[SSSD-users] Re: sssd fails to start when I enable [ifp]

2018-10-09 Thread Pavel Březina

On 10/9/18 11:06 AM, Ondrej Valousek wrote:
> Ok I know what is going on.
> The sssd-dbus package is a necessary accessory for the InfoPipe. So if you need
> InfoPipe, you need to install sssd-dbus (not installed by default).
> Fine, but nobody told me that once you install this package, you are also
> expected to restart the dbus service.
> I guess this needs a bit of polishing...

It installs a dbus policy configuration file that is required by dbus.
D-Bus should be watching the directory for changes though. Please, file
an sssd ticket for this and we will investigate further.

I think this is a nice task for Tomas (CC)

> Ondrej

-Original Message-
From: Ondrej Valousek [mailto:ondrej.valou...@s3group.com]
Sent: Tuesday, October 09, 2018 10:56 AM
To: End-user discussions about the System Security Services Daemon 

Subject: [SSSD-users] Re: sssd fails to start when I enable [ifp]

The same error I receive when I try to start the ifp service manually:
# /usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --dbus-activated --logger=stderr 
...
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added allowed attr sn to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added default attr name to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added default attr uidNumber to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added default attr gidNumber to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added default attr gecos to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added default attr homeDirectory to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added default attr loginShell to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added default attr groups to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added default attr domain to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added default attr domainname to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [sysbus_init] (0x0020): Unable to request name on the system bus: [Connection ":1.33561" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file]
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [sysbus_init] (0x0040): DBus error message: Connection ":1.33561" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [ifp_process_init] (0x0020): Failed to connect to the system message bus
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down


-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Tuesday, October 09, 2018 10:29 AM
To: End-user discussions about the System Security Services Daemon 

Cc: Pavel Březina 
Subject: [SSSD-users] Re: sssd fails to start when I enable [ifp]

Interesting..Pavel, do you have some idea?


On 9 Oct 2018, at 10:27, Ondrej Valousek  wrote:

Ok, obviously this error message does not appear when using SystemD, therefore 
I try to start it as root interactively, i.e.
# /usr/sbin/sssd -i

-Original Message-
From: Ondrej Valousek [mailto:ondrej.valou...@s3group.com]
Sent: Tuesday, October 09, 2018 10:25 AM
To: End-user discussions about the System Security Services Daemon

Subject: [SSSD-users] Re: sssd fails to start when I enable [ifp]

Hi,
As root, i.e. "systemctl start sssd"
Ondrej

-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Tuesday, October 09, 2018 10:24 AM
To: End-user discussions about the System Security Services Daemon

Subject: [SSSD-users] Re: sssd fails to start when I enable [ifp]

Do you run sssd as root or the unprivileged sssd user?


On 8 Oct 2018, at 15:29, Ondrej Valousek  wrote:

Hi List,
Seems like sssd fails to start when I enable infopipe (i.e. add “ifp” to the 
services list).
Log says:
(Mon Oct  8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0020): Unable to request name on the system bus: [Connection ":1.33273" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file]
(Mon Oct  8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0040): DBus error message: Connection ":1.33273" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file
(Mon Oct  8 14:18:08 2018) [sssd[ifp]] [ifp_process_init] (0x0020): Failed to connect to the system message bus

This is Centos-7, all updates applied, i.e. dbus-1.10.24,
sssd-1.16.0-19.el7

Thanks,
Ondrej
-

The information contained in this e-mail and in any attachments is confidential 
and is designated solely for the attention of the intended recipient(s). If you 
are not an i
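
Added example, not part of any message in this thread and not SSSD project code: it splits a run-together sssd_ifp debug log back into entries, extracts the bus name the daemon was refused, and looks in a D-Bus policy directory for a matching `<allow own=...>` rule. The sample log, the policy file and its file name, the `run_as` parameter and the verdict labels are all constructed for illustration; on a host, the directories to pass are assumed to be the bus's system policy directories such as /etc/dbus-1/system.d.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Start of an SSSD debug entry: "(Tue Oct 9 09:53:40 2018) [sssd[ifp]] [func] ..."
ENTRY_START = re.compile(r"\((?:Mon|Tue|Wed|Thu|Fri|Sat|Sun) [A-Z][a-z]{2} "
                         r"\d{1,2} \d{2}:\d{2}:\d{2} \d{4}\) \[")
ENTRY = re.compile(r"\((?P<ts>[^)]+)\) \[(?P<proc>\w+(?:\[[^\]]*\])?)\] "
                   r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)")
DENIED = re.compile(r'Connection "(?P<conn>[^"]+)" is not allowed to own the '
                    r'service "(?P<name>[^"]+)" due to security policies')

# Constructed sample (made-up connection id), entries run together as in the thread.
SAMPLE_LOG = """\
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [sysbus_init] (0x0020): Unable to request name on the system bus: [Connection
":1.100" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the
configuration file] (Tue Oct  9 09:53:40 2018) [sssd[ifp]] [sysbus_init] (0x0040): DBus error message: Connection
":1.100" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the
configuration file (Tue Oct  9 09:53:40 2018) [sssd[ifp]] [ifp_process_init] (0x0020): Failed to connect to the
system message bus
"""

# Constructed policy file that lets root own the InfoPipe bus name.
SAMPLE_POLICY = """\
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-BUS Bus Configuration 1.0//EN"
 "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
  <policy user="root">
    <allow own="org.freedesktop.sssd.infopipe"/>
  </policy>
</busconfig>
"""


def split_entries(text):
    """Undo line wrapping, then cut the stream at every entry timestamp."""
    flat = " ".join(text.split())
    starts = [m.start() for m in ENTRY_START.finditer(flat)] + [len(flat)]
    chunks = (flat[a:b].strip() for a, b in zip(starts, starts[1:]))
    return [m.groupdict() for m in map(ENTRY.fullmatch, chunks) if m]


def own_denials(text):
    """Bus names the daemon was refused; sysbus_init reports each one twice."""
    names = []
    for entry in split_entries(text):
        m = DENIED.search(entry["msg"])
        if m and m["name"] not in names:
            names.append(m["name"])
    return names


def find_own_rules(name, policy_dirs):
    """(file name, <policy> attributes) for every <allow own="name"/> on disk."""
    rules = []
    for directory in policy_dirs:
        for conf in sorted(Path(directory).glob("*.conf")):
            try:
                root = ET.parse(conf).getroot()
            except (ET.ParseError, OSError):
                continue  # unreadable or malformed file: skipped by this check
            for policy in root.iter("policy"):
                for allow in policy.findall("allow"):
                    if allow.get("own") == name:
                        rules.append((conf.name, dict(policy.attrib)))
    return rules


def diagnose(log_text, policy_dirs, run_as="root"):
    """Classify each denial; deny rules and group policies are not evaluated."""
    verdicts = {}
    for name in own_denials(log_text):
        rules = find_own_rules(name, policy_dirs)
        usable = [r for r in rules if r[1].get("user") == run_as
                  or r[1].get("context") in ("default", "mandatory")]
        if not rules:
            verdicts[name] = "POLICY_MISSING"      # policy file not installed
        elif not usable:
            verdicts[name] = "POLICY_OTHER_USER"   # granted, but not to run_as
        else:
            verdicts[name] = "POLICY_NOT_LOADED"   # on disk, bus has not read it
    return verdicts


def demo():
    """Same log, three situations, using a throwaway policy directory."""
    with tempfile.TemporaryDirectory() as tmp:
        missing = diagnose(SAMPLE_LOG, [tmp])
        Path(tmp, "constructed-infopipe.conf").write_text(SAMPLE_POLICY)
        on_disk = diagnose(SAMPLE_LOG, [tmp])
        other_user = diagnose(SAMPLE_LOG, [tmp], run_as="sssd")
    return missing, on_disk, other_user


if __name__ == "__main__":
    print(demo())
```

A POLICY_NOT_LOADED verdict corresponds to what the thread found: the rule is installed, yet the running bus still refuses the name until the dbus service is restarted.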

[SSSD-users] Re: Active Domain Controller server lists (part of SSSD-AD)?

2018-10-09 Thread Conwell, Nik
Thanks Spike.  I hadn't thought about the load-balanced pool for apps that are 
not site-aware.  That's a good idea.  Take care.  -nik

From: Spike White 
Reply-To: End-user discussions about the System Security Services Daemon 

Date: Monday, October 8, 2018 at 10:13 AM
To: End-user discussions about the System Security Services Daemon 

Subject: [SSSD-users] Re: Active Domain Controller server lists (part of 
SSSD-AD)?

I am a big fan of

 dns_lookup_realm = true

in /etc/krb5.conf.  Of course, our AD administrators maintain good SRV records 
for the various AD controllers -- so there's that.

Also they maintain a load-balanced pool per location for those apps that are 
not site-aware.  Worst case, I could set my kdc = that.

That LB pool will always be right, as they slip in and out AD controllers.

Spike

On Fri, Oct 5, 2018 at 6:04 AM Conwell, Nik <n...@bu.edu> wrote:
Hi all, just curious what do you all do for Active Directory domain controllers 
in the krb5.conf?  Seems like "realm join" by default populates the krb5.conf 
with the hostnames of all the AD KDCs discovered for the domain.  All good 
until we decided we are going to rename the KDCs to all new names.  Windows 
boxes don't care, apparently they will automatically rediscover based on the 
"_srv_" record queries.  But from an SSSD-AD and krb5.conf perspective we may 
end up having to "realm leave" "realm join" the linux boxes to pick up the new 
DCs or possibly edit the krb5.conf to change the discovered servers to be just 
"_srv_" so it will be dynamically queried.

What are you all doing for SSSD-AD and the list of AD Domain Controllers?  Do 
you manage the krb5.conf list directly, or do you just always change the list 
to be "_srv_"?

Thanks.
-nik


Nik Conwell |  Manager, Systems Engineering
Boston University Information Services & Technology

___
sssd-users mailing list -- 
sssd-users@lists.fedorahosted.org
To unsubscribe send an email to 
sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org


[SSSD-users] Re: sssd fails to start when I enable [ifp]

2018-10-09 Thread Ondrej Valousek
Ok I know what is going on.
The sssd-dbus package is a necessary accessory for the InfoPipe. So if you need 
InfoPipe, you need to install sssd-dbus (not installed by default).
Fine, but nobody told me that once you install this package, you are also 
expected to restart the dbus service.
I guess this needs a bit of polishing...

Ondrej

-Original Message-
From: Ondrej Valousek [mailto:ondrej.valou...@s3group.com] 
Sent: Tuesday, October 09, 2018 10:56 AM
To: End-user discussions about the System Security Services Daemon 

Subject: [SSSD-users] Re: sssd fails to start when I enable [ifp]

The same error I receive when I try to start the ifp service manually:
# /usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --dbus-activated --logger=stderr 
...
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added allowed attr sn to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added default attr name to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added default attr uidNumber to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added default attr gidNumber to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added default attr gecos to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added default attr homeDirectory to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added default attr loginShell to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added default attr groups to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added default attr domain to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added default attr domainname to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [sysbus_init] (0x0020): Unable to request name on the system bus: [Connection ":1.33561" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file]
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [sysbus_init] (0x0040): DBus error message: Connection ":1.33561" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [ifp_process_init] (0x0020): Failed to connect to the system message bus
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down


-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Tuesday, October 09, 2018 10:29 AM
To: End-user discussions about the System Security Services Daemon 

Cc: Pavel Březina 
Subject: [SSSD-users] Re: sssd fails to start when I enable [ifp]

Interesting..Pavel, do you have some idea?

> On 9 Oct 2018, at 10:27, Ondrej Valousek  wrote:
> 
> Ok, obviously this error message does not appear when using SystemD, 
> therefore I try to start it as root interactively, i.e.
> # /usr/sbin/sssd -i
> 
> -Original Message-
> From: Ondrej Valousek [mailto:ondrej.valou...@s3group.com]
> Sent: Tuesday, October 09, 2018 10:25 AM
> To: End-user discussions about the System Security Services Daemon 
> 
> Subject: [SSSD-users] Re: sssd fails to start when I enable [ifp]
> 
> Hi,
> As root, i.e. "systemctl start sssd"
> Ondrej
> 
> -Original Message-
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: Tuesday, October 09, 2018 10:24 AM
> To: End-user discussions about the System Security Services Daemon 
> 
> Subject: [SSSD-users] Re: sssd fails to start when I enable [ifp]
> 
> Do you run sssd as root or the unprivileged sssd user?
> 
>> On 8 Oct 2018, at 15:29, Ondrej Valousek  wrote:
>> 
>> Hi List,
>> Seems like sssd fails to start when I enable infopipe (i.e. add “ifp” to the 
>> services list).
>> Log says:
>> (Mon Oct  8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0020): Unable to request name on the system bus: [Connection ":1.33273" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file]
>> (Mon Oct  8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0040): DBus error message: Connection ":1.33273" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file
>> (Mon Oct  8 14:18:08 2018) [sssd[ifp]] [ifp_process_init] (0x0020): Failed to connect to the system message bus
>> 
>> This is Centos-7, all updates applied, i.e. dbus-1.10.24,
>> sssd-1.16.0-19.el7
>> 
>> Thanks,
>> Ondrej

[SSSD-users] Re: sssd fails to start when I enable [ifp]

2018-10-09 Thread Ondrej Valousek
The same error I receive when I try to start the ifp service manually:
# /usr/libexec/sssd/sssd_ifp --uid 0 --gid 0 --dbus-activated --logger=stderr
...
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added 
allowed attr sn to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added 
default attr name to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added 
default attr uidNumber to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added 
default attr gidNumber to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added 
default attr gecos to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added 
default attr homeDirectory to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added 
default attr loginShell to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added 
default attr groups to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added 
default attr domain to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [parse_attr_list_ex] (0x2000): Added 
default attr domainname to whitelist
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [sysbus_init] (0x0020): Unable to 
request name on the system bus: [Connection ":1.33561" is not allowed to own 
the service "org.freedesktop.sssd.infopipe" due to security policies in the 
configuration file]
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [sysbus_init] (0x0040): DBus error 
message: Connection ":1.33561" is not allowed to own the service 
"org.freedesktop.sssd.infopipe" due to security policies in the configuration 
file
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [ifp_process_init] (0x0020): Failed to 
connect to the system message bus
(Tue Oct  9 09:53:40 2018) [sssd[ifp]] [sss_responder_ctx_destructor] (0x0400): 
Responder is being shut down


-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com] 
Sent: Tuesday, October 09, 2018 10:29 AM
To: End-user discussions about the System Security Services Daemon 

Cc: Pavel Březina 
Subject: [SSSD-users] Re: sssd fails to start when I enable [ifp]

Interesting..Pavel, do you have some idea?

> On 9 Oct 2018, at 10:27, Ondrej Valousek  wrote:
> 
> Ok, obviously this error message does not appear when using SystemD, 
> therefore I try to start it as root interactively, i.e.
> # /usr/sbin/sssd -i
> 
> -Original Message-
> From: Ondrej Valousek [mailto:ondrej.valou...@s3group.com]
> Sent: Tuesday, October 09, 2018 10:25 AM
> To: End-user discussions about the System Security Services Daemon 
> 
> Subject: [SSSD-users] Re: sssd fails to start when I enable [ifp]
> 
> Hi,
> As root, i.e. "systemctl start sssd"
> Ondrej
> 
> -Original Message-
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: Tuesday, October 09, 2018 10:24 AM
> To: End-user discussions about the System Security Services Daemon 
> 
> Subject: [SSSD-users] Re: sssd fails to start when I enable [ifp]
> 
> Do you run sssd as root or the unprivileged sssd user?
> 
>> On 8 Oct 2018, at 15:29, Ondrej Valousek  wrote:
>> 
>> Hi List,
>> Seems like sssd fails to start when I enable infopipe (i.e. add “ifp” to the 
>> services list).
>> Log says:
>> (Mon Oct  8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0020): Unable to request name on the system bus: [Connection ":1.33273" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file]
>> (Mon Oct  8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0040): DBus error message: Connection ":1.33273" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file
>> (Mon Oct  8 14:18:08 2018) [sssd[ifp]] [ifp_process_init] (0x0020): Failed to connect to the system message bus
>> 
>> This is Centos-7, all updates applied, i.e. dbus-1.10.24,
>> sssd-1.16.0-19.el7
>> 
>> Thanks,
>> Ondrej

[SSSD-users] Re: realm re-join....

2018-10-09 Thread John Hearns
Spike,   the machine will always have an account in the AD Realm.
So no, you do not have to leave and re-join. What DOES time out is the password.
sssd should renew the password periodically (*) when it is running. As
you say you have had > 30 days of downtime

You can use the msktutil to reset a password
https://fuhm.net/software/msktutil/manpage.html#PASSWORD EXPIRY

(*) you can change this periodicity in sssd - and can turn it down to
a very short time, for debugging.
One of the parameters is also 'how soon after startup should I look at
the age of the password'

On Mon, 8 Oct 2018 at 15:16, Spike White  wrote:
>
> All,
>
> I had a VM down for a great number of days.  Apparently, it was not 30 days.  
> Because even though it initially didn't correctly do AD authentication, I fixed 
> one misconfiguration in /etc/krb5.conf, restarted SSSD and it did.
>
> But that raises a bigger question.  If it's been >30 days and my machine 
> account is no longer valid, how do I rejoin the domain?
>
> Is it:
>    realm leave (no flags)
>    realm join (with all my usual flags that I use on the initial realm join)
>
> Spike


[SSSD-users] Re: sssd fails to start when I enable [ifp]

2018-10-09 Thread Jakub Hrozek
Interesting..Pavel, do you have some idea?

> On 9 Oct 2018, at 10:27, Ondrej Valousek  wrote:
> 
> Ok, obviously this error message does not appear when using SystemD, 
> therefore I try to start it as root interactively, i.e.
> # /