[SSSD-users] Re: ldap_access_filter ignored for some users

2020-05-19 Thread Jakub Hrozek
On Mon, May 18, 2020 at 03:53:15PM +, Sajesh Singh wrote: > If there were no PAM requests then what could be triggering SSSD to do the > lookup that I see in the logs? > > -Sajesh- Oh, sorry, you're right, there is pam_print_data also in the second snippet. What log level was this gathered w

[SSSD-users] Re: ldap_access_filter ignored for some users

2020-05-18 Thread Jakub Hrozek
On Mon, May 18, 2020 at 01:29:49PM +, Sajesh Singh wrote: > Jakub, >Both of the logins were via a web application that uses the underlying PAM > subsystem on the server. Then you should look into the pam responder logs, too, because the back end logs show no PAM request.

[SSSD-users] Re: ldap_access_filter ignored for some users

2020-05-18 Thread Jakub Hrozek
On Fri, May 15, 2020 at 05:07:30PM +, Sajesh Singh wrote: > CentOS 7.8 > SSSD 1.16.4 > > Having a strange issue where the ldap_access_filter seems to be applied to > some users and not others when they are both logging into the same > application that is using the underlying OS PAM configura

[SSSD-users] Re: restrict sudo su -

2020-01-17 Thread Jakub Hrozek
On Fri, Jan 17, 2020 at 11:23:25AM +0100, Pavel Březina wrote: > On 1/17/20 8:40 AM, Jannis Mann wrote: > > Hi, > > I've implemented sssd with id, auth and access provider as ldap. So I am > > using a binding account and didn't joined the domain with the server. > > > > In general everything works

[SSSD-users] Re: Pros/cons of access_provider=ad + access.conf file vs access_provider=simple?

2019-12-05 Thread Jakub Hrozek
On Wed, Dec 04, 2019 at 09:58:00AM -0600, Spike White wrote: > Sssd experts, > > We have an AD-based sssd configuration that is working. For RHEL6, 7 and 8. > > We've done thorough lab testing + pilot projects. All good (with certain > RHEL6 restrictions). > > Currently, we're using access_pro

[SSSD-users] Re: Enumerate users from external group from AD trust

2019-11-29 Thread Jakub Hrozek
On Tue, Nov 26, 2019 at 01:03:39PM -0500, John Desantis wrote: > Jakub, > > > > Is the functionality in question only available for IPA masters? > > > > It shouldn't be and I'm seeing the users also on a client. I don't > > remember if there was ever a bug in the client portion, I guess > > lookin

[SSSD-users] Re: Debian10 and self-signed cert

2019-11-21 Thread Jakub Hrozek
On Tue, Nov 19, 2019 at 09:38:55AM +0200, Todor Petkov wrote: > Hello, > > I am trying to configure sssd authentication on Debian 10.2, sssd > 1.16.3, against 389-ds with self-signed certificate. > > In /etc/sssd/sssd.conf I have the line "ldap_tls_reqcert = never" > line, but when I start sssd m

[SSSD-users] Re: Enumerate users from external group from AD trust

2019-11-21 Thread Jakub Hrozek
On Thu, Nov 14, 2019 at 10:10:20AM -0500, John Desantis wrote: > Jakub, > > > This is confusing because the enumerate word is overloaded :-) > > Ha! Agreed. > > > What is not supported and I guess won't be is "getent passwd" or "getent > > group" to get all objects from AD. > > I definitely ag

[SSSD-users] Re: Enumerate users from external group from AD trust

2019-11-14 Thread Jakub Hrozek
On Wed, Nov 13, 2019 at 10:35:46AM -0500, John Desantis wrote: > Hello all, > > Apologies for the necromancy here, but there seems to be conflicting > information regarding group enumeration within an IPA AD Trust, > specifically, these tidbits: > > > > >>> ad_users is an IPA group that conta

[SSSD-users] Re: Any way to get sssd to ignore gidNumber (Posix attribute) when auto_private_group set to true?

2019-11-06 Thread Jakub Hrozek
On Tue, Nov 05, 2019 at 09:00:44PM -0600, Spike White wrote: > All, > > We're replacing a commercial product that ignores whatever GID is used in > gidNumber posix attribute, when auto_private_groups is set to true. > > However, we find in sssd that even when we set auto_private_groups = True, >

[SSSD-users] Re: sssd-session-recording

2019-10-22 Thread Jakub Hrozek
On Tue, Oct 22, 2019 at 12:51:27PM +, MAUPERTUIS, PHILIPPE wrote: > Hi list, > With Redhat 8 come tlogs for session recording. > It seems a promising tool to comply with PCI DSS requirement 10.2 which > requires Monitoring of all actions taken by any individual with root or > administrative p

[SSSD-users] Re: autofs with samba AD

2019-09-30 Thread Jakub Hrozek
On Fri, Sep 27, 2019 at 01:05:17PM +0200, w...@mailbox.org wrote: > > > Jakub Hrozek wrote on 27 September 2019 at 09:55: > > > > > > On Fri, Sep 27, 2019 at 09:34:42AM +0200, w...@mailbox.org wrote: > > > > > >

[SSSD-users] Re: autofs with samba AD

2019-09-27 Thread Jakub Hrozek
On Fri, Sep 27, 2019 at 09:34:42AM +0200, w...@mailbox.org wrote: > > > Jakub Hrozek wrote on 26 September 2019 at 14:52: > > > > > > On Tue, Sep 24, 2019 at 01:21:45PM +0200, w...@mailbox.org wrote: > > > Hello list, > > > I

[SSSD-users] Re: autofs with samba AD

2019-09-26 Thread Jakub Hrozek
On Tue, Sep 24, 2019 at 01:21:45PM +0200, w...@mailbox.org wrote: > Hello list, > I'm trying to setup sssd to access automounter rules stored on an AD (samba > 4.7.6). > I followed the instructions on this site, however it doesn't work for me. > https://ovalousek.wordpress.com/2015/08/03/autofs/

[SSSD-users] Re: Offline caching of group names and memberships?

