Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account
On (08/12/16 16:10), James Harrison wrote:
>Hi,From this URL: https://launchpad.net/~sssd/+archive/ubuntu/updates
>i updated sssd on Trusty and I can now ssh to it using a FreeIPA user's
>credentials. AD Still doesn't work.
>Thanks
>
That just means that 1.12.5-1~trusty1 still has some bugs which are fixed
in sssd-1.13.4 (in ubuntu 16.04). You mentioned that in a different mail.

I would recommend using the LTS version of sssd-1.13, which is the oldest version
maintained by upstream.

You might file bugs to ubuntu for fixing the old version of sssd in trusty (1.11),
but it will be much simpler to ask for backporting 1.13.4 into launchpad.

Based on the ubuntu page[1], precise (12.04) will be EOL very soon;
you should really consider using a newer version.
The ideal would be to use ubuntu 16.04.

LS

[1] https://www.ubuntu.com/info/release-end-of-life

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account
Hi,
From this URL: https://launchpad.net/~sssd/+archive/ubuntu/updates
I updated sssd on Trusty and I can now ssh to it using a FreeIPA user's credentials. AD still doesn't work.
Thanks

From: Lukas Slebodnik
To: James Harrison
Cc: "freeipa-users@redhat.com"
Sent: Thursday, 8 December 2016, 11:22
Subject: Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

On (07/12/16 18:19), James Harrison wrote:
>Hi all,
>
>I am trying to authenticate an ubuntu Precise (12.06) fully patched system.
>It's enrolled into a FreeIPA server. The following trace is the output of
>syslog auth sssd/*.log and full debug (-ddd) from the sshd service.
>
Are you able to reproduce with ubuntu 14.04
and sssd from trusty-updates(1.11.8-0ubuntu0.3)
You might also consider to test sssd-1.13.4 (in ubuntu 16.04)
or at least 1.12.5-1~trusty1 from ppa
https://launchpad.net/~sssd

LS
Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account
I tried to clone the git repos and I got access right errors.
James

From: Lukas Slebodnik
To: James Harrison
Cc: "freeipa-users@redhat.com"
Sent: Thursday, 8 December 2016, 11:22
Subject: Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

On (07/12/16 18:19), James Harrison wrote:
>Hi all,
>
>I am trying to authenticate an ubuntu Precise (12.06) fully patched system.
>It's enrolled into a FreeIPA server. The following trace is the output of
>syslog auth sssd/*.log and full debug (-ddd) from the sshd service.
>
Are you able to reproduce with ubuntu 14.04
and sssd from trusty-updates(1.11.8-0ubuntu0.3)
You might also consider to test sssd-1.13.4 (in ubuntu 16.04)
or at least 1.12.5-1~trusty1 from ppa
https://launchpad.net/~sssd

LS
Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account
James Harrison wrote:
>
> Hi,
> I would prefer not to compile anything. It means we have to maintain the
> package, rather than the distro maintainers.
>
> Trusty has a completely different set of errors to Precise.
>
> Xenial works with no problems.
>
> I run a script that allows the system to join the IPA domain (the same
> script regardless of Ubuntu distro):
>
> ( $P_W is read in from stdin)
>
> ipa-client-install \
> --server="$IPA_SERVER" \
> --domain=dns.domain.com \
> --principal=admin \
> --password="$P_W" \
> --preserve-sssd \
> --mkhomedir \
> --no-ntp \
> -U
>
>
> Enter (Admins) Password:
> Confirm Password:
> Hostname: jamestrusty.dns.domain.com
> Realm: IPA.REALM.COM
> DNS Domain: dns.domain.com
> IPA Server: pul-lv-ipa-01.dns.domain.com
> BaseDN: dc=int,dc=worldfirst,dc=com
>
> Synchronizing time with KDC...
> Dec 8 14:50:58 jamestrusty ntpdate[2448]: ntpdate 4.2.6p5@1.2349-o Wed
> Oct 5 12:35:26 UTC 2016 (1)
> Dec 8 14:50:58 jamestrusty ntpdate[2448]: the NTP socket is in use, exiting
> ...
> ...
> ...
> ...
> ...
> Unable to sync time with IPA NTP server, assuming the time is in sync.
> Please check that 123 UDP port is opened.
> Successfully retrieved CA cert
> Subject: CN=SOMECERT
> Issuer: CN=SOMECERT
> Valid From: Wed Mar 12 00:00:00 2014 UTC
> Valid Until: Sun Mar 11 23:59:59 3029 UTC
>
> Enrolled in IPA realm IPA.REALM.COM
> Created /etc/ipa/default.conf
> New SSSD config will be created
> Configured /etc/sssd/sssd.conf
> Failed to add CA to the default NSS database.
> Installation failed. Rolling back changes.
> Unenrolling client from IPA server
> Unenrolling host failed: Error getting default Kerberos realm:
> Configuration file does not specify default realm.
>
> Removing Kerberos service principals from /etc/krb5.keytab
> Disabling client Kerberos and LDAP configurations
> Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to
> /etc/sssd/sssd.conf.deleted
> SSSD service could not be stopped
> Client uninstall complete.

The stdout is usually not very helpful, /var/log/ipaclient-install.log
contains the real details.

Still, were I to guess, the required NSS database (and directory)
doesn't exist. This would be located in either /etc/ipa/nssdb or
/etc/pki/nssdb.

rob

>
>
> --------------------------------
> *From:* Lukas Slebodnik
> *To:* James Harrison
> *Cc:* "freeipa-users@redhat.com"
> *Sent:* Thursday, 8 December 2016, 11:22
> *Subject:* Re: [Freeipa-users] Problem with Free IPA Client Ubuntu
> Precise (12.04) authenticating with AD account
>
> On (07/12/16 18:19), James Harrison wrote:
>>Hi all,
>>
>>I am trying to authenticate an ubuntu Precise (12.06) fully patched
>>system. It's enrolled into a FreeIPA server. The following trace is the
>>output of syslog auth sssd/*.log and full debug (-ddd) from the sshd
>>service.
>>
> Are you able to reproduce with ubuntu 14.04
> and sssd from trusty-updates(1.11.8-0ubuntu0.3)
> You might also consider to test sssd-1.13.4 (in ubuntu 16.04)
> or at least 1.12.5-1~trusty1 from ppa
> https://launchpad.net/~sssd
>
>
> LS
Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account
Hi,
An update. I just got Trusty enrolled into FreeIPA by removing everything in:
/etc/pki/nssdb
and running:
/usr/bin/certutil -N --empty-password -d /etc/pki/nssdb
... before the client-install is run.

I get user IDs with Freeipa and AD domains:

root@jamestrusty:/etc/pki/nssdb# id x_james.harrison@IPA.REALM.COM
uid=108269(x_james.harrison) gid=108269(x_james.harrison) groups=108269(x_james.harrison),108260(admins),1082600010(ipausers)

root@jamestrusty:/etc/pki/nssdb# id x_james.harrison@AD.DOMAIN.LOCAL
uid=1039812876(x_james.harrison@ad.domain.local) gid=1039812876(x_james.harrison@ad.domain.local) groups=1039812876(x_james.harrison@ad.domain.locall)

However, auth issues are still the same as Precise. It doesn't accept the ssh public key stored with the IPA user or the Trust ID view user.

Xenial has no problems.

Regards,
James Harrison

From: James Harrison
To: "freeipa-users@redhat.com"
Sent: Thursday, 8 December 2016, 15:02
Subject: Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

Hi,
I would prefer not to compile anything. It means we have to maintain the package, rather than the distro maintainers.

Trusty has a completely different set of errors to Precise.

Xenial works with no problems.

I run a script that allows the system to join the IPA domain (the same script regardless of Ubuntu distro):

( $P_W is read in from stdin)

ipa-client-install \
    --server="$IPA_SERVER" \
    --domain=dns.domain.com \
    --principal=admin \
    --password="$P_W" \
    --preserve-sssd \
    --mkhomedir \
    --no-ntp \
    -U

Enter (Admins) Password:
Confirm Password:
Hostname: jamestrusty.dns.domain.com
Realm: IPA.REALM.COM
DNS Domain: dns.domain.com
IPA Server: pul-lv-ipa-01.dns.domain.com
BaseDN: dc=int,dc=worldfirst,dc=com

Synchronizing time with KDC...
Dec 8 14:50:58 jamestrusty ntpdate[2448]: ntpdate 4.2.6p5@1.2349-o Wed Oct 5 12:35:26 UTC 2016 (1)
Dec 8 14:50:58 jamestrusty ntpdate[2448]: the NTP socket is in use, exiting
...
...
...
...
...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Successfully retrieved CA cert
    Subject: CN=SOMECERT
    Issuer: CN=SOMECERT
    Valid From: Wed Mar 12 00:00:00 2014 UTC
    Valid Until: Sun Mar 11 23:59:59 3029 UTC

Enrolled in IPA realm IPA.REALM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Failed to add CA to the default NSS database.
Installation failed. Rolling back changes.
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.

Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
SSSD service could not be stopped
Client uninstall complete.

From: Lukas Slebodnik
To: James Harrison
Cc: "freeipa-users@redhat.com"
Sent: Thursday, 8 December 2016, 11:22
Subject: Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

On (07/12/16 18:19), James Harrison wrote:
>Hi all,
>
>I am trying to authenticate an ubuntu Precise (12.06) fully patched system.
>It's enrolled into a FreeIPA server. The following trace is the output of
>syslog auth sssd/*.log and full debug (-ddd) from the sshd service.
>
Are you able to reproduce with ubuntu 14.04
and sssd from trusty-updates(1.11.8-0ubuntu0.3)
You might also consider to test sssd-1.13.4 (in ubuntu 16.04)
or at least 1.12.5-1~trusty1 from ppa
https://launchpad.net/~sssd

LS
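
The NSS database check discussed in the messages above, as an added example that is not from any poster in this thread: it classifies /etc/ipa/nssdb and /etc/pki/nssdb by which NSS database files are present, so an absent or half-created database is visible before ipa-client-install is run. The function name nssdb_state and its state labels are assumptions of this example; the file names are the ones NSS creates for its legacy (dbm) and SQL formats.

```shell
#!/bin/sh
# Added example (not from the thread): pre-flight check of an NSS database
# directory. nssdb_state and its labels are names made up for this example.
#
# nssdb_state DIR prints exactly one of:
#   missing        DIR does not exist
#   uninitialised  DIR exists but holds no non-empty NSS database file
#   legacy         complete dbm database  (cert8.db key3.db secmod.db)
#   sql            complete SQL database  (cert9.db key4.db pkcs11.txt)
#   partial        some database files only (e.g. an interrupted certutil -N)
nssdb_state() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo missing
        return 0
    fi

    legacy=0
    sql=0
    # -s: file exists and is non-empty; a zero-length .db is not a database.
    for f in cert8.db key3.db secmod.db; do
        if [ -s "$dir/$f" ]; then legacy=$((legacy + 1)); fi
    done
    for f in cert9.db key4.db pkcs11.txt; do
        if [ -s "$dir/$f" ]; then sql=$((sql + 1)); fi
    done

    if [ "$legacy" -eq 3 ]; then
        echo legacy
    elif [ "$sql" -eq 3 ]; then
        echo sql
    elif [ "$legacy" -eq 0 ] && [ "$sql" -eq 0 ]; then
        echo uninitialised
    else
        echo partial
    fi
}

# Report on the two locations named in the thread. Read-only: nothing is
# created or deleted here.
for d in /etc/ipa/nssdb /etc/pki/nssdb; do
    printf '%s: %s\n' "$d" "$(nssdb_state "$d")"
done
```

A result other than legacy or sql for the directory the installer uses matches the situation described in this thread, where the database was recreated with certutil -N before enrolment.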
Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account
Hi,
I would prefer not to compile anything. It means we have to maintain the package, rather than the distro maintainers.

Trusty has a completely different set of errors to Precise.

Xenial works with no problems.

I run a script that allows the system to join the IPA domain (the same script regardless of Ubuntu distro):

( $P_W is read in from stdin)

ipa-client-install \
    --server="$IPA_SERVER" \
    --domain=dns.domain.com \
    --principal=admin \
    --password="$P_W" \
    --preserve-sssd \
    --mkhomedir \
    --no-ntp \
    -U

Enter (Admins) Password:
Confirm Password:
Hostname: jamestrusty.dns.domain.com
Realm: IPA.REALM.COM
DNS Domain: dns.domain.com
IPA Server: pul-lv-ipa-01.dns.domain.com
BaseDN: dc=int,dc=worldfirst,dc=com

Synchronizing time with KDC...
Dec 8 14:50:58 jamestrusty ntpdate[2448]: ntpdate 4.2.6p5@1.2349-o Wed Oct 5 12:35:26 UTC 2016 (1)
Dec 8 14:50:58 jamestrusty ntpdate[2448]: the NTP socket is in use, exiting
...
...
...
...
...
Unable to sync time with IPA NTP server, assuming the time is in sync. Please check that 123 UDP port is opened.
Successfully retrieved CA cert
    Subject: CN=SOMECERT
    Issuer: CN=SOMECERT
    Valid From: Wed Mar 12 00:00:00 2014 UTC
    Valid Until: Sun Mar 11 23:59:59 3029 UTC

Enrolled in IPA realm IPA.REALM.COM
Created /etc/ipa/default.conf
New SSSD config will be created
Configured /etc/sssd/sssd.conf
Failed to add CA to the default NSS database.
Installation failed. Rolling back changes.
Unenrolling client from IPA server
Unenrolling host failed: Error getting default Kerberos realm: Configuration file does not specify default realm.

Removing Kerberos service principals from /etc/krb5.keytab
Disabling client Kerberos and LDAP configurations
Redundant SSSD configuration file /etc/sssd/sssd.conf was moved to /etc/sssd/sssd.conf.deleted
SSSD service could not be stopped
Client uninstall complete.

From: Lukas Slebodnik
To: James Harrison
Cc: "freeipa-users@redhat.com"
Sent: Thursday, 8 December 2016, 11:22
Subject: Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account

On (07/12/16 18:19), James Harrison wrote:
>Hi all,
>
>I am trying to authenticate an ubuntu Precise (12.06) fully patched system.
>It's enrolled into a FreeIPA server. The following trace is the output of
>syslog auth sssd/*.log and full debug (-ddd) from the sshd service.
>
Are you able to reproduce with ubuntu 14.04
and sssd from trusty-updates(1.11.8-0ubuntu0.3)
You might also consider to test sssd-1.13.4 (in ubuntu 16.04)
or at least 1.12.5-1~trusty1 from ppa
https://launchpad.net/~sssd

LS
Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account
On (07/12/16 18:19), James Harrison wrote:
>Hi all,
>
>I am trying to authenticate an ubuntu Precise (12.06) fully patched system.
>It's enrolled into a FreeIPA server. The following trace is the output of
>syslog auth sssd/*.log and full debug (-ddd) from the sshd service.
>
Are you able to reproduce with ubuntu 14.04
and sssd from trusty-updates(1.11.8-0ubuntu0.3)
You might also consider to test sssd-1.13.4 (in ubuntu 16.04)
or at least 1.12.5-1~trusty1 from ppa
https://launchpad.net/~sssd

LS
Re: [Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account
On Wed, Dec 07, 2016 at 06:19:06PM +, James Harrison wrote:
> Hi all,
>
> I am trying to authenticate an ubuntu Precise (12.06) fully patched system.
> It's enrolled into a FreeIPA server. The following trace is the output of
> syslog auth sssd/*.log and full debug (-ddd) from the sshd service.
>
> I am getting a PAM error at the end of the procedure. Also I can't seem to
> authenticate against the public ssh key from the id override user.
>
> I appreciate any help you can send my way.
>
> Best regards,
>
> James Harrison
> Below is more information
>
>
> root@jamesprecise:~# kinit x_james.harrison@AD.DOMAIN.LOCAL
> Password for x_james.harrison@AD.DOMAIN.LOCAL:
>
> root@jamesprecise:~# klist
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: x_james.harrison@AD.DOMAIN.LOCAL
>
> Valid starting Expires Service principal
> 07/12/16 17:56:30 08/12/16 03:56:30 krbtgt/AD.DOMAIN.LOCAL@AD.DOMAIN.LOCAL
> renew until 08/12/16 17:56:23
>
> root@jamesprecise:~# id x_james.harrison@AD.DOMAIN.LOCAL
> uid=1039812876(x_james.harrison@ad.domain.local)
> gid=1039812876(x_james.harrison@ad.domain.local)
> groups=1039812876(x_james.harrison@ad.domain.local)

HBAC denied the login, which is probably related to the supplementary groups
not being resolved. This ancient SSSD version doesn't support returning
supplementary groups unless you log in -- during the login attempt, the PAC
responder should be able to decode the group memberships from the PAC and
store the groups.

So I'd look if the PAC responder is enabled and running and see if the
krb5_child resolves the SIDs during password authentication (or if PAC
responder is contacted during password-less authentication).

> root@pul-lv-ipa-02 ~]# ipa idoverrideuser-show External_AD_views
> x_james.harrison@ad.domain.local
> Anchor to override: x_james.harrison@ad.domain.local
> User login: x_james.harrison
> Login shell: /bin/bash
> SSH public key: ssh-rsa
>
> B3NzaC1yc2EDAQABAAABAQDK1pj2U7H9olLs1xKmcmZVEBMWpaHjxF2LttsdfqfQxm810qMru/WsvzHqu0m5Ugu0FYsPxRLQrAEB8WPsPoh5Y0q5qYPgm5aDOZZEXfCPyuRwdQ+XLfQJ3gnGjW4r/XLEiNVpO9eKsFs0ifspNAJ1n7h40rlHlOIqV/z8Omg6XnFBh9dIfiXtpYDOxe+512RpjtHE98s+NfIpUTT7MGNLHB5o/DqFXEJPH7Pp1bKwxWNvfCb5a71vcE695dQ31QYVYwpSwFmFogewgpV/OCb+S4SUdUq1xg0fmkhYr3d4UXFr91MDimyOBWk9Aai7NkOHPszmHJp
> JamesHarrison

Overrides are not supported with this version.

>
>
> Here are the software versions:
>
> root@jamesprecise:# dpkg -l | grep -i freeipa
> ii freeipa-client 3.3.4-0ubuntu3.1~precise0.1
> FreeIPA centralized identity framework -- client
> ii libipa-hbac0 1.11.5-1ubuntu3~precise1
> FreeIPA HBAC Evaluator library
> ii python-freeipa 3.3.4-0ubuntu3.1~precise0.1
> FreeIPA centralized identity framework -- python modules
> ii python-libipa-hbac 1.11.5-1ubuntu3~precise1
> Python bindings for the FreeIPA HBAC Evaluator library
>
> root@jamesprecise:# dpkg -l | grep -i openssh-server
> ii openssh-server 1:5.9p1-5ubuntu1.10
> secure shell (SSH) server, for secure access from remote machines
>
>
> root@jamesprecise:/var/log# dpkg -l | grep -i sssd
> ii libsss-idmap0 1.11.5-1ubuntu3~precise1
> ID mapping library for SSSD
> ii sssd 1.11.5-1ubuntu3~precise1
> System Security Services Daemon -- metapackage
> ii sssd-ad 1.11.5-1ubuntu3~precise1
> System Security Services Daemon -- Active Directory back end
> ii sssd-ad-common 1.11.5-1ubuntu3~precise1
> System Security Services Daemon -- PAC responder
> ii sssd-common 1.11.5-1ubuntu3~precise1
> System Security Services Daemon -- common files
> ii sssd-ipa 1.11.5-1ubuntu3~precise1
> System Security Services Daemon -- IPA back end
> ii sssd-krb5 1.11.5-1ubuntu3~precise1
> System Security Services Daemon -- Kerberos back end
> ii sssd-krb5-common 1.11.5-1ubuntu3~precise1
> System Security Services Daemon -- Kerberos helpers
> ii sssd-ldap 1.11.5-1ubuntu3~precise1
> System Security Services Daemon -- LDAP back end
> ii sssd-proxy 1.11.5-1ubuntu3~precise1
> System Security Services Daemon -- proxy back end
> ii sudo 1.8.9p5-1ubuntu1.1~sssd1
> Provide limited super user privileges to specific users

All in all, I would suggest to upgrade to something more recent.
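
One way to carry out the first check suggested in the reply above (whether the PAC responder is enabled), as an added example that is not from the thread: it reads the services list from the [sssd] section of an sssd.conf and tests whether a given responder is listed. The function names sssd_services and has_responder and the sample configuration are constructed for this example; point the functions at /etc/sssd/sssd.conf on a real client.

```shell
#!/bin/sh
# Added example (not from the thread): is a given SSSD responder enabled?
# Function names and the sample config below are constructed for illustration.

# Print the responders listed in the "services" option of the [sssd] section,
# space-separated. Prints nothing if the option is absent.
sssd_services() {
    awk '
        # A section header: remember whether it is [sssd] and move on.
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        # Commented-out lines start with "#" or ";" and never match here.
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, "")      # drop the option name and "="
            gsub(/[ \t]/, "")       # drop whitespace around the names
            gsub(/,/, " ")          # commas become spaces
            print
            exit
        }
    ' "$1"
}

# Return 0 if responder $2 is listed in config file $1, 1 otherwise.
has_responder() {
    for s in $(sssd_services "$1"); do
        if [ "$s" = "$2" ]; then return 0; fi
    done
    return 1
}

# Constructed sample config: "pac" appears only in a commented-out line,
# so the check must report it as not enabled.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[domain/ipa.realm.com]
id_provider = ipa
ipa_server = pul-lv-ipa-01.dns.domain.com

[sssd]
# services = nss, pam, ssh, pac
services = nss, pam, ssh
domains = ipa.realm.com
EOF

if has_responder "$sample" pac; then
    echo "pac responder is listed in [sssd] services"
else
    echo "pac responder NOT listed; services: $(sssd_services "$sample")"
fi
rm -f "$sample"
```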
[Freeipa-users] Problem with Free IPA Client Ubuntu Precise (12.04) authenticating with AD account
Hi all,

I am trying to authenticate an ubuntu Precise (12.06) fully patched system. It's enrolled into a FreeIPA server. The following trace is the output of syslog auth sssd/*.log and full debug (-ddd) from the sshd service.

I am getting a PAM error at the end of the procedure. Also I can't seem to authenticate against the public ssh key from the id override user.

I appreciate any help you can send my way.

Best regards,

James Harrison

Below is more information

root@jamesprecise:~# kinit x_james.harrison@AD.DOMAIN.LOCAL
Password for x_james.harrison@AD.DOMAIN.LOCAL:

root@jamesprecise:~# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: x_james.harrison@AD.DOMAIN.LOCAL

Valid starting Expires Service principal
07/12/16 17:56:30 08/12/16 03:56:30 krbtgt/AD.DOMAIN.LOCAL@AD.DOMAIN.LOCAL
renew until 08/12/16 17:56:23

root@jamesprecise:~# id x_james.harrison@AD.DOMAIN.LOCAL
uid=1039812876(x_james.harrison@ad.domain.local) gid=1039812876(x_james.harrison@ad.domain.local) groups=1039812876(x_james.harrison@ad.domain.local)

root@pul-lv-ipa-02 ~]# ipa idoverrideuser-show External_AD_views x_james.harrison@ad.domain.local
Anchor to override: x_james.harrison@ad.domain.local
User login: x_james.harrison
Login shell: /bin/bash
SSH public key: ssh-rsa B3NzaC1yc2EDAQABAAABAQDK1pj2U7H9olLs1xKmcmZVEBMWpaHjxF2LttsdfqfQxm810qMru/WsvzHqu0m5Ugu0FYsPxRLQrAEB8WPsPoh5Y0q5qYPgm5aDOZZEXfCPyuRwdQ+XLfQJ3gnGjW4r/XLEiNVpO9eKsFs0ifspNAJ1n7h40rlHlOIqV/z8Omg6XnFBh9dIfiXtpYDOxe+512RpjtHE98s+NfIpUTT7MGNLHB5o/DqFXEJPH7Pp1bKwxWNvfCb5a71vcE695dQ31QYVYwpSwFmFogewgpV/OCb+S4SUdUq1xg0fmkhYr3d4UXFr91MDimyOBWk9Aai7NkOHPszmHJp JamesHarrison

Here are the software versions:

root@jamesprecise:# dpkg -l | grep -i freeipa
ii freeipa-client 3.3.4-0ubuntu3.1~precise0.1 FreeIPA centralized identity framework -- client
ii libipa-hbac0 1.11.5-1ubuntu3~precise1 FreeIPA HBAC Evaluator library
ii python-freeipa 3.3.4-0ubuntu3.1~precise0.1 FreeIPA centralized identity framework -- python modules
ii python-libipa-hbac 1.11.5-1ubuntu3~precise1 Python bindings for the FreeIPA HBAC Evaluator library

root@jamesprecise:# dpkg -l | grep -i openssh-server
ii openssh-server 1:5.9p1-5ubuntu1.10 secure shell (SSH) server, for secure access from remote machines

root@jamesprecise:/var/log# dpkg -l | grep -i sssd
ii libsss-idmap0 1.11.5-1ubuntu3~precise1 ID mapping library for SSSD
ii sssd 1.11.5-1ubuntu3~precise1 System Security Services Daemon -- metapackage
ii sssd-ad 1.11.5-1ubuntu3~precise1 System Security Services Daemon -- Active Directory back end
ii sssd-ad-common 1.11.5-1ubuntu3~precise1 System Security Services Daemon -- PAC responder
ii sssd-common 1.11.5-1ubuntu3~precise1 System Security Services Daemon -- common files
ii sssd-ipa 1.11.5-1ubuntu3~precise1 System Security Services Daemon -- IPA back end
ii sssd-krb5 1.11.5-1ubuntu3~precise1 System Security Services Daemon -- Kerberos back end
ii sssd-krb5-common 1.11.5-1ubuntu3~precise1 System Security Services Daemon -- Kerberos helpers
ii sssd-ldap 1.11.5-1ubuntu3~precise1 System Security Services Daemon -- LDAP back end
ii sssd-proxy 1.11.5-1ubuntu3~precise1 System Security Services Daemon -- proxy back end
ii sudo 1.8.9p5-1ubuntu1.1~sssd1 Provide limited super user privileges to specific users

Ubuntu PPAs:

root@jamesprecise:~# ls -l /etc/apt/sources.list.d/
total 16
-rw-r--r-- 1 root root 65 Dec 7 08:48 freeipa-ppa-precise.list
-rw-r--r-- 1 root root 61 Dec 7 08:48 ppa_freeipa_ppa_precise.list
-rw-r--r-- 1 root root 62 Dec 7 08:48 ppa_sssd_updates_precise.list
-rw-r--r-- 1 root root 66 Dec 7 08:48 sssd-updates-precise.list

cat /etc/pam.d/common-session
session [default=1] pam_permit.so
session requisite pam_deny.so
session required pam_permit.so
session optional pam_umask.so
session required pam_mkhomedir.so umask=0022 skel=/etc/skel
session required pam_unix.so
session optional pam_sss.so
session [success=ok default=ignore] pam_ldap.so minimum_uid=1000
root@jamesprecise:~#
root@jamesprecise:~# cat /etc/pam.d/common-auth
auth [success=3 default=ignore] pam_unix.so nullok_secure
auth [success=2 default=i