled if > you have cmocka installed,

[SSSD-users] Re: Am I blocked on sssd-users mailing list?

2018-07-23 Thread Jakub Hrozek
> On 19 Jul 2018, at 15:37, Spike White wrote: > > All, > > I fear I may be blocked. I responded to an email thread, with an email that > had two small attachments. > > That was wrong. I read the mailing list by-laws and I realize that was > wrong. I will not repeat that offense. As

[SSSD-users] Re: problem login in with AD account after joined to the AD domain

2018-07-23 Thread Jakub Hrozek
> On 22 Jul 2018, at 22:47, Farshid Mahdavipour wrote: > > Hi, > > I have configured sssd.service to authenticate to AD on RHEL 7.5 and i have > successfully joined the rhel machine to AD. > but i cannot login to the machine with the AD account. > > here is the error when i try to login

[SSSD-users] Re: SSSD on CentOS 7 failing to start when connecting to Samba 4.8.3 AD via LDAP

2018-07-23 Thread Jakub Hrozek
> On 23 Jul 2018, at 04:05, Mark Johnson wrote: > > I've been going around in circles with this for days and I'm stuck. I'm > trying to run up a new AD environment with only Samba 4.8.3 servers that > we'll authenticate user server access against via SSSD/LDAP using a simple > bind. All

[SSSD-users] Re: problems with sssd-1.9

2018-07-19 Thread Jakub Hrozek
> On 18 Jul 2018, at 21:13, Laack, Andrea P wrote: > > I have been tasked with joining a number of redhat/centos 5 servers to a > domain. I found sssd-1.9 that would allow id_provider ad. This is Centos > 5.11. Well, the upstream 1.9 had the ad_provider bits, but they are not built by

[SSSD-users] Re: Missing group memberships with sssd (when using tokengroups)

2018-07-19 Thread Jakub Hrozek
eant something else. Internally in SSSD, ldap_schema=ad is a superset of rfc2307bis with some defaults tuned to be AD-specific. And the AD provider really does not expect the schema to be set to anything else, moreover there are some branches in the underlying LDAP provider (the AD provider is a wrapper a

[SSSD-users] Re: sss_override and ssh keys

2018-07-19 Thread Jakub Hrozek
> On 11 Jul 2018, at 15:28, John Hearns wrote: > > I have set up an sss_override for my user account > > johe:*:1234:1234:John Hearns,,,:/home/johe:/bin/bash > > I also have an entry in the local /etc/passwd file. > When I ssh to a server running sssd my ssh key is accepted. > > When I have

[SSSD-users] Re: one user can't be looked up

2018-07-19 Thread Jakub Hrozek
> On 13 Jul 2018, at 00:16, Peter Moody wrote: > > On Wed, Jul 11, 2018 at 12:39 AM Jakub Hrozek wrote: >> >> On Tue, Jul 10, 2018 at 08:14:15PM -0700, Peter Moody wrote: >>> line breaks are in the original logs: >> >> Right, I saw this, but can I

[SSSD-users] Re: Problem with kinit

2018-07-19 Thread Jakub Hrozek
> On 16 Jul 2018, at 11:48, John Hearns wrote: > > I have had my head inside the ldap_child.c source code all morning. > I am getting these errors logged: > > [ldap_child_get_tgt_sync] (0x0100): Using keytab [MEMORY:/etc/krb5.keytab] > [ldap_child_get_tgt_sync] (0x0010): Failed to init

[SSSD-users] Re: Signature for recent downloads

2018-09-10 Thread Jakub Hrozek
Done, the key is now on pgp.mit.edu The full story is that my usual computer died temporarily just as I was about to release the tarballs and my backup didn’t include ~/.gnupg. Oops. So the release was done from another machine where I also created the new keys. > On 8 Sep 2018, at 15:31, Jan

[SSSD-users] Re: sssd id getent and secondary groups in active directory

2018-07-09 Thread Jakub Hrozek
On Mon, Jul 09, 2018 at 01:45:57PM +0200, John Hearns wrote: > One stupid question - is there an easy(ish) way to tell how deep a group > hierarchy exists on a particular site? I don't think so, without trying. However, looking at the code now, the default nesting limit is only two levels deep

[SSSD-users] Re: Missing group memberships with sssd (when using tokengroups)

2018-07-10 Thread Jakub Hrozek
On Mon, Jul 09, 2018 at 03:11:38PM -0500, Spike White wrote: > All, > > Below is a writeup of missing AD groups for accounts when using > tokengroups. When not using tokengroups, sssd is rock solid. > > Yes, most of the missing AD groups are universal or global groups -- but > not all! For

[SSSD-users] Re: one user can't be looked up

2018-07-09 Thread Jakub Hrozek
On Fri, Jul 06, 2018 at 09:02:25AM -0700, Peter Moody wrote: > On Tue, Jul 3, 2018 at 11:45 PM Sumit Bose wrote: > > > > On Thu, Jun 28, 2018 at 07:46:29PM -0700, Peter Moody wrote: > > > are there any logs I can provide to help anyone figure out why this is > > > happening? I've (re-)confirmed

[SSSD-users] Re: sssd id getent and secondary groups in active directory

2018-07-09 Thread Jakub Hrozek
On Fri, Jul 06, 2018 at 01:41:38PM +, Ratliff, John wrote: > > > On Fri, 2018-07-06 at 10:55 +0200, Sumit Bose wrote: > > On Thu, Jul 05, 2018 at 08:09:55PM +, Ratliff, John wrote: > > > > > > > (Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_print_server] > > (0x2000):

[SSSD-users] Re: User accounts from AD domain, sudo rules from LDAP domain

2018-01-21 Thread Jakub Hrozek
> On 19 Jan 2018, at 15:03, Johannes-Ulrich Menzebach > wrote: > > We're currently evaluating moving our CentOS6 Linux workstations and servers > from OpenLDAP to AD, but would like to avoid the AD schema customization > needed to put sudo rules and autofs

[SSSD-users] Re: System Error (4) for passwd users

2018-01-24 Thread Jakub Hrozek
On Tue, Jan 23, 2018 at 07:44:04PM -0500, goe...@gmail.com wrote: > Hi, > > The troubleshooting guide in the docs said to email the list if the System > Error (4) shows up, so I figured I bring this issue up. I'm running sssd > version 1.16.0 on Debian testing and recently encountered a new

[SSSD-users] Re: System Error (4) for passwd users

2018-01-24 Thread Jakub Hrozek
On Wed, Jan 24, 2018 at 10:10:11AM -0500, Geoff Goehle wrote: > Sorry about the line breaks. Adding "enable_files_domain = false" to the > [sssd] section fixed the issue. Just out of curiosity, could I ask what that > does? Its not in the man page. SSSD has a feature which mirrors the

[SSSD-users] Re: Apache/php integration

2018-03-11 Thread Jakub Hrozek
The new API is a C one, currently it’s used by slapi-nis only, I think. I wonder if using the already existing D-Bus API would be an option? I don’t know how good or bad are PHP D-Bus bindings, but looking up the e-mail address works for sure, check out e.g.:

[SSSD-users] Re: Announcing SSSD 1.16.1

2018-03-11 Thread Jakub Hrozek
> On 9 Mar 2018, at 14:45, Joakim Tjernlund <joakim.tjernl...@infinera.com> > wrote: > > On Fri, 2018-03-09 at 13:28 +0100, Jakub Hrozek wrote: >> CAUTION: This email originated from outside of the organization. Do not >> click links or open attachments u

[SSSD-users] Re: Experiencing a bug on users' name and ID

2018-02-28 Thread Jakub Hrozek
I think the next good step would be to show the LDIF and logs of a resolution of a single faulty entry, e.g. 80974 which you used earlier as an example of an entry that doesn’t work. > On 28 Feb 2018, at 01:30, Asif Iqbal wrote: > > > > On Tue, Feb 27, 2018 at 1:12 PM,

[SSSD-users] Re: Multiple logins by the same user at the same host at nearly the exact time