2019-09-25 Thread Jakub Hrozek
On Wed, Sep 25, 2019 at 06:25:06PM -0500, Spike White wrote: > Yes, true statement. > > We also do not own AD -- only the Linux builds. The AD admins insist on > camel-case for group names and user names. > > Yes, AD and Windows are case-insensitive. But Linux and Kerberos are not. > > I know

[SSSD-users] Re: sssd-krb5, krb5_ccachedir, DIR-cache-store...

2019-09-23 Thread Jakub Hrozek
On Sun, Sep 22, 2019 at 04:16:58PM -, Jostein Fossheim wrote: > We are working with several kerberos-REALMS and are trying to get our clients > to store their kerberos tickets in a DIRECTORY. This seems to work nicely for > clients not authenticating at login, with the following configuration

[SSSD-users] Re: Questions about the PAC responder

2019-09-19 Thread Jakub Hrozek
On Wed, Sep 18, 2019 at 06:25:31PM -0700, Jim Burwell wrote: > Hi, > > I recently encountered issues where logins on Linux clients using SSSD > and the AD provider, pointed directly to an AD server were randomly > slow.  Randomly meaning, some clients experienced no slowness at all, > other client

[SSSD-users] Re: [AD] Filter out disabled users

2019-09-11 Thread Jakub Hrozek
On Wed, Sep 11, 2019 at 09:04:40PM +0200, Hinrikus Wolf wrote: > Hi, > > that's actually what we tried: > > > > [sssd] > > domains = fsmpi.rwth-aachen.de > > config_file_version = 2 > > services = nss, pam > > > > [pam] > > offline_credentials_expiration = 1 > > offline_failed_login_attempts

[SSSD-users] Re: another ubuntu 18 sssd issue: cron

2019-08-29 Thread Jakub Hrozek
la. But I completely trust the glibc developers that this is non-trivial. On Thu, Aug 29, 2019 at 01:43:07PM +, Charles Hedrick wrote: > Cute. I wondered why the problem didn’t happen on Centos. That explains it, > but wasn’t at all the explanation I was expecting. > > On Aug 26

[SSSD-users] Re: Group disappears from users / no group name gets resolved

2019-08-27 Thread Jakub Hrozek
On Mon, Aug 26, 2019 at 04:25:38PM -, Jamal Mahmoud wrote: > Hi Jakub, > > I've managed to catch the error again with my own machine so this time I've > had time to properly capture the issue. I've been looking into the logs and > what seems to be happening is that we have multiple AD Domain

[SSSD-users] Re: another ubuntu 18 sssd issue: cron

2019-08-26 Thread Jakub Hrozek
On Mon, Aug 26, 2019 at 01:37:43PM +, Charles Hedrick wrote: > After converting a system to sssd with an IPA backend, we found that cron was > not recognizing our users. It appears (based on using lsof to see what .so > files are open) that cron is reading nsswitch.conf at startup, and doesn’

[SSSD-users] Re: Patch for sssd to fix recursion problems with Winbind (Samba Bug #13815)

2019-08-23 Thread Jakub Hrozek
On Fri, Aug 23, 2019 at 03:46:54PM +0200, Heiko Wundram wrote: > Hello list, > > for a deployment I'm administering, I'm using winbind and sssd in parallel, > both for different authentication sources (so it's not about their > interoperability, but rather about using them in parallel). It seems t

[SSSD-users] Re: Group disappears from users / no group name gets resolved

2019-08-22 Thread Jakub Hrozek
On Thu, Aug 22, 2019 at 11:11:18AM -, Jamal Mahmoud wrote: > We've been experiencing an intermittent issue relating to SSSD v1.15.2, we > are running CentOS7.4 on our workstations. We use SSSD to communicate with > our Active Directory to pull users for auth. The majority of users have a > c

[SSSD-users] Re: Problem getting sssd to work with LDAP authentication

2019-08-13 Thread Jakub Hrozek
On Mon, Aug 12, 2019 at 07:21:15PM -, Jane Eason wrote: > We do not have the uid number in LDAP. > > In our LDAP uid is the username, so LDAP has e.g. uid=bob. There is a local > Linux user named "bob" as well (we are not creating accounts on login). > > We thought we could get around havi

[SSSD-users] Re: Problem getting sssd to work with LDAP authentication

2019-08-12 Thread Jakub Hrozek
On Fri, Aug 09, 2019 at 08:33:43PM -, Jane Eason wrote: > Our LDAP does not include the POSIX schema, so we made a couple of entries in > sssd.conf to attempt to work around that. > > Here is our complete (slightly redacted) sssd.conf: > > [domain/mydomain] > id_provider = ldap > auth_provid

