[SSSD-users] Re: sssd System error

2016-07-28 Thread Justin Stephenson
for errors. A message like 'Got request for...' in the logs is when the request hits the backend and the message below is when the response from the backend is sent back to the client (PAM) [be_pam_handler_callback] (0x0100): Backend returned: (0, 4, ) [Success] Kind regards, Justin Stephenson

[SSSD-users] Re: account not authenticating in child domain

2017-01-31 Thread Justin Stephenson
login with your user with a password? Sorry, I have not seen the error 'KDC policy rejects request' before. Please also check /etc/krb5.conf matches between working and non-working systems. Kind regards, Justin Stephenson *Sonia Gilbert, -Engineer II, Information Protection & Compli

[SSSD-users] Re: account not authenticating in child domain

2017-01-30 Thread Justin Stephenson
n,dc=local]. (Mon Jan 30 14:24:41 2017) [sssd[be[jstephen.local]]] [sdap_get_initgr_user] (0x4000): Found matching dn [CN=sssduser,CN=Users,DC=jstephen,DC=local]. Kind regards, Justin Stephenson On 01/28/2017 04:57 AM, Jakub Hrozek wrote: On Fri, Jan 27, 2017 at 11:28:30PM -, sonia.

[SSSD-users] Re: account not authenticating in child domain

2017-01-27 Thread Justin Stephenson
Could you provide updated sssd_ and krb5_child logs from the reproduced login failure after making that change? It would be great if you can remove any existing logs first. Kind regards, Justin Stephenson On 01/27/2017 03:30 PM, sonia.gilb...@hawaiianair.com wrote: Thank you Justin

[SSSD-users] Re: SSSD - user id mapping

2017-01-26 Thread Justin Stephenson
the sssd_concordia.ca.log for text such as 'mark_offline'? Once found, the messages above this point in the logs should indicate why SSSD was set into an offline state. Kind regards, Justin Stephenson On 01/26/2017 12:21 PM, Thomas Beaudry wrote: Hi Everyone, I am running into a problem with usernames

[SSSD-users] Re: SSSD - user id mapping

2017-01-27 Thread Justin Stephenson
on in /etc/openldap/ldap.conf - rdns=false in /etc/krb5.conf Then try testing again to see if that helps. If it is the same issue, you may need to use tcpdump and look at a packet capture to determine what is causing the SASL bind to fail. Kind regards, Justin Stephenson On 01/26/2017 04:35 PM

[SSSD-users] Re: account not authenticating in child domain

2017-01-24 Thread Justin Stephenson
not need another domain section in sssd.conf: > [domain/a.abc.com] > ad_server = sdc01.a.abc.com,sdc02.a.abc.com,_srv_ These lines were likely ignored by SSSD because you only had specified the single domain for the 'domains' option: > domains = abc.com Kind regards, Justin

[SSSD-users] Re: SSSD not reregister DDNS when interface goes up down

2017-02-10 Thread Justin Stephenson
SSSD chooses to use is retrieved from the LDAP connection therefore you may also need to lower the option ldap_connection_expire_timeout(see man-ldap for details) which defaults to 15 minutes. Debug logs could be useful to analyze here also. Kind regards, Justin Stephenson On 02/10/2017 10:09

[SSSD-users] Re: sssd monitor_quit_signal - causes? No matching domain found for [root], fail!

2016-09-29 Thread Justin Stephenson
On 09/27/2016 06:47 PM, Richard Collins wrote: Hi, thanks for responding. The monitor_quit_signal function should only be called when the SSSD monitor process receives SIGINT or SIGTERM. It looks like you already have debug_level = 9 in the monitor section of sssd.conf, I would hope to see

[SSSD-users] Re: Active Directory domain authorization on CentOS 7.2 servers with SSSD

2016-10-19 Thread Justin Stephenson
On 10/19/2016 10:19 AM, aleksey.maksi...@it-kb.ru wrote: Hello SSSD gurus! I want to set up Active Directory domain authorization in my CentOS 7.2 servers with SSSD. For this I use SSSD as described here:

[SSSD-users] Re: sssd monitor_quit_signal - causes? No matching domain found for [root], fail!

2016-11-16 Thread Justin Stephenson
: [sssd] timeout = 60 [nss] timeout = 60 [pam] timeout = 60 [sudo] timeout = 60 [domain/MYDOMAIN] timeout = 60 Kind regards, Justin Stephenson ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le

[SSSD-users] Re: realm join taking more than 5 minutes - waiting on password which was already entered

2017-08-10 Thread Justin Stephenson
hat is taking the longest time. https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/MQML6NVLRFFGUHZSUF55KOBYEPH74KT5/ Kind regards, Justin Stephenson

[SSSD-users] Re: Can SSSD query users from a domain different than the one computer has joined?