2018-03-13 Thread Jakub Hrozek
> On 13 Mar 2018, at 04:44, Jim Richard wrote: > > result in: > > pam_sss(sshd:account): Access denied for user rundeck: 4 (System error) > > I know this has been an issue in the past per some info I see in places like: > https://access.redhat.com/solutions/1477473 > >

[SSSD-users] Re: Multiple logins by the same user at the same host at nearly the exact time

2018-03-15 Thread Jakub Hrozek
and with this > updated sssd version we started seeing failures. > > > > > > > > > Jim Richard > SYSTEM ADMINISTRATOR III > (646) 338-8905 > > > >> On Mar 13, 2018, at 6:41 AM, Jakub Hrozek <jhro...@redha

[SSSD-users] Announcing SSSD 1.16.1

2018-03-09 Thread Jakub Hrozek
* DESKPROFILE: Use seteuid()/setegid() to delete the profile/user's dir * DESKPROFILE: Set the profile permissions to read-only * PYSSS_MURMUR: Fix [-Wsign-compare] found by gcc * DESKPROFILE: Document it doesn't work when run as unprivileged user * Hristo Venev (1):

[SSSD-users] Re: sssd 1.16.1 wont start, Centos 7.4

2018-04-03 Thread Jakub Hrozek
> On 3 Apr 2018, at 02:24, Lachlan Musicman wrote: > > On 3 April 2018 at 08:23, Lachlan Musicman wrote: > On 29 March 2018 at 20:23, Valentin Fischer wrote: > Permission issue. > > Reinstall sssd-common > > > > I tried this

[SSSD-users] Re: Config for joining AD forest and Kerberos cross-domain authentication

2018-04-06 Thread Jakub Hrozek
> On 6 Apr 2018, at 17:54, Bastian Rosner wrote: > > Unfortunately, users from other domains can't use their Kerberos ticket, only > password works. These users are specifying their domain on login. This all sounds like the issue is not on the SSSD level, but either the

[SSSD-users] Re: sssd-1.16.1 loses POSIX group mapped from AD trusted domain

2018-04-11 Thread Jakub Hrozek
> On 11 Apr 2018, at 17:26, a.miroshniche...@rtk-dc.ru wrote: > > Hi, > > We have AD-trusted FreeIPA environment. > I installed sssd-1.16.1 on IPA servers and client hosts. > Posix user group "ad_app_admins" mapped to app-admins@ADTrustedDomain. > Sometimes AD user fails to login on hosts.

[SSSD-users] Re: AD sudo rules have no values for attributes?

2018-04-05 Thread Jakub Hrozek
> On 5 Apr 2018, at 19:56, Max DiOrio wrote: > > I’m guessing someone was thinking that the group lookup was case sensitive > and entered it both ways to rule that out. I wonder if you know how did they manage to put the duplicate entries into AD? I tried with ADSI edit

[SSSD-users] Re: Automatic parameter update in /etc/sssd/sssd.conf

2018-04-17 Thread Jakub Hrozek
> On 15 Apr 2018, at 18:19, TomK wrote: > > Hey All, > > Is there a way to add or modify parameters in sssd.conf without having to > grep, sed or awk things to get the same thing done? > > I know Ansible / Salt are one way but wondering if there are any IPA / SSSD >

[SSSD-users] Re: sudo rules do not get ALL run-as-user

2018-04-20 Thread Jakub Hrozek
On Fri, Apr 20, 2018 at 01:20:50PM +0200, Dominik George wrote: > [ Not subscribed, please Cc in replies. ] > > Hi, > > we are using sssd 1.15.0 on Debian stretch, for everything including sudo. > > The following LDAP entry… > > dn: cn=%supraadmin,ou=SUDOers,dc=teckids,dc=org > objectClass:

[SSSD-users] Re: sudo rules do not get ALL run-as-user

2018-04-23 Thread Jakub Hrozek
> On 20 Apr 2018, at 14:53, Dominik George wrote: > > Hi, > >>>(root) ALL >>> >>> …even if I add sudoRunAsUser: ALL explicitly. >>> >>> I already tried wiping the sss cache, with no success. >> >> I'm sorry, but what should the desired output be here? > >

[SSSD-users] Re: Ubuntu 16.04.4 LTS 4.4.0-108+ and sssd freezes virtual server

2018-03-18 Thread Jakub Hrozek
> On 16 Mar 2018, at 23:48, David Hunter wrote: > > (Fri Mar 16 13:06:03 2018) [sssd] [service_send_ping] (0x2000): Pinging > ad.domain.com > > (Fri Mar 16 13:06:03 2018) [sssd] [sbus_add_timeout] (0x2000): 0x88a9d0 > (Fri Mar 16 13:06:03 2018) [sssd]

[SSSD-users] Re: SSSD strangeness

2018-03-19 Thread Jakub Hrozek
The first step in debugging any strangeness is usually https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html > On 14 Mar 2018, at 16:18, simon...@hotmail.com wrote: > > Hi All > > We've got SSSD 1.13.0 installed as part of a Centos 7.2.1511 installation. > But this is quite an old

[SSSD-users] Re: sssctl & InfoPipe

2018-10-12 Thread Jakub Hrozek
> On 10 Oct 2018, at 14:04, Ondrej Valousek wrote: > > Hi list. > > When I run > # sssctl user-checks > The command will, under the “SSSD InfoPipe user lookup result” section: > - Print some information no matter if I enable InfoPipe in the > configuration or not > -

[SSSD-users] Re: Is it possible for SSSD to handle NTLMSSP authentication somehow?

2018-10-12 Thread Jakub Hrozek
> On 11 Oct 2018, at 02:08, Reinaldo Souza Gomes > wrote: > > I know that this is an old topic, but I've seen contradictory answers in > different places. > > Some topics say that SSSD has no support for NTLM due to its inherently > unsecure nature, and will never have. Currently SSSD

[SSSD-users] Re: local id_provider krb5 auth_provider

2018-10-12 Thread Jakub Hrozek
> On 10 Oct 2018, at 21:11, Ken Teh wrote: > > I tried setting up a domain that uses files for the account id but to use our > active directory for authentication in sssd.conf. But when I fire up the sssd > daemon, it reports that it is using files for the auth_provider. Is this > setup

[SSSD-users] Re: Ubuntu Bionic - sssd 1.16.1 - kerberos ticket not renewing

2018-10-31 Thread Jakub Hrozek
On Wed, Oct 31, 2018 at 08:20:55PM +, Jay McCanta wrote: > Yes. Kinit -R renews the ticket (if it hasn't expired). OK, can you attach a snippet of the logs? I think the domain log and the krb5_child.log are the most important.

[SSSD-users] Re: Default user quotas with SSSD

2018-10-31 Thread Jakub Hrozek
On Fri, Oct 19, 2018 at 12:26:28AM -0400, TomK wrote: > Does SSSD allow setting quotas for existing or newly authenticated users? No. We've talked with the systemd developers about the possibility of sssd fetching cgroups limits from LDAP and passing them on to pam_systemd.so to set limits on

[SSSD-users] Re: Ubuntu Bionic - sssd 1.16.1 - kerberos ticket not renewing

2018-10-31 Thread Jakub Hrozek
On Wed, Oct 31, 2018 at 07:19:44PM +, Jay McCanta wrote: > I have a new server running Ubuntu Bionic (18.04.01) with sssd > 1.16.1-1ubuntu1. The problem is that our Kerberos tickets are not being > renewed while we are logged in. I have tried using FILE and KEYRING > credential caches.

[SSSD-users] Re: Ubuntu Bionic - sssd 1.16.1 - kerberos ticket not renewing

2018-11-02 Thread Jakub Hrozek
On Thu, Nov 01, 2018 at 05:20:57PM +, Jay McCanta wrote: > I have the snippets. May I mail them to you directly. I was trying to > cleanse them, but I'm afraid I'm changing them too much. Yes, sure.