[SSSD-users] Re: [AD] Filter out disabled users

2019-08-12 Thread Jakub Hrozek
On Sun, Jul 21, 2019 at 06:08:18PM +0200, Hinrikus Wolf wrote: > Hi, > > we are currently running a Samba AD DC Server with sssd on clients. Now > we want to run sssd also on our mail server with postfix + dovecot. > Postfix and dovecot get their users from NSS i.e. from sssd. > In our Domain ther

[SSSD-users] Re: override_gid not applying to trusted/parent AD domains when joined via child

2019-08-08 Thread Jakub Hrozek
On Thu, Aug 08, 2019 at 02:31:32PM -0400, Josh Snyder wrote: > On Thu, Aug 8, 2019 at 2:05 PM Sumit Bose wrote: > > > On Thu, Aug 08, 2019 at 01:25:08PM -0400, Josh Snyder wrote: > > > Hi All, > > > > > > I'm working in a proof of concept for a customer where I've been asked to > > > join the chi

[SSSD-users] Re: socket activated services and "implicit" sssd.conf?

2019-08-03 Thread Jakub Hrozek
On Thu, Aug 01, 2019 at 07:50:09PM +0300, Timo Aaltonen wrote: > > Hi, > > As discussed on irc, the fallback config enables 'services=nss', and > check_socket_activated_responder() bails out if there's no conffile. > > So both should be fixed to allow sssd to start without extra noise when > soc

[SSSD-users] Re: [AD] User discovery/enumeration issue due to domain settings

2019-07-31 Thread Jakub Hrozek
On Tue, Jul 30, 2019 at 06:42:06PM +0200, Christian Lamparter wrote: > Hello again, > > On Fri, 2019-07-26 at 14:08 +0200, Jakub Hrozek wrote: > > On Fri, Jul 26, 2019 at 12:50:16PM +0200, Christian Lamparter wrote: > > > I'm currently setting up sssd (Debian

[SSSD-users] Re: [AD] User discovery/enumeration issue due to domain settings

2019-07-26 Thread Jakub Hrozek
On Fri, Jul 26, 2019 at 12:50:16PM +0200, Christian Lamparter wrote: > Hello Folks, > > I'm currently setting up sssd (Debian 1.16.3) on Debian Buster 10.0 > and I ran into a problem that I was able to trace down to the domain > permission/security settings that placed the users into a special OU

[SSSD-users] Re: Max hostname len in adcli or realm join to AD?

2019-07-22 Thread Jakub Hrozek
On Fri, Jul 19, 2019 at 11:43:37AM -0500, Spike White wrote: > All, > > In previous AD integration tools, the max host name length was customarily > 15 chars. Because of ancient NETBIOS restrictions (16 char restrictions > and netbios adds a '$' to the end of host name). > > That was like an AD

[SSSD-users] Re: sssd_be core dumping when ‘realm permit’ command run under puppet control…

2019-07-16 Thread Jakub Hrozek
On Tue, Jul 16, 2019 at 12:32:29PM -0500, Spike White wrote: > The following case has been opened with RHEL support on this. It was > opened this morning: > > (SEV 4) Case #02427449 ('realm permit group@DOMAIN' causing background > process sssd_be to segfault.) Thank you, comment added. I hope a

[SSSD-users] Re: Replicate digest mapping from pam_pkcs11

2019-07-15 Thread Jakub Hrozek
Thank you; comment added. So hopefully the case would turn into a bug report. (This still does not mean the digest matching would be implemented, but it's the best way I can think of to track a missing functionality..) On Mon, Jul 15, 2019 at 08:27:08PM -, James Trater wrote: > Thank you. I h

[SSSD-users] Re: sssd_be core dumping when ‘realm permit’ command run under puppet control…

2019-07-15 Thread Jakub Hrozek
On Mon, Jul 15, 2019 at 12:50:03PM -0500, Spike White wrote: > All, > > This is a strange one. When we exec this command under puppet control: > > /usr/sbin/realm permit -R AMER.COMPANY.COM > processehcprofi...@amer.company.com > > Then sssd_be core dumps (segfault). Anytime sssd_be segfaults,

[SSSD-users] Re: Replicate digest mapping from pam_pkcs11

2019-07-15 Thread Jakub Hrozek
On Mon, Jul 15, 2019 at 02:49:19PM -, James Trater wrote: > Hello. > > Is it possible to replicate the digest mapping feature of pam_pkcs11 > in sssd? We have built our infrastructure around the notion of mapping > users to certificates based on the certificate digest. With the removal > of pa

[SSSD-users] Re: sssd sudo using Microsoft Active Directory

2019-07-02 Thread Jakub Hrozek
On Mon, Jul 01, 2019 at 09:09:24AM -, B M wrote: > Hi Jakub, > > Thx for the suggestions! > > Here more logs: > > NOTE: Replaced - or from the original name. > > /var/log/sssd/sssd_sudo.log > > (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [accept_fd_handler] (0x0400): Client > co

[SSSD-users] Re: sssd sudo using Microsoft Active Directory

2019-07-01 Thread Jakub Hrozek
On Sun, Jun 30, 2019 at 09:31:17AM -, Bruno Monteiro wrote: > Hello, > > Below my configuration and errors :) > > (I've adapted some strings for the sake of example - domain is not real) > > cat /etc/sssd/sssd.conf > [sssd] > services = nss, pam,ssh, sudo > debug_level = 0x7FFF > domains = L