2017-06-29 Thread Justin Stephenson
. Kind regards, Justin Stephenson Also, if this is due to a timeout, is there any setting to control that? Thanks, ~ Abhi

[SSSD-users] Re: 1765328360/Preauthentication failed / 1765328359/Additional pre-authentication required in version sssd 1.13.3 w/ rc4-hmac

2017-04-25 Thread Justin Stephenson
the join. Also, you can add the --user-principal argument to the adcli join command which will allow you to get a TGT with the host/our.hostname@REALM principal Kind regards, Justin Stephenson On 04/25/2017 03:26 PM, Tom wrote: Wondering if there are any more suggestions on this topic

[SSSD-users] Re: Is there any way to disable dns lookup or set different dns server.

2017-06-15 Thread Justin Stephenson
On 06/15/2017 04:57 AM, Rishat Teregulov wrote: Yes, I set krb5.conf to this to try not to resolve dns queries. [libdefaults] default_realm = AD.DOMAIN.EXAMPLE dns_lookup_realm = false dns_lookup_kdc = false rdns = false krb4_config = /etc/krb.conf krb4_realms = /etc/krb.realms

[SSSD-users] Re: SSSD kerberos problem in multiple AD domains

2018-03-05 Thread Justin Stephenson
On 03/05/2018 08:25 AM, Roger Martensson wrote: Sorry about that.. Bleeping send-button-shortcut. Let me continue. Command I use to test: ssh userid@subdomain2@localhost The krb5_child.log contains these error messages: [[sssd[krb5_child[5720 [get_and_save_tgt] (0x0400): Attempting kinit

[SSSD-users] Re: kcm, gssproxy and klist

2020-11-23 Thread Justin Stephenson
You can read more about this in the following BZ, but this should not prevent a user from acquiring new credentials. https://bugzilla.redhat.com/show_bug.cgi?id=1669607 If you are hitting a KCM quota, a failure message will be logged stating the affected quota in the sssd_kcm.log file. I suspect

[SSSD-users] Re: HBAC refresh timeout / grace period

2021-01-22 Thread Justin Stephenson
Hi, Are you looking for the following options? Refer to man sssd-ipa(5) ipa_hbac_refresh (integer) The amount of time between lookups of the HBAC rules against the IPA server. This will reduce the latency and load on the IPA server if there are many access-control requests made

[SSSD-users] Re: SSSD - Dynamic Multiple NIC

2021-03-22 Thread Justin Stephenson
Are you looking for the `dyndns_iface` option? It should be mentioned in the `sssd-ipa`, or `sssd-ad` man page. I'm not aware of any article specifically about working with multiple NICs. -Justin On Sun, Mar 21, 2021 at 7:35 PM Personne wrote: > > Hello, > > I'm currently using an older version

[SSSD-users] Re: SSSD-AD Password auth at 2.3 level (CentOS 8)?

2021-02-23 Thread Justin Stephenson
Hi, You are right, the question is why does a second ldap child get forked - the /var/log/sssd/domain_$domain.log should give some clues. As a guess you may need to set `ad_enabled_domains = domain.bu.edu` in sssd.conf to disable auto discovery of trusted domains. If this doesn't help please send

[SSSD-users] Re: Group cache entry of removed member in be

2021-10-19 Thread Justin Stephenson
On Tue, Oct 19, 2021 at 6:04 AM THomas HUMMEL wrote: > > Hello, > > any hints ? > Also, why is the default entry_cache_timeout so high (1.5 hour if I > understand correctly) ? Many people use SSSD for its caching purpose, in environments with a high volume of clients it can help a lot to avoid

[SSSD-users] Re: is the sssd monitor even necessary?

2022-03-18 Thread Justin Stephenson
On Fri, Mar 18, 2022 at 5:10 AM Alexey Tikhonov wrote: > > On Thu, Mar 17, 2022 at 12:27 AM James Ralston wrote: > > > > On Wed, Mar 16, 2022 at 6:04 AM Alexey Tikhonov wrote: > > > > > How would you use SSSD without any domain configured? > > > > I have a host on which I kinit against

[SSSD-users] Re: kvon in keytab is getting out of sync

2022-01-19 Thread Justin Stephenson
Hi, It sounds like a problem occurs when SSSD executes 'adcli update' to renew the machine account password. If successful, the AD DC computer object password is updated and the new keys are written to the keytab. If a failure occurs, however, it may have caused these two things to go out of sync.

[SSSD-users] Re: Session Recording with sssd is not working

2022-07-15 Thread Justin Stephenson
You should see 'tlog-rec-session' returned as the shell with (may need to expire/clear sssd cache first): $ getent passwd -s sss myuser Also, in recent fedora versions you would need to run: $ authselect select sssd with-files-domain -Justin On Fri, Jul 15, 2022 at 11:30 AM Alexey Tikhonov

[SSSD-users] Re: SSH with KbdInteractiveAuthentication - pam_sssd activates wrong credentials cache on login

2022-10-12 Thread Justin Stephenson
Hi, Please file a bug for this, as you mention the primary ccache should not be switched to an existing expired ccache when a new TGT is retrieved. A feature request[1] is open for KCM to support pruning expired tickets, but it has not yet been implemented. Currently only the KEYRING ccache type