[SSSD-users] Re: Id vs ldapsearch

2018-11-12 Thread Jakub Hrozek
On Tue, Nov 06, 2018 at 05:22:52PM -0500, Tom wrote: > Just a general question about the behaviour of sss_cache , is and ldapsearch. > > Id will return say 8 groups and for the same user ldapsearch will return 10. > > Now as long as if returns 8 apps report authentication denied because the >

[SSSD-users] Re: SSSD in AIX

2018-11-12 Thread Jakub Hrozek
On Mon, Nov 12, 2018 at 03:57:53PM +0530, Ayappan wrote: > Hi, > > I am from AIX OS development team here in IBM. We have some customers > who are interested in running SSSD in AIX. So i basically invested > some amount of time to first build SSSD in AIX. I built the recent > version 1.16.3 after

[SSSD-users] Re: sssd with sudo and non posix groups

2018-11-15 Thread Jakub Hrozek
On Wed, Nov 14, 2018 at 09:45:23AM -0800, Leonard Lawton wrote: > On 11/14/2018 12:28 AM, Jakub Hrozek wrote: > > On Tue, Nov 13, 2018 at 05:00:56PM -0800, Leonard Lawton wrote: > > > I have a group in ldap(I'm using 389DS) called "_all" which has a

[SSSD-users] Re: SSSD in AIX

2018-11-14 Thread Jakub Hrozek
On Mon, Nov 12, 2018 at 05:24:54PM +0530, Ayappan wrote: > On Mon, Nov 12, 2018 at 4:56 PM Jakub Hrozek wrote: > > > > On Mon, Nov 12, 2018 at 03:57:53PM +0530, Ayappan wrote: > > > Hi, > > > > > > I am from AIX OS development team here in IBM. We ha

[SSSD-users] Re: SSSD login delay

2018-11-14 Thread Jakub Hrozek
On Mon, Nov 12, 2018 at 04:25:30PM -, Jonathan Gray wrote: > Hello, > > We need help debugging this issue. > > For some servers we're experiencing over 10 second delay logging in with IPA > user. > Since the issue isn't present everywhere we're finding it hard to debug. > > > SSSD config

[SSSD-users] Re: sssd with sudo and non posix groups

2018-11-14 Thread Jakub Hrozek
On Tue, Nov 13, 2018 at 05:00:56PM -0800, Leonard Lawton wrote: > I have a group in ldap(I'm using 389DS) called "_all" which has a > groupofnames object class. Members are stored with the uniquemember > attribute. The users in the group are able to login fine via ssh using this > setup. However,

[SSSD-users] Re: ad_access_filter and splitting group listing with backslash

2018-10-05 Thread Jakub Hrozek
On Fri, Oct 05, 2018 at 12:25:08PM +0200, Michal Židek wrote: > On 09/27/2018 10:55 PM, Tom wrote: > > FYI tested this and though it doesn’t work for ad_access_filter it does for > > the ldap_access_filter . Any reason why one works but not the other? > > Hi, > > I would like to see logs in

[SSSD-users] Re: sssd fails to start when I enable [ifp]

2018-10-09 Thread Jakub Hrozek
Do you run sssd as root or the unprivileged sssd user? > On 8 Oct 2018, at 15:29, Ondrej Valousek wrote: > > Hi List, > Seems like sssd fails to start when I enable infopipe (i.e. add “ifp” to the > services list). > Log says: > (Mon Oct 8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0020):

[SSSD-users] Re: realm re-join....

2018-10-09 Thread Jakub Hrozek
> On 8 Oct 2018, at 16:16, Spike White wrote: > > All, > > I had a VM down for a great number of days. Apparently, it was not 30 days. > Because even though it initially didn't correctly do AD authentication, I fixed > one misconfiguration in /etc/krb5.conf, restarted SSSD and it did. > >

[SSSD-users] Re: sssd fails to start when I enable [ifp]

2018-10-09 Thread Jakub Hrozek
As root, i.e. "systemctl start sssd" > Ondrej > > -Original Message- > From: Jakub Hrozek [mailto:jhro...@redhat.com] > Sent: Tuesday, October 09, 2018 10:24 AM > To: End-user discussions about the System Security Services Daemon > > Subject: [SSSD-users] Re: sssd fail

[SSSD-users] Re: sssd.conf sections only work if they reflect existing AD domain, why?