[SSSD-users] Re: id / getent not finding AD users

2019-06-27 Thread Jakub Hrozek
On Thu, Jun 27, 2019 at 05:01:27PM +, Thomas Beaudry wrote: > Hi Jakub, > > So I tried > > >> Does it help to increase the dns_resolver_timeout from its default of 6 > seconds? Please see the note in man sssd-ad, there are several timeouts > that might need to be increased in unison, can you

[SSSD-users] Re: id / getent not finding AD users

2019-06-25 Thread Jakub Hrozek
; (Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [request_watch_destructor] > (0x0400): Deleting request watch > (Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_id_op_connect_done] > (0x0020): Failed to connect, going offline (5 [Input/output error] > > > Thanks! &

[SSSD-users] Re: id / getent not finding AD users

2019-06-25 Thread Jakub Hrozek
On Tue, Jun 25, 2019 at 07:25:45PM +, Thomas Beaudry wrote: > Hi Jakub, > > Thanks for the link so I followed the troubleshooting and I notice I can't > reach the data provider mentioned in step 4 ("If the command is reaching the > NSS responder, does it get forwarded to the Data Provider?")

[SSSD-users] Re: sssd with samba

2019-06-24 Thread Jakub Hrozek
On Wed, Jun 19, 2019 at 01:57:59PM -0300, Edouard Guigné wrote: > Dear sssd users, > > I would like to get information about the use of sssd with samba (centos 7, > samba 4.8.3). > > I need it because I configured a samba share, accessible with sssd. > The authentication is against a windows AD.

[SSSD-users] Re: id / getent not finding AD users

2019-06-24 Thread Jakub Hrozek
On Tue, Jun 18, 2019 at 06:57:14PM +, Thomas Beaudry wrote: > Hi Guys, > > > I have 2 Ubuntu 16.04 servers that have their users run by AD. The sssd.conf > and output of "realm list" is identical for both servers. However, one of > them can't seem to find the AD users, so ssh fails. I tr

[SSSD-users] Re: Use local posix group with ad-users to allow login access

2019-06-24 Thread Jakub Hrozek
On Fri, Jun 14, 2019 at 09:22:17AM -, Mads Boye wrote: > Hi Jakub. > Thank you for the reply. I still have no success. > > Did try the AllowGroup in sshd_config but with no luck. > > So I did a bit more investigation on pam_access and think that pam_access and > pam_sss might be locking each

[SSSD-users] Re: Announcing SSSD 2.2.0 (this time with the correct release notes)

2019-06-13 Thread Jakub Hrozek
he` tests were merged * data_provider_be: got rid of went_offline usage * providers/ipa: Fixed obvious copy-paste error * providers/ipa: Changed default service search base * TESTS: ability to run unit tests under valgrind * Monitor & utils: got rid of pid filen

[SSSD-users] Announcing SSSD 2.2.0

2019-06-13 Thread Jakub Hrozek
eference from test_sysdb_certmap * tests: remove LOCAL_SYSDB_FILE reference from test_sysdb_domain_resolution_order_ * tests: remove LOCAL_SYSDB_FILE reference from test_sysdb_subdomains * tests: remove LOCAL_SYSDB_FILE reference from common_dom * local: build local provider conditionally

[SSSD-users] Re: Use local posix group with ad-users to allow login access

2019-06-13 Thread Jakub Hrozek
On Thu, Jun 13, 2019 at 11:36:53AM -, Mads Boye wrote: > Hi everyone. > So I am banging my head against the wall and need some help. > What I try to achieve is having a local posix group, which contains active > directory users. > Now I would like to use this posix group to allow the users to a

[SSSD-users] Re: [alexander.fier...@mpi-dortmund.mpg.de: enumerate in sssd.conf]

2019-06-05 Thread Jakub Hrozek
On Wed, Jun 05, 2019 at 10:14:46AM +0200, Jakub Hrozek wrote: > Date: Wed, 5 Jun 2019 10:04:56 +0200 > From: Alexander Fieroch > To: sssd-users-ow...@lists.fedorahosted.org > Subject: enumerate in sssd.conf > User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101

[SSSD-users] [alexander.fier...@mpi-dortmund.mpg.de: enumerate in sssd.conf]

2019-06-05 Thread Jakub Hrozek
--- Begin Message --- Hi, I've set "enumerate = true" in sssd.conf which is working good for me and our AD clients. Now I recognized that RedHat does not recommend "enumerate = true" in sssd.conf: When I disable enumerate in sssd, "getent passwd"

[SSSD-users] Re: Dynamic domain lookup

2019-06-03 Thread Jakub Hrozek
On Fri, May 31, 2019 at 10:10:12AM -0400, Nerigal wrote: > Hi, > > Is it possible to make the domain section match the domain used by the > user to authenticate using the re_expression = > (?P[^@]+)@?(?P[^@]*$) > > So the domain section would look like > > [domain/$domain] > > ... I don't

[SSSD-users] Re: Stupid question on ldap_user_email

2019-05-22 Thread Jakub Hrozek
On Tue, May 21, 2019 at 02:43:45PM +0100, John Hearns wrote: > I have a test system which authenticates using sssd and an LDAP provider. > So far so good! > > In my LDAP object there is the field 'mail' which is my correct email > address. > I know I can get this using an ldapsearch. > However I a

