Re: [SSSD-users] [SOLVED] cannot authenticate one user

2012-09-18 Thread Ondrej Valousek
Thanks, that is good to know. Instead of DNS discovery I went ahead and hard coded the local AD server (ldap_uri/krb5_server). The server SSSD was using by default was the primary AD located across a VPN and it was introducing a few second delay in authentication due to the latency of the

Re: [SSSD-users] [SOLVED] cannot authenticate one user

2012-09-19 Thread Ondrej Valousek
That's true. AD (for some reason) does not populate KDCs _kpasswd services for sites (only for the whole domain). You have to create the appropriate SRV _kpasswd records manually :-( . On 09/19/2012 03:35 PM, Michael Cronenworth wrote: The LDAP and KERBEROS services detected the correct server

[SSSD-users] netgroups alternative?

2012-11-08 Thread Ondrej Valousek
Hi List, Quick question (maybe not the right one for this list). Is there any alternative for netgroups in Linux? I mean netgroups are tightly bound to NIS which is insecure piece of crap so I wonder if there is any new alternative which should (can) be used in any new deployment. Thanks!

Re: [SSSD-users] Anyone using sudo with AD?

2013-04-29 Thread Ondrej Valousek
[mailto:sssd-users-boun...@lists.fedorahosted.org] On Behalf Of Dmitri Pal Sent: Sunday, April 28, 2013 10:17 PM To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] Anyone using sudo with AD? On 04/28/2013 02:13 PM, Jakub Hrozek wrote: On Sat, Apr 27, 2013 at 05:56:15AM +, Ondrej

Re: [SSSD-users] Gss-proxy

2013-05-02 Thread Ondrej Valousek
Yes, I am using nsupdate. So not sure whether the /etc/dhcp/dhcp.keyab would solve the problem (can I use the -k switch to specify the keytab location?) That said, I still believe it would be the best to keep all keytabs on the same location (so sssd could renew them, one day) and use gss-proxy

Re: [SSSD-users] finding user - but says ldap result empty

2013-05-03 Thread Ondrej Valousek
Suggest upgrading to the latest version of sssd in CentOS and use the AD provider (man sssd-ad) instead. You simplify the configuration and it would work :) -Original Message- From: sssd-users-boun...@lists.fedorahosted.org [mailto:sssd-users-boun...@lists.fedorahosted.org] On Behalf

Re: [SSSD-users] finding user - but says ldap result empty

2013-05-03 Thread Ondrej Valousek
Also, many options from the ldap provider works for ad provider, too - it is a little secret :) O. -Original Message- From: sssd-users-boun...@lists.fedorahosted.org [mailto:sssd-users-boun...@lists.fedorahosted.org] On Behalf Of Ondrej Valousek Sent: Friday, May 03, 2013 4:14 PM

Re: [SSSD-users] finding user - but says ldap result empty

2013-05-03 Thread Ondrej Valousek
Nope. Keep ldap notation. O. Sent from Samsung Mobile Klavs Klavsen k...@vsen.dk wrote: Ondrej Valousek said the following on 05/03/2013 04:16 PM: Also, many options from the ldap provider works for ad provider, too - it is a little secret :) O. work - as in setting an ldap_.. setting

Re: [SSSD-users] Announcing SSSD 1.10.0 Beta 1

2013-05-04 Thread Ondrej Valousek
Wow! Thanks for implementing features I was calling for few months ago! It is really highly appreciated :) Few questions: - From the man page it is not clear which DNS zone is being used to start the site discovery. I suppose dns_discovery_domain has to be defined for this feature to work,

Re: [SSSD-users] Not finding /usr/lib64/libsss_sudo.so on RHEL V6.4

2013-07-27 Thread Ondrej Valousek
Quick note: Maybe there is a time to update man nsswitch.conf, too. Ondrej Sent from Samsung Mobile Original message From: Michael Ströder mich...@stroeder.com Date: To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] Not finding /usr/lib64/libsss_sudo.so on

Re: [SSSD-users] sssd, autofs and active directory

2013-09-18 Thread Ondrej Valousek
PM To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] sssd, autofs and active directory On 16/09/13 17:08, Rowland Penny wrote: On 16/09/13 16:53, Ondrej Valousek wrote: Strange, which version of sssd are you running? SSSD Autofs AD works for granted

Re: [SSSD-users] sssd, autofs and active directory [SOLVED]

2013-09-18 Thread Ondrej Valousek
: Wednesday, September 18, 2013 9:46 AM To: End-user discussions about the System Security Services Daemon Cc: Ondrej Valousek Subject: Re: [SSSD-users] sssd, autofs and active directory [SOLVED] On 18/09/13 07:59, Ondrej Valousek wrote: Hmmm, Looks like a bug in 1.10? My search looks different

Re: [SSSD-users] sssd and sudo

2013-09-23 Thread Ondrej Valousek
Question: Is it possible to extend AD schema (and if yes, how?) so it can store Sudo rules for SSSD? If yes, the I would be very interested as well. Ondrej From: sssd-users-boun...@lists.fedorahosted.org [sssd-users-boun...@lists.fedorahosted.org] on

Re: [SSSD-users] sssd and sudo [SOLVED]

2013-09-23 Thread Ondrej Valousek
Great. could you share with us the procedure you used to extend AD schema? Thanks, a lot. Ondrej From: sssd-users-boun...@lists.fedorahosted.org [sssd-users-boun...@lists.fedorahosted.org] on behalf of Rowland Penny [repenny241...@gmail.com] Sent: Monday,

[SSSD-users] sssd 1.11 (F19) AD not working

2013-10-08 Thread Ondrej Valousek
Hi all, I just used sssd in F19 and it does not seem to work with AD. The same config works fine with Centos 6 (sssd 1.9.2). Here is the log: [be_get_account_info] (0x0100): Got request for [4097][1][name=ovalousek] (Tue Oct 8 19:17:18 2013) [sssd[be[default]]] [sdap_idmap_add_domain]

Re: [SSSD-users] sssd 1.11 (F19) AD not working

2013-10-08 Thread Ondrej Valousek
-boun...@lists.fedorahosted.org] on behalf of Ondrej Valousek Sent: Wednesday, October 09, 2013 1:25 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] sssd 1.11 (F19) AD not working Hi all, I just used sssd in F19 and it does not seem to work with AD. The same config works fine

[SSSD-users] AD provider uses wrong user attribute?

2013-11-01 Thread Ondrej Valousek
Hi List, Looks like the AD provider in sssd honors sAMAccountname attribute instead of the 'uid' (which is more in line with the RFC2307). Is this intentional or a bug? Thanks, Ondrej ___ sssd-users mailing list sssd-users@lists.fedorahosted.org

Re: [SSSD-users] AD provider uses wrong user attribute?

2013-11-01 Thread Ondrej Valousek
To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] AD provider uses wrong user attribute? On Fri, Nov 01, 2013 at 09:36:05AM +, Ondrej Valousek wrote: Hi List, Looks like the AD provider in sssd honors sAMAccountname attribute instead of the 'uid' (which is more in line

Re: [SSSD-users] AD provider uses wrong user attribute?

2013-11-01 Thread Ondrej Valousek
-boun...@lists.fedorahosted.org] On Behalf Of Rowland Penny Sent: Friday, November 01, 2013 11:13 AM To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] AD provider uses wrong user attribute? On 01/11/13 10:00, Ondrej Valousek wrote: Yes it is guaranteed

Re: [SSSD-users] AD provider uses wrong user attribute?

2013-11-01 Thread Ondrej Valousek
Security Services Daemon Subject: Re: [SSSD-users] AD provider uses wrong user attribute? On 01/11/13 11:21, Ondrej Valousek wrote: In ADUC, if you tick on User Unix attributes and populate it, uid is automatically set on. Not sure if Samba even populates RFC attributes - guess you need to use

Re: [SSSD-users] AD provider uses wrong user attribute?

2013-11-01 Thread Ondrej Valousek
...@lists.fedorahosted.org] on behalf of Michael Ströder [mich...@stroeder.com] Sent: Friday, November 01, 2013 3:32 PM To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] AD provider uses wrong user attribute? Ondrej Valousek wrote: Both directories (AD Samba

[SSSD-users] Long hostname

2013-12-10 Thread Ondrej Valousek
Hi List, Is there any plan how to deal with hostnames 16 chars long? I do not know how about IPA, but AD seems to have a problem joining such machines due to some historical NETBIOS dependency. Please advise - currently I am renaming machines for shorter names which is far from being ideal.

Re: [SSSD-users] Long hostname

2013-12-10 Thread Ondrej Valousek
, Ondrej Valousek wrote: Hi List, Is there any plan how to deal with hostnames 16 chars long? I do not know how about IPA, but AD seems to have a problem joining such machines due to some historical NETBIOS dependency. Please advise - currently I am renaming machines for shorter names which

Re: [SSSD-users] kinit: Client not found in Kerberos database

2013-12-18 Thread Ondrej Valousek
Sender: sssd-users-boun...@lists.fedorahosted.org On-Behalf-Of: ovalou...@vendavo.com Subject: Re: [SSSD-users] kinit: Client not found in Kerberos database Message-Id: 1B2E2C093FF3B7459F3C605C42E4B5040DFAAED6@exmb1 Recipient: cklopotow...@crabel.com ---BeginMessage--- You also do not need to have

Re: [SSSD-users] How to deal with non rfc2307 compliant schemas? (without posixAccount)

2013-12-18 Thread Ondrej Valousek
Try man sssd-ldap things like ldap_user_object_class etc Simply yes, sssd supports custom attribute mapping. O. From: sssd-users-boun...@lists.fedorahosted.org [sssd-users-boun...@lists.fedorahosted.org] on behalf of Jason Voorhees

[SSSD-users] Anyone using Kerberized nfs with sssd?

2014-01-09 Thread Ondrej Valousek
Hi List, Is anyone using kerberized nfs with sssd on F-19? On my box systemd automatically stops nfs-secure service in spite of the fact it is enabled. I have to re-start it manually after reboot. It is probably some issue with systemd, but I thought I will give it a try and ask here before

Re: [SSSD-users] Anyone using Kerberized nfs with sssd?

2014-01-09 Thread Ondrej Valousek
) To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] Anyone using Kerberized nfs with sssd? On Thu, 2014-01-09 at 17:09 +, Ondrej Valousek wrote: Me too, but nfs-secure is dead after system restart. Will sink into the logs to find out. So is rpc.gssd

Re: [SSSD-users] sssd-1.11.1 Saucy automount

2014-01-30 Thread Ondrej Valousek
That was me. Yes, autofs works with sssd having AD backend (and using RFC2307 schema). No blushing. From: sssd-users-boun...@lists.fedorahosted.org [sssd-users-boun...@lists.fedorahosted.org] on behalf of Chris Gray [fat...@gmail.com] Sent: Thursday, January 30,

Re: [SSSD-users] sssd-1.11.1 Saucy automount(nfs4+krb problem)

2014-02-11 Thread Ondrej Valousek
Host 54.8.80.10.in-addr.arpa. not found: 3(NXDOMAIN) Best longina From: sssd-users-boun...@lists.fedorahosted.org [mailto:sssd-users-boun...@lists.fedorahosted.org] On Behalf Of Ondrej Valousek Sent: 30. januar 2014 14:38 To: End-user discussions about the System Security Services Daemon Subject

Re: [SSSD-users] sssd-1.11.1 Saucy automount(nfs4+krb problem)

2014-02-11 Thread Ondrej Valousek
Got it. You need to use short hostname - i.e. hostname should return only client, not client.domain.org. O. From: sssd-users-boun...@lists.fedorahosted.org [sssd-users-boun...@lists.fedorahosted.org] on behalf of Ondrej Valousek Sent: Tuesday, February 11, 2014

Re: [SSSD-users] sssd-1.11.1 Saucy automount(nfs4+krb problem)

2014-02-11 Thread Ondrej Valousek
-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] sssd-1.11.1 Saucy automount(nfs4+krb problem) On Tue, 2014-02-11 at 17:27 +, Ondrej Valousek wrote: Got it. You need to use short hostname - i.e. hostname should return only client, not client.domain.org

Re: [SSSD-users] sssd-1.11.1 Saucy automount(nfs4+krb problem)

2014-02-12 Thread Ondrej Valousek
Well not exactly. rpc.gssd (i.e. NFS client side) does need a TGT. Kerberized NFS server (i.e. rpc.svcgssd) is just happy with the ServicePrincipal. Historically, rpc.gssd only supported nfs/fqdn UserPrincipal names. Later on, someone from nfs-utils maintainers noticed that some people use

Re: [SSSD-users] sssd-1.11.1 Saucy automount(nfs4+krb problem)

2014-02-20 Thread Ondrej Valousek
: Wednesday, February 19, 2014 7:35 PM To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] sssd-1.11.1 Saucy automount(nfs4+krb problem) On Wed, 2014-02-19 at 15:04 +, Ondrej Valousek wrote: Hi Simo, I are you getting on about this with Steve

Re: [SSSD-users] Announcing SSSD 1.11.5

2014-04-09 Thread Ondrej Valousek
Hi Jakub, Great news, I have questions: 1. If we use AD as the sudo provider, does it mean the same ldap schema is expected for sudo rules? If yes, it would mean system admin would have to extend the AD schema to accommodate the SUDO needs, right? 2. Is something similar possible with the

Re: [SSSD-users] Announcing SSSD 1.11.5

2014-04-10 Thread Ondrej Valousek
...@redhat.com] Sent: Wednesday, April 09, 2014 6:58 PM To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] Announcing SSSD 1.11.5 On Wed, Apr 09, 2014 at 01:03:38PM +, Ondrej Valousek wrote: Hi Jakub, Great news, I have questions: 1. If we use AD as the sudo provider, does it mean

Re: [SSSD-users] Announcing SSSD 1.11.5

2014-04-10 Thread Ondrej Valousek
SSSD 1.11.5 On Thu, Apr 10, 2014 at 08:28:21AM +, Ondrej Valousek wrote: Thanks Jakub, Is the link to the schema mentioned somewhere? I can not find it on the wiki page of the project. As of the automounter, I would vote for using RFC2307 automounter schema when dealing with the AD. I.e

Re: [SSSD-users] [SSSD] New AD provider howto

2014-04-14 Thread Ondrej Valousek
One minor thing (not sure if worth mentioning): When installing IDMU on windows server, it is quite useful to stop disable the server for NIS service - it is not needed for the sssd functionality (not mentioning the security issues related to using NIS). Ondrej

Re: [SSSD-users] Announcing SSSD 1.11.5

2014-04-17 Thread Ondrej Valousek
- From: sssd-users-boun...@lists.fedorahosted.org [mailto:sssd-users-boun...@lists.fedorahosted.org] On Behalf Of Ondrej Valousek Sent: 10. april 2014 10:28 To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] Announcing SSSD 1.11.5 Thanks Jakub, Is the link

Re: [SSSD-users] Announcing SSSD 1.11.5

2014-04-18 Thread Ondrej Valousek
? Longina -Original Message- From: sssd-users-boun...@lists.fedorahosted.org [mailto:sssd-users-boun...@lists.fedorahosted.org] On Behalf Of Ondrej Valousek Sent: 17. april 2014 10:47 To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] Announcing SSSD

[SSSD-users] rpc.gssd vs gssproxy

2014-07-23 Thread Ondrej Valousek
Hi List, Sorry for the bit OT question. How do I enable gssproxy on F20? When I enable USE_GSSPROXY in /etc/sysconfig/nfs and systemctl start nfs-secure, rpc.gssd is started instead :( Same story in CentOS 7 Thanks, Ondrej

Re: [SSSD-users] rpc.gssd vs gssproxy

2014-07-23 Thread Ondrej Valousek
Ok, thanks for clarification rpc.gssd is the *client* component of NFS, and is used in conjunction with gssproxy (you still need to change /etc/gss/mech for it to work in F20, in the future that will not be necessary anymore). Yes, the client is important for me now - I thought gssproxy is

[SSSD-users] Referral problem with sssd on RHEL-6

2015-04-29 Thread Ondrej Valousek
Hi List, I am experiencing a strange error with sssd-1.11.6-30 on RHEL-6 machine it produces error: (Wed Apr 29 12:05:02 2015) [sssd[be[default]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Referral(10), 202B: RefErr: DSID-03100742, data 0, 1 access points

[SSSD-users] net ads join custom keytab

2015-04-30 Thread Ondrej Valousek
Hi List, Just trying to make sssd working in the diskless environment. As such, I need to create Kerberos keytab on non-standard location: Krb5.conf: [libdefaults] default_keytab_name = /var/lib/sss/krb5.keytab But when I try to join domain via net -d 10 ads join, I get this:

Re: [SSSD-users] net ads join custom keytab

2015-04-30 Thread Ondrej Valousek
: Thursday, April 30, 2015 11:40 AM To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] net ads join custom keytab On Thu, 30 Apr 2015, Ondrej Valousek wrote: Just trying to make sssd working in the diskless environment. As such, I need to create

Re: [SSSD-users] net ads join custom keytab

2015-04-30 Thread Ondrej Valousek
[mailto:sssd-users-boun...@lists.fedorahosted.org] On Behalf Of John Hodrien Sent: Thursday, April 30, 2015 11:54 AM To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] net ads join custom keytab On Thu, 30 Apr 2015, Ondrej Valousek wrote: Yes, I am using

Re: [SSSD-users] please do not remove enumeration from AD provider

2015-05-11 Thread Ondrej Valousek
+1 here. I can also confirm that several services (Cadence, are you listening??) depend on enumeration so we need to preserve this functionality - but I agree that relying on enumeration is a bad habit which should be avoided. Ondrej -Original Message- From:

Re: [SSSD-users] Problem with automount

2015-06-23 Thread Ondrej Valousek
Forgot it, I have it already. It was a typo in the nismapname attribute value. Works OK now - sorry for the noise... Ondrej -Original Message- From: sssd-users-boun...@lists.fedorahosted.org [mailto:sssd-users-boun...@lists.fedorahosted.org] On Behalf Of Ondrej Valousek Sent: 23 June

Re: [SSSD-users] Unexpected result from ldap: Referral(10), 0000202B: RefErr: DSID-0310082F

2015-06-25 Thread Ondrej Valousek
I believe recent version of MIT Kerberos library is not picky regarding the A/PTR match anymore. -Original Message- From: sssd-users-boun...@lists.fedorahosted.org [mailto:sssd-users-boun...@lists.fedorahosted.org] On Behalf Of Jakub Hrozek Sent: 25 June 2015 10:28 To:

[SSSD-users] Problem with automount

2015-06-23 Thread Ondrej Valousek
Hi List, I am experiencing a strange issue with sssd not being able to deliver certain maps to the automounter from the AD backend. It can deliver keys to auto.home, auto.appli,... but not to auto.cadappl map: (Tue Jun 23 08:54:04 2015) [sssd[autofs]] [sss_autofs_cmd_setautomntent] (0x0400):

Re: [SSSD-users] Problem with automount

2015-06-23 Thread Ondrej Valousek
about the System Security Services Daemon Subject: Re: [SSSD-users] Problem with automount On (23/06/15 08:27), Ondrej Valousek wrote: Hi List, I am experiencing a strange issue with sssd not being able to deliver certain maps to the automounter from the AD backend. It can deliver keys to auto.home

[SSSD-users] Race condition between SSSD autofs on Ubuntu 14.04

2015-07-02 Thread Ondrej Valousek
Hi list, I have spotted a strange issue with SSSD on Ubuntu 14.04 when using sssd to provide maps for automounter. When I start the machine with completely clean SSSD cache (rm -rf /var/lib/sssd/db/*, reboot), I can not login. The only fix is to restart automounter and try again. Funny thing is,

Re: [SSSD-users] AD site recognition with sssd version 1.11.5

2015-07-02 Thread Ondrej Valousek
/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html section 2.3.3, discusses SSSD, AD and Sites. If you have configured DNS sites in AD, then you should be getting back a primary and back DC for your site. Best, Frank On Tue, Jun 30, 2015 at 10:19 AM, Ondrej Valousek ondrej.valou

[SSSD-users] SSSD is unable to go online on RHEL-6

2015-07-03 Thread Ondrej Valousek
Hi List, Facing another issue on RHEL-6. After server reboot, the sssd is unable to go online. Messages like: (Fri Jul 3 06:13:36 2015) [sssd[be[default]]] [be_run_online_cb] (0x0080): Going online. Running callbacks. (Fri Jul 3 06:13:42 2015) [sssd[be[default]]] [fo_resolve_service_timeout]

Re: [SSSD-users] AD site recognition with sssd version 1.11.5

2015-07-03 Thread Ondrej Valousek
...@lists.fedorahosted.org] On Behalf Of Jakub Hrozek Sent: 03 July 2015 10:55 To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] AD site recognition with sssd version 1.11.5 On Fri, Jul 03, 2015 at 08:15:47AM +, Ondrej Valousek wrote: Hi Frank, Yes, that would work, indeed. The thing

Re: [SSSD-users] Race condition between SSSD autofs on Ubuntu 14.04

2015-07-03 Thread Ondrej Valousek
Is it because there is no /home mounted? Yes, it is because home directory is not mounted. The only fix is to restart automounter and try again. Sounds like automounter starts before sssd does Well that's what I thought it could be - the thing is that it after all subsequent reboots it just

Re: [SSSD-users] SSSD seriously broken in RHEL 6.7 again?

2015-08-13 Thread Ondrej Valousek
Sites won't help here because of 2 reasons: 1. You start up the AD site discovery process sequentially connecting to ALL DCs that are registered in SRV. This has to be done this way as you do not know yet to which site you belong to. If the random DC you pick up responds, you're lucky and you

Re: [SSSD-users] autofs will not find auto.master in LDAP

2015-08-18 Thread Ondrej Valousek
Did not try the variable expansion for ages, but it definitely works with maps in NIS. Also, did you consider using asterisk (*) for autofs maps expansion? It works perfectly, even with ldap/sssd. But as Jakub said - this has nothing to do with sssd, this is just automounter-specific thing.

[SSSD-users] sss_cache fails sometimes

2015-08-18 Thread Ondrej Valousek
Hi folks, I have just found out that when I try to use sss_cache against some item which is in negative cache (i.e. not found) it does not work. Is this expected behavior? I would expect negative cache is cleared, sssd attempts to go online and get current result. Thanks, Ondrej

Re: [SSSD-users] autofs will not find auto.master in LDAP

2015-08-18 Thread Ondrej Valousek
@lists.fedorahosted.org Subject: Re: [SSSD-users] autofs will not find auto.master in LDAP On 08/18/2015 03:55 AM, Ondrej Valousek wrote: Did not try the variable expansion for ages, but it definitely works with maps in NIS. Also, did you consider using asterisk (*) for autofs maps expansion

[SSSD-users] ad_site syntax

2015-08-20 Thread Ondrej Valousek
Hi folks, Just testing the ad_site option in sssd.conf - how is this supposed to work? Which syntax is it taking? Long DNS path or just site name? For me, it does not seem to work at all - sssd happily connect to DCs outside of the specified site. Ondrej

Re: [SSSD-users] ad_site syntax

2015-08-20 Thread Ondrej Valousek
syntax On 08/20/2015 11:02 AM, Ondrej Valousek wrote: Hi folks, Just testing the ad_site option in sssd.conf – how is this supposed to work? Which syntax is it taking? Long DNS path or just site name? For me, it does not seem to work at all – sssd happily connect to DCs outside of the specified

[SSSD-users] AD site recognition with sssd version 1.11.5

2015-06-30 Thread Ondrej Valousek
Hi List, I am just trying to run sssd on Ubuntu 14.04 and it seems to be unable to detect the proper AD site it belongs to. The thing is, that in order to detect the proper site, it needs to connect to some (random) AD controller first. In our scenario, the box is only allowed to connect to the

Re: [SSSD-users] AD site recognition with sssd version 1.11.5

2015-06-30 Thread Ondrej Valousek
...@lists.fedorahosted.org [mailto:sssd-users-boun...@lists.fedorahosted.org] On Behalf Of Lukas Slebodnik Sent: 30 June 2015 17:11 To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] AD site recognition with sssd version 1.11.5 On (30/06/15 14:19), Ondrej Valousek wrote: Hi

Re: [SSSD-users] ID mapping issue with Linux NFS client and server with AD DC KDC

2015-07-14 Thread Ondrej Valousek
Hi, You are most probably using numeric UIDs in nfs upcalls (i.e. not using ID mapper). Whilst this is quite OK with auth_sys (well..., it is not documented, but say, silently accepted), with auth_gss it is forbidden. Make sure ID mapper correctly configured on both sides (client and server) and

[SSSD-users] Reject new users form logging in

2015-07-16 Thread Ondrej Valousek
Hi List, We I know I am probably crying at the wrong grave - but I'll give it a try anyway :): Does anyone know if I can somehow prevent new users from logging in to a certain machine? We have a logon server here with SSSD which needs a maintenance. I know there is pam_nologin, but I still

Re: [SSSD-users] Reject new users form logging in

2015-07-16 Thread Ondrej Valousek
/07/15 14:07), Ondrej Valousek wrote: Well, can we use HBAC with AD backend? Don’t think so…. You can use GPO with recent version of sssd. LS But you can also use the basic LDAP based access control that relies on a filter. See sssd-ldap. Search for filter. There are some restrictions though

Re: [SSSD-users] Reject new users form logging in

2015-07-16 Thread Ondrej Valousek
logging in On 07/16/2015 06:07 AM, Ondrej Valousek wrote: Hi List, We I know I am probably crying at the wrong grave – but I’ll give it a try anyway ☺: Does anyone know if I can somehow prevent new users from logging in to a certain machine? We have a logon server here with SSSD which needs

Re: [SSSD-users] sssd+ad-provider + sudo slow

2015-07-21 Thread Ondrej Valousek
On Tue, Jul 21, 2015 at 09:08:21AM +, Ondrej Valousek wrote: OT: How comes sudo even works with the AD provider?? You need to extend AD schema right? Thanks, Yes: https://jhrozek.wordpress.com/2014/07/21/add-sudo-rules-to-active-directory-and-access-them-with-sssd

[SSSD-users] SSSD & Kerberos renewal

2015-10-22 Thread Ondrej Valousek
Hi list, I have a question regarding Kerberos cache refresh. My observation is, that normally sssd refreshes my cache just fine, but if I create Kerberos cache manually using kinit like this: $ ssh root@remote_machine Remote_machine # su - Ondrej Remote_machine $ kinit Ondrej ... my cache is

Re: [SSSD-users] SSSD & Kerberos renewal

2015-11-05 Thread Ondrej Valousek
To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] SSSD & Kerberos renewal On Thu, Nov 05, 2015 at 12:46:25PM +0000, Ondrej Valousek wrote: > Hi, > > Thanks for clarification - so SSSD keeps a database of user principals - if > only rpc.gssd did the same :( >

[SSSD-users] SSSD & AD & Kerberized nfs

2015-10-20 Thread Ondrej Valousek
Hi all, Just put together few findings about kerberized NFS & AD. See here: https://ovalousek.wordpress.com/2015/10/15/enable-kerberized-nfs-with-sssd-and-active-directory/ Ondrej

Re: [SSSD-users] SSSD & AD & Kerberized nfs

2015-10-20 Thread Ondrej Valousek
berized nfs On 20 October 2015 at 14:53, Ondrej Valousek <ondrej.valou...@s3group.com> wrote: > Do you have the SPNs properly configured? As per the document. > Thing is that if you have more servers behind a single A record, RH-6 is not > going to work (details? see the document).

Re: [SSSD-users] SSSD & AD & Kerberized nfs

2015-10-20 Thread Ondrej Valousek
Of John Hodrien Sent: 20 October 2015 15:29 To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org> Subject: Re: [SSSD-users] SSSD & AD & Kerberized nfs On Tue, 20 Oct 2015, Ondrej Valousek wrote: > Will add this to my document,

Re: [SSSD-users] SSSD & AD & Kerberized nfs

2015-10-20 Thread Ondrej Valousek
hosted.org] On Behalf Of John Hodrien Sent: 20 October 2015 15:07 To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org> Subject: Re: [SSSD-users] SSSD & AD & Kerberized nfs On Tue, 20 Oct 2015, Ondrej Valousek wrote: > Hi all

Re: [SSSD-users] SSSD & AD & Kerberized nfs

2015-10-20 Thread Ondrej Valousek
...@lists.fedorahosted.org] On Behalf Of John Beranek Sent: 20 October 2015 14:23 To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org> Subject: Re: [SSSD-users] SSSD & AD & Kerberized nfs On 20 October 2015 at 12:33, Ondrej Valousek <ondrej.valou...@s3

Re: [SSSD-users] sssd fails - too many open files

2015-08-27 Thread Ondrej Valousek
-users@lists.fedorahosted.org Subject: Re: [SSSD-users] sssd fails - too many open files On (27/08/15 08:42), Ondrej Valousek wrote: Hi list, I have a problem with sssd is unable to authenticate anyone. In logs I see: (Thu Aug 27 08:52:56 2015) [sssd[be[default]]] [krb5_auth_done] (0x0020): child

[SSSD-users] Race condition when /var/lib/sssd in on NFSv4

2015-09-16 Thread Ondrej Valousek
Hi list, I have just discovered that there is a race condition when we put /var/lib/sssd on NFSv4 volume (such as in diskless boot scenario). System tends to hang randomly. Is there any solution to this? Only cure seems to me at the moment to mount it via NFSv3 which does not require idmapper.

Re: [SSSD-users] Problem authenticating user

2015-09-29 Thread Ondrej Valousek
Ok found the problem. I do not know why, but SSSD seems to be bit picky about /etc/krb5.conf: Non working one: [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] dns_lookup_realm = false ticket_lifetime = 24h

[SSSD-users] nested groups enumeration problem

2015-10-02 Thread Ondrej Valousek
Hi List, I am using sssd 1-12-4 (last one in RHEL-6) and I am suffering a strange problem: User is member of group A which is nested into group B. Now, sometimes it happens that "id -a" only shows membership in group A, but not B. Happens only sometimes. Do we know? Thanks, Ondrej

Re: [SSSD-users] Make autofs work with Active Drectory

2015-09-29 Thread Ondrej Valousek
tput is attached. On 25 September 2015 at 15:53, Ondrej Valousek <ondrej.valou...@s3group.com<mailto:ondrej.valou...@s3group.com>> wrote: Hmm, very strange. Should work. Could you paste output of 'ldapsearch -h -b (objectclass=*)' - might need to add few params to get the ldif

Re: [SSSD-users] nested groups enumeration problem

2015-10-05 Thread Ondrej Valousek
ration problem On (05/10/15 08:08), Ondrej Valousek wrote: >Thing is that .5 is not in the official repo yet :( > You mentioned that you are using the latest 1.12.4 in rhel6. I assume it is 1.12.4-47.el6. (It's better to every time mentions full version in report) Is it

Re: [SSSD-users] Tokengroups usage

2015-09-18 Thread Ondrej Valousek
+0100, John Hodrien wrote: > On Fri, 18 Sep 2015, Ondrej Valousek wrote: > > >Nope, > >See the last sentence: > >"When connected to Active-Directory Server 2008 and later it is > >furthermore required to disable usage of Token-Groups by setting > >ldap_use_

[SSSD-users] Tokengroups usage

2015-09-18 Thread Ondrej Valousek
Hi List, Man sssd-ldap says: " If ldap_group_nesting_level is set to 0 then no nested groups are processed at all. However, when connected to Active-Directory Server 2008 and later it is furthermore required to disable usage of Token-Groups by setting

Re: [SSSD-users] kerberized nfs4 with sssd id mapping

2015-09-18 Thread Ondrej Valousek
lf Of John Hodrien Sent: 18 September 2015 10:29 To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org> Subject: Re: [SSSD-users] kerberized nfs4 with sssd id mapping On Fri, 18 Sep 2015, Ondrej Valousek wrote: > Hold on, > You should not

Re: [SSSD-users] Tokengroups usage

2015-09-18 Thread Ondrej Valousek
> Subject: Re: [SSSD-users] Tokengroups usage On Fri, 18 Sep 2015, Ondrej Valousek wrote: > Hi List, > > Man sssd-ldap says: > " > If ldap_group_nesting_level is set to 0 then no nested groups are > processed at all. However, when connected to Active-Directory Server >

[SSSD-users] Problem authenticating user

2015-09-24 Thread Ondrej Valousek
Hi List, I am running into problem with pam_sss. It is unable to authenticate user against AD via Kerberos. Log files: Sssd_default.log (Thu Sep 24 14:14:16 2015) [sssd[be[default]]] [krb5_auth_send] (0x0100): No ccache file for user [ondrejv] found. (Thu Sep 24 14:14:16 2015)

Re: [SSSD-users] Make autofs work with Active Drectory

2015-09-25 Thread Ondrej Valousek
Ok, Try to add: ldap_sasl_mech = GSSAPI let me know if it helps. Ondrej From: sssd-users-boun...@lists.fedorahosted.org [mailto:sssd-users-boun...@lists.fedorahosted.org] On Behalf Of Fabien CARRE Sent: Thursday, September 24, 2015 3:26 PM To: sssd-users@lists.fedorahosted.org Subject:

Re: [SSSD-users] Make autofs work with Active Directory

2015-09-25 Thread Ondrej Valousek
ler] (0x0200): Requested refresh for: auto.master (Fri Sep 25 10:07:46 2015) [sssd[autofs]] [getautomntent_process] (0x0080): No entries found On 25 September 2015 at 09:32, Ondrej Valousek <ondrej.valou...@s3group.com<mailto:ondrej.valou...@s3group.com>> wrote: Ok, Try to add: ldap

Re: [SSSD-users] Make autofs work with Active Directory

2015-09-25 Thread Ondrej Valousek
To me, it works just fine. Detects auto.master and even auto.home. What does "automount -m" say? O. From: sssd-users-boun...@lists.fedorahosted.org [mailto:sssd-users-boun...@lists.fedorahosted.org] On Behalf Of Fabien CARRE Sent: Friday, September 25, 2015 1:39 PM To: End-user discussions about

Re: [SSSD-users] Problem authenticating user

2015-09-25 Thread Ondrej Valousek
: Friday, September 25, 2015 12:01 PM To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org> Subject: Re: [SSSD-users] Problem authenticating user On Fri, Sep 25, 2015 at 10:30:51AM +, Ondrej Valousek wrote: > Here is the krb5_child.log:

Re: [SSSD-users] Make autofs work with Active Directory

2015-09-25 Thread Ondrej Valousek
mp map information === global options: none configured no master map entries found On 25 September 2015 at 15:00, Ondrej Valousek <ondrej.valou...@s3group.com<mailto:ondrej.valou...@s3group.com>> wrote: To me, it works just fine. Detects auto.master and even auto

Re: [SSSD-users] Make autofs work with Active Directory

2015-09-25 Thread Ondrej Valousek
isplus automount: files sss aliases:files nisplus # #/etc/auto.master # +auto.master On 25 September 2015 at 15:44, Ondrej Valousek <ondrej.valou...@s3group.com<mailto:ondrej.valou...@s3group.com>> wrote: Ok, pls attach /etc/nsswitch.conf and /etc/auto.master, too. O. From

Re: [SSSD-users] Problem authenticating user

2015-09-25 Thread Ondrej Valousek
g] On Behalf Of Lukas Slebodnik Sent: Friday, September 25, 2015 9:14 AM To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org> Subject: Re: [SSSD-users] Problem authenticating user On (24/09/15 18:04), Sumit Bose wrote: >On Thu, Sep 24, 20

[SSSD-users] Re: krb5 cache renewal question

2015-12-04 Thread Ondrej Valousek
cache renewal question On Thu, Dec 03, 2015 at 10:18:01AM +, Ondrej Valousek wrote: > Hi List, > > Question: > If I do: > service sssd stop > rm -rf /var/lib/sssd/db/* > service sssd start > > > - Will SSSD forget about users logged in to the system

[SSSD-users] Re: newgrp problem

2015-12-03 Thread Ondrej Valousek
sd-users@lists.fedorahosted.org> > Subject: [SSSD-users] Re: newgrp problem > > On Wed, 2 Dec 2015, Ondrej Valousek wrote: > >> Hi List, >> >> I have a strange problem with newgrp. Machine is running SSSD, user U is >> member of groups G1,G2,G3. >> 'id -a U'

[SSSD-users] Re: A RHEL-6.8 preview repo

2015-12-03 Thread Ondrej Valousek
Hi, Thanks for that - is it possible to get a list of bug fixes & new feature sets introduced in this version compared to the latest available in RH 6 official repo (i.e. 1.12.4)? Thanks, Ondrej -Original Message- From: Jakub Hrozek [mailto:jhro...@redhat.com] Sent: Thursday, December

[SSSD-users] Re: newgrp problem

2015-12-03 Thread Ondrej Valousek
Hrozek [mailto:jhro...@redhat.com] Sent: Thursday, December 03, 2015 9:49 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: newgrp problem On Thu, Dec 03, 2015 at 08:42:56AM +, Ondrej Valousek wrote: > No. I do not. > The only help seems to be: > # service sssd stop &

[SSSD-users] krb5 cache renewal question

2015-12-03 Thread Ondrej Valousek
Hi List, Question: If I do: service sssd stop; rm -rf /var/lib/sssd/db/*; service sssd start - Will SSSD forget about users logged in to the system so far, so it will no longer refresh their credential cache? Thanks, Ondrej - The information contained in this e-mail and in any

[SSSD-users] newgrp problem

2015-12-02 Thread Ondrej Valousek
Hi List, I have a strange problem with newgrp. Machine is running SSSD, user U is member of groups G1,G2,G3. 'id -a U' shows correctly membership G1,G2,G3 Now command 'newgrp G1' completes successfully for him, but command 'newgrp G2' prompts for password. Any other user, member of the same

[SSSD-users] Re: How do I disable SRV lookup?

2015-12-01 Thread Ondrej Valousek
You can use ad for sudo_provider, but not for autofs - not yet :). BTW: the fix proposed earlier works indeed, specifying ldap_server explicitly disables SRV lookups. O. From: Andy Airey [airey.a...@gmail.com] Sent: Tuesday, December 01, 2015 6:08 PM To: End-user
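An added sssd.conf example (not from this thread, the autofs thread above, or the SSSD project) that puts the two pieces of advice together: an explicitly listed DC so no SRV lookup is made, and autofs served by the ldap provider over GSSAPI because the ad provider has no autofs back end. The domain, realm, hostnames and search base are placeholders; the nisMap/nisObject attribute names assume AD's Identity Management for UNIX schema and should be adjusted if the maps were created with a different schema:

```ini
# /etc/sssd/sssd.conf (added example; all names are placeholders)
[sssd]
services = nss, pam, autofs
domains = example.com

[domain/example.com]
id_provider = ad
auth_provider = ad
ad_domain = example.com
# Listing servers by name turns off DNS SRV discovery for this domain.
# Note: the option is ad_server for the ad provider; a pure ldap provider
# uses ldap_uri = ldap://dc1.example.com instead.
ad_server = dc1.example.com
ad_backup_server = dc2.example.com

# autofs has to come from the ldap provider; it reuses the AD connection.
autofs_provider = ldap
# Bind with the host keytab instead of a bind DN/password.
ldap_sasl_mech = GSSAPI
ldap_krb5_keytab = /etc/krb5.keytab
krb5_realm = EXAMPLE.COM
ldap_autofs_search_base = CN=Maps,OU=unix,DC=example,DC=com
# Attribute names below assume the IdMU (RFC 2307) nisMap/nisObject layout.
ldap_autofs_map_object_class = nisMap
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_object_class = nisObject
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry

[autofs]
```

Two caveats worth checking before relying on this. Hard-coding a DC removes failover unless ad_backup_server is also set, and the name you give must be the one in the DC's ldap/ SPN, otherwise the GSSAPI bind fails even though plain LDAP would connect. The host keytab must be readable by the sssd user and contain the host/ principal, and /etc/nsswitch.conf needs `automount: files sss`; after any change run `sss_cache -A` and confirm with `automount -m` that the master map lists entries.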