2018-09-03 Thread Jakub Hrozek
SSSD logs would show this better, but I wonder if this is related to also using the AD domain name in the simple access filter. Do logins work if you use the name of the sssd section there instead of the AD domain name? Or, do the logins work if you comment out the access provider for a test?

[SSSD-users] Re: sssd.conf sections only work if they reflect existing AD domain, why?

2018-09-03 Thread Jakub Hrozek
> On 31 Aug 2018, at 17:34, Daniele Raffo wrote: > > Hello, > > I'm trying to define two sssd groups in order to assign a different login > shell to AD users belonging to two different AD groups in our domain > FOOBAR.GLOBAL. > However, all users are unable to login and get an error

[SSSD-users] Re: Issues with SSSD cache on version 1.13.4

2018-09-24 Thread Jakub Hrozek
> On 21 Sep 2018, at 20:36, gfb...@yahoo.com wrote: > > For our case, say we have a set of groups abcd..1, abcd..2 etc, all with the > same GID. I would expect the first lookup (e.g. abcd..1) to put an entry in > the cache. If there is then a lookup by GID, (getent group ) it would > return

[SSSD-users] Re: Issues with SSSD cache on version 1.13.4

2018-09-24 Thread Jakub Hrozek
On Mon, Sep 24, 2018 at 10:22:35AM -0400, Simo Sorce wrote: > > btw it’s a good question to ask why isn’t the check done on saving > > the group. I thought it was and I see code that checks for ID > > uniqueness and even a test.. > > In current code, saving would override data as if the group was

[SSSD-users] Re: Issues with SSSD cache on version 1.13.4

2018-09-24 Thread Jakub Hrozek
r > > scenario. > > You're absolutely right that the sssd behaviour you've observed is > inconsistent. Yes, I think it's a bug in SSSD. We should either fail right away or permit the duplicates. Would either of you care to file a bug? :) > > That's why Jakub Hroze

[SSSD-users] Re: Issues with SSSD cache on version 1.13.4

2018-09-25 Thread Jakub Hrozek
> On 24 Sep 2018, at 20:25, Simo Sorce wrote: > > On Mon, 2018-09-24 at 19:59 +0200, Jakub Hrozek wrote: >> On Mon, Sep 24, 2018 at 10:22:35AM -0400, Simo Sorce wrote: >>>> btw it’s a good question to ask why isn’t the check done on saving >>>> the

[SSSD-users] Re: Understanding sssd cache

2019-01-16 Thread Jakub Hrozek
On Wed, Jan 16, 2019 at 01:45:35PM +0100, Maupertuis Philippe wrote: > > > > -Original Message- > > From: Lukas Slebodnik [mailto:lsleb...@redhat.com] > > Sent: Wednesday, 16 January 2019 12:47 > > To: End-user discussions about the System Security Services Daemon > > Subject:

[SSSD-users] Re: Understanding sssd cache

2019-01-16 Thread Jakub Hrozek
On Wed, Jan 16, 2019 at 03:50:59PM +0100, Maupertuis Philippe wrote: > > > > -Original Message----- > > From: Jakub Hrozek [mailto:jhro...@redhat.com] > > Sent: Wednesday, 16 January 2019 15:24 > > To: sssd-users@lists.fedorahosted.org > > Subject: [SSSD

[SSSD-users] Re: Sssd and gidNumber

2019-01-17 Thread Jakub Hrozek
On Wed, Jan 16, 2019 at 05:33:41AM -, Dmitrij S. Kryzhevich wrote: > I have setup with 3 clients and server. Server runs samba as AD and ldap + > kerberos. Clients use sss: 1) fedora with 2.0.0, 2) centos with 1.16.0 and 3) > centos with 1.16.2. All clients use 1:1 sssd.conf. I want sss to