[SSSD-users] Re: group memberships not updating

2019-05-15 Thread Jakub Hrozek
On Wed, May 15, 2019 at 12:33:33PM +0100, Toby Blake wrote: > Hi, > > We have noticed an issue where group memberships are not being updated > on a significant number of our machines. > > It appears that this has been reported in the following two bug reports: > > https://pagure.io/SSSD/sssd/iss

[SSSD-users] Re: authenticate linux using active directory without joined

2019-05-15 Thread Jakub Hrozek
On Sun, May 05, 2019 at 10:10:39AM +, Antonio Pena Diaz wrote: > Hi, > > > I need to connect by ssh using users centralized on AD, but linux servers > client use nslcd to retrieve the users settings and mapping attributes.. > > > I don't want to join linux servers into domain, and not use

[SSSD-users] Re: pam_sssd: reset Samba4/AD password

2019-05-15 Thread Jakub Hrozek
On Tue, May 14, 2019 at 10:04:56AM +0200, Julien TEHERY wrote: > Hi there > > > We have a samba4 AD (installed on ubuntu servers) and also ubuntu client > workstations. > Those ubuntu workstations authenticate themselves to samba4/AD server > through pam_sssd. > > Users authentication against Sa

[SSSD-users] Re: RHEL8 sssd-kcm can't accept credentials forwarded from sshd?

2019-05-15 Thread Jakub Hrozek
On Fri, May 10, 2019 at 01:20:51PM -0400, James Ralston wrote: > Now that RHEL8 is out, our site is again looking at whether it would > be feasible to change our default Kerberos credentials storage from > the kernel persistent keyring to sssd-kcm. Which version is this? Is this RHEL-8 GA or one o

[SSSD-users] Re: Local group and AD user mapping

2019-05-05 Thread Jakub Hrozek
On Sun, May 05, 2019 at 04:11:34PM -, soham chakraborty wrote: > Hi, > > I have a requirement where human users will be logging in with their AD > accounts. However, there are some applications that create local user and > group and at times, the AD users may need to work on the application,

[SSSD-users] Re: Problems with subdomains_provider & group membership

2019-04-30 Thread Jakub Hrozek
On Tue, Apr 23, 2019 at 12:03:20PM +, Ondrej Valousek wrote: > Hi List, > I just noticed that sssd is unable to detect any groups user belongs to after > I set > Subdomains_provider = none > In my sssd.conf > > Using AD provider, using token groups, not using fully qualified names. > Is this

[SSSD-users] Re: hostname resolution expired? (version 1.13.4-34.23.1.x86_64)

2019-04-17 Thread Jakub Hrozek
On Wed, Apr 17, 2019 at 06:21:18PM +, Beale (US), Gareth wrote: > We are seeing the following in our sssd_default.log which appears to coincide > with some authentication failures. What would cause the hostname resolution > to expire? Can we change the length of whatever timeout might be caus

[SSSD-users] Re: Listing sudo rules

2019-04-10 Thread Jakub Hrozek
On Wed, Apr 10, 2019 at 05:46:54PM +0200, Maupertuis Philippe wrote: > Hi, > I need to collect various information about a server. > Among them are the sudo rules in place. > Is there any way to get all the sudo rules from the server itself without > making assumption about how the sssd is configu

[SSSD-users] Re: Fedora 29 SSSD changes/SSSD Cache Path Alternative

2019-03-25 Thread Jakub Hrozek
On Mon, Mar 25, 2019 at 11:09:44AM +0100, Lukas Slebodnik wrote: > On (24/03/19 19:10), Gregory Carter wrote: > >I have a diskless workstation, which I noticed recently with some updates > >has stopped working with respect to sssd. Here is the config which no > >longer works: > > > >[domain/defaul

[SSSD-users] Announcing SSSD 1.16.4

2019-03-20 Thread Jakub Hrozek
name retrieval * lib/cifs_idmap_sss: fixed unaligned mem access * ci/sssd.supp: fixed c-ares-suppress-leak-from-init * negcache: avoid "is_*_local" calls in some cases * Monitor: changed provider startup timeout * Fabiano Fidêncio (1): * man/sss_ssh_knownh

[SSSD-users] Re: Announcing SSSD 2.1

2019-02-28 Thread Jakub Hrozek
On Thu, Feb 28, 2019 at 09:56:46AM +0100, Jakub Hrozek wrote: > == SSSD 2.1 === > > The SSSD team is proud to announce the release of version 2.1 of > the System Security Services Daemon. > > As always, the source is available from https://fedorahosted.org/sss

[SSSD-users] Announcing SSSD 2.1

2019-02-28 Thread Jakub Hrozek
common.c: fix Coverity issue * sss_client/common.c: fix off-by-one error in sizes check * sss_client/common.c: comment amended * sss_client/nss_services.c: indentation fixed * sss_client/nss_services.c: fixed incorrect mutex usage * sss_client: global unexpor

[SSSD-users] Re: How to keep the password in sync with AD?

2019-02-28 Thread Jakub Hrozek
On Thu, Feb 28, 2019 at 12:29:30AM -, Ian Puleston wrote: > "SunnyvaleSite" is correct, and adding that as ad_site is what fixed (or > worked-around) the problem. > > > what do you mean by "did not try to use that when it could not look it up > > while online" ? > > When I was online (witho

[SSSD-users] Re: ldap_id_mapping=True login linux the user UID auto change

2019-02-27 Thread Jakub Hrozek
On Wed, Feb 27, 2019 at 01:13:03AM -, CharlesLee wrote: > Hi Jakub, > Thanks for your reply. > > I turned off ldap_id_mapping and use POSIX IDs, then the user can not use the > password of AD. > The user can not log in to linux using AD's password. But it would be nice to see some debug

[SSSD-users] Re: How to keep the password in sync with AD?

2019-02-27 Thread Jakub Hrozek
On Wed, Feb 27, 2019 at 12:59:27AM -, Ian Puleston wrote: > Hi, > > Thanks for the help. I now seem to have the problem sorted out and things are > now working OK after a configuration change: > > I did have to rejoin the domain first, and that did not go very smoothly. > Having successfull

[SSSD-users] Re: No netgroup_provider?

2019-02-18 Thread Jakub Hrozek
On Mon, Feb 18, 2019 at 06:34:54PM +0100, Lukas Slebodnik wrote: > >Also, any particular reason there’s not a netgroup_provider? > > > > Because netgroups are part of id_provider > The same as users, groups and service. (There is neither user_provider nor > group_provider ...) btw the reasoning b

[SSSD-users] Re: ldap_id_mapping=True login linux the user UID auto change

2019-02-18 Thread Jakub Hrozek
On Mon, Feb 18, 2019 at 03:27:57PM -, CharlesLee wrote: > Hi Jakub, > > Because I want to control the uid in 4 digits. I would suggest that the ID mapping is not the right tool, then, and using POSIX IDs might be better. ___ sssd-users mailing list

[SSSD-users] Re: ldap_id_mapping=False then AD user's password not availabe

2019-02-18 Thread Jakub Hrozek
On Mon, Feb 18, 2019 at 03:21:55PM -, CharlesLee wrote: > Hi Jakub, > > Yes, I did rm -rf /var/lib/sss/db/* after turning off ldap_id_mapping. > In linux the AD user can have a uidNumber, but the AD user's password was > invalid in linux. Then please follow the debugging steps: https://do

[SSSD-users] Re: ldap_id_mapping=True login linux the user UID auto change

2019-02-18 Thread Jakub Hrozek
On Mon, Feb 18, 2019 at 03:36:48AM -, CharlesLee wrote: > Hi, everyone > > I have a problem with sssd 1.16.0 used in CentOS7 with AD (windows server > 2008R2). > > I used realm to join the AD, and the sssd config is as follows: > [domain/default] > autofs_provider = ldap > cache_credentials = True > krb5_

[SSSD-users] Re: Any way to disallow unauthorized users in the pam "authentication" phase instead of "account" phase?

2019-02-18 Thread Jakub Hrozek
On Fri, Feb 15, 2019 at 09:02:44PM -0600, Spike White wrote: > All, > > This is not a big deal -- just curious. > > We have a commercial Linux AD integration product. In it, the incoming > user's authorization to log in is validated during the PAM "authentication" > phase. So if it's a legal AD

[SSSD-users] Re: ldap_id_mapping=False then AD user's password not availabe

2019-02-18 Thread Jakub Hrozek
On Fri, Feb 15, 2019 at 09:47:46AM -, CharlesLee wrote: > Hi sumit, > > Thanks for your reply. > > I'm using windows server 2008R2 AD. > I use "ldap_id_mapping=False" because I want the AD's user in linux UID is > gidNumber, if I use "ldap_id_mapping=True" the user's uid in linux will can

[SSSD-users] Re: password not complex enough error for AD users

2019-02-10 Thread Jakub Hrozek
On Fri, Feb 08, 2019 at 04:32:35PM -, robert wild wrote: > do I have to put down this under my domain section part in > "/etc/sssd/sssd.conf" > > debug_level = 10 yes, see: https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

[SSSD-users] Re: password not complex enough error for AD users

2019-02-08 Thread Jakub Hrozek
On Fri, Feb 08, 2019 at 02:39:18PM -, robert wild wrote: > do I need to enable logging for this? yes.

[SSSD-users] Re: password not complex enough error for AD users

2019-02-08 Thread Jakub Hrozek
On Thu, Feb 07, 2019 at 11:29:48PM -, robert wild wrote: > hi all, > > I have got sssd on a centos 7 vm and I have got it working > > https://www.linuxtechi.com/integrate-rhel7-centos7-windows-active-directory/ > > as when I do > > id AD_user > > it comes up with the uid, gid and all the g

[SSSD-users] Re: How to keep the password in sync with AD?

2019-02-06 Thread Jakub Hrozek
On Tue, Feb 05, 2019 at 10:13:41PM -, Ian Puleston wrote: > Thanks for the suggestion Sumit. Your kinit command gave this output: > > kinit: Pre-authentication failed: Permission denied while getting initial > credentials > > I wasn't sure if I should run that direct from my domain user acco

[SSSD-users] Re: SSSD : id don't display groups name subdomain (Child trust)

2019-02-05 Thread Jakub Hrozek
de.d/ > [logging] > default = FILE:/var/log/krb5libs.log > kdc = FILE:/var/log/krb5kdc.log > admin_server = FILE:/var/log/kadmind.log > > [libdefaults] > dns_lookup_realm = false > ticket_lifetime = 24h > renew_lifetime = 7d > forwardable = true > rdns = false > de

[SSSD-users] Re: Best practice, experience with NIS => AD migrations?

2019-02-05 Thread Jakub Hrozek
On Mon, Feb 04, 2019 at 03:19:27PM -0600, Spike White wrote: > Sssd practitioners, > > (I hope this topic is not inappropriate to this target audience.) > > My company is looking at retiring NIS, in favor of AD. Altogether, there > are several thousand Linux servers (& a few UNIX servers) gettin

[SSSD-users] Re: Cannot use smart card auth on Ubuntu 18.04

2019-02-05 Thread Jakub Hrozek
On Fri, Feb 01, 2019 at 02:20:21PM -0700, Orion Poplawski wrote: > I'm not having any luck using smart card auth on an IPA joined Ubuntu 18.04 > system. It appears that pam is not properly configured, and in particular I > don't see "allow_missing_name" in use: > > /etc/pam.d/common-auth: > auth

[SSSD-users] Re: AD multiple domains - login failed for child domain

2019-02-05 Thread Jakub Hrozek
On Thu, Jan 31, 2019 at 04:27:02PM +0100, Jeremy Monnet wrote: > Hello, > > I never fixed issues I had last year > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/5XUJLUVI5JZILZKDK5DRHK7PSQNIZZBD/ > but I did make a new test on a brand new ubuntu up to date, a

[SSSD-users] Re: SSSD for keycloak integration

2019-01-29 Thread Jakub Hrozek
On Tue, Jan 29, 2019 at 10:22:38PM +0530, sheetalmane4 wrote: > Hi, > > Is there any possibility to use keycloak as a user management and SSSD > for linux user authentication ? It is possible to fetch user data via SSSD from whatever source SSSD can access: https://www.keycloak.org/docs/4.8

[SSSD-users] Re: Simplify ldap `memberOf` searches

2019-01-18 Thread Jakub Hrozek
On Thu, Jan 17, 2019 at 04:58:09PM -0700, Sean Roberts wrote: > Thanks. For the LDAP provider, what did you mean by matched with a > substring search? A wildcard? Yes, I tested with: ldapsearch -H ldap://server.ipa.test -b cn=accounts,dc=ipa,dc=test '(&(uid=admin)(memberof=cn=R*)) on my

[SSSD-users] Re: Simplify ldap `memberOf` searches

2019-01-17 Thread Jakub Hrozek
On Tue, Jan 15, 2019 at 07:32:34AM -0700, Sean Roberts wrote: > SSSD experts - Is it possible to simplify ldap searches like the one below > to specify the group name without its full path: > ``` > ldap_user_search_base="DC=example,DC=internal?subtree?(|(memberOf=CN=project-users,OU=2,OU=1,DC=exam

[SSSD-users] Re: Sssd and gidNumber

2019-01-17 Thread Jakub Hrozek
On Wed, Jan 16, 2019 at 05:33:41AM -, Dmitrij S. Kryzhevich wrote: > I have setup with 3 clients and server. Server runs samba as AD and ldap + > kerberos. Clients use sss: 1) fedora with 2.0.0, 2) centos with 1.16.0 and 3) > centos with 1.16.2. All clients use 1:1 sssd.conf. I want sss to us

[SSSD-users] Re: Understanding sssd cache

2019-01-16 Thread Jakub Hrozek
On Wed, Jan 16, 2019 at 03:50:59PM +0100, Maupertuis Philippe wrote: > > > > -----Original message----- > > From: Jakub Hrozek [mailto:jhro...@redhat.com] > > Sent: Wednesday 16 January 2019 15:24 > > To: sssd-users@lists.fedorahosted.org > > Subject:

[SSSD-users] Re: Understanding sssd cache

2019-01-16 Thread Jakub Hrozek
On Wed, Jan 16, 2019 at 01:45:35PM +0100, Maupertuis Philippe wrote: > > > > -----Original message----- > > From: Lukas Slebodnik [mailto:lsleb...@redhat.com] > > Sent: Wednesday, 16 January 2019 12:47 > > To: End-user discussions about the System Security Services Daemon > > Subject: [SSSD-users

[SSSD-users] Re: Sudo in a ldap

2019-01-14 Thread Jakub Hrozek
On Mon, Jan 14, 2019 at 09:06:31AM +0100, Maupertuis Philippe wrote: > Hi, > I am new on this mailing list, so please forgive me if my question has already > been answered. > I did read the archive to try to find something. > > My d.conf retrieves the information from a 389ds ldap including sudo r

[SSSD-users] Re: sssd: AD service discovery and invalidating cache

2019-01-08 Thread Jakub Hrozek
On Mon, Jan 07, 2019 at 06:01:08PM +, R Davies wrote: > On Fri, 4 Jan 2019 at 10:19, Jakub Hrozek wrote: > > > Would the stickiness also persist across SRV priority levels? What I > > mean is that if server1 had originally the highest priority (the lowest > > priority

[SSSD-users] Re: sssd: AD service discovery and invalidating cache

2019-01-04 Thread Jakub Hrozek
On Fri, Jan 04, 2019 at 09:20:20AM +, R Davies wrote: > (re-sending as I initially sent to ssd-users-owners in error) > > For an AD environment using service discovery. > > Periodically sssd will invalidate its cache at unexpected times. Digging > around debug logs and sources leads me to un

[SSSD-users] Re: sssd database backup / restore (or transplant to another client)

2019-01-04 Thread Jakub Hrozek
On Thu, Jan 03, 2019 at 10:01:47AM +0200, Nikos Zaharioudakis wrote: > Good morning list, > > I have an idea which I would like to experiment with, but experts' > advice may save me lots of time. > > The scenario I have in mind is like this: > > (assume OS and vers are latest RHEL/CentOS) > > I

[SSSD-users] Re: Can I have sssd manage known_hosts with LDAP?

2018-12-10 Thread Jakub Hrozek
On Mon, Dec 10, 2018 at 01:19:33PM -, George Diamantopoulos wrote: > Thanks for the reply Jakub. > > Does this mean that there is no support in 1.15 at all, or that the attribute > name is hardcoded as "fqdn" but still usable if the schema complies? There is no support at all, the sss_ssh_k

[SSSD-users] Re: Problem with resolving unqualified group names

2018-12-10 Thread Jakub Hrozek
On Fri, Nov 23, 2018 at 10:16:26AM +, Ondrej Valousek wrote: > Hi List, > > > I have noticed that in my case both > > getent passwd @ and getent passwd > > works, but > > getent group @ > > does not, only: > > getent group > > works. > > > Is that expected behavior? No (but I don't

[SSSD-users] Re: sssd AD authentication working; sssd autofs against LDAP / rfc2307bis not working...

2018-12-10 Thread Jakub Hrozek
On Wed, Dec 05, 2018 at 12:28:18PM -0600, Spike White wrote: > Sssd experts, > > This is all on RHEL7. > > I have sssd properly authenticating against AD for my multi-domain forest. > All good – even cross-domain auth (as long as I don’t use tokengroups.) > Our company’s AD implementation is RFC2

[SSSD-users] Re: filter out disabled ipa user

2018-12-10 Thread Jakub Hrozek
On Thu, Dec 06, 2018 at 10:59:04AM -, Stijn De Weirdt wrote: > hi all, > > we are using ipa as id_provider/access_provider/auth_provider for a domain, > and we want to somehow completely hide users that are disabled in ipa. for > now, disabled users are still known on the hosts (eg "getent p

[SSSD-users] Re: Can I have sssd manage known_hosts with LDAP?

2018-12-10 Thread Jakub Hrozek
On Sat, Dec 08, 2018 at 08:09:09PM +0200, George Diamantopoulos wrote: > User ssh public key retrieval works fine in my configuration. I'm using > sssd 1.15 which ships with Debian stretch. I'm afraid the commit that exposed the host key lookup to the LDAP provider is only present in 1.16.1 and ne

[SSSD-users] Re: sssd with sudo and non posix groups

2018-11-15 Thread Jakub Hrozek
On Wed, Nov 14, 2018 at 09:45:23AM -0800, Leonard Lawton wrote: > On 11/14/2018 12:28 AM, Jakub Hrozek wrote: > > On Tue, Nov 13, 2018 at 05:00:56PM -0800, Leonard Lawton wrote: > > > I have a group in ldap(I'm using 389DS) called "_all" which has a > > &

[SSSD-users] Re: SSSD in AIX

2018-11-14 Thread Jakub Hrozek
On Mon, Nov 12, 2018 at 05:24:54PM +0530, Ayappan wrote: > On Mon, Nov 12, 2018 at 4:56 PM Jakub Hrozek wrote: > > > > On Mon, Nov 12, 2018 at 03:57:53PM +0530, Ayappan wrote: > > > Hi, > > > > > > I am from AIX OS development team here in IBM. We have

[SSSD-users] Re: sssd with sudo and non posix groups

2018-11-14 Thread Jakub Hrozek
On Tue, Nov 13, 2018 at 05:00:56PM -0800, Leonard Lawton wrote: > I have a group in ldap (I'm using 389DS) called "_all" which has a > groupofnames object class. Members are stored with the uniquemember > attribute. The users in the group are able to log in fine via ssh using this > setup. However,

[SSSD-users] Re: SSSD login delay

2018-11-14 Thread Jakub Hrozek
On Mon, Nov 12, 2018 at 04:25:30PM -, Jonathan Gray wrote: > Hello, > > We need help debugging this issue. > > For some servers we're experiencing over a 10 second delay logging in with an IPA > user. > Since the issue isn't present everywhere we're finding it hard to debug. > > > SSSD config l

[SSSD-users] Re: SSSD in AIX

2018-11-12 Thread Jakub Hrozek
On Mon, Nov 12, 2018 at 03:57:53PM +0530, Ayappan wrote: > Hi, > > I am from the AIX OS development team here in IBM. We have some customers > who are interested in running SSSD in AIX. So I basically invested > some amount of time to first build SSSD in AIX. I built the recent > version 1.16.3 after

[SSSD-users] Re: Id vs ldapsearch

2018-11-12 Thread Jakub Hrozek
On Tue, Nov 06, 2018 at 05:22:52PM -0500, Tom wrote: > Just a general question about the behaviour of sss_cache, id and ldapsearch. > > Id will return say 8 groups and for the same user ldapsearch will return 10. > > Now as long as id returns 8, apps report authentication denied because the > us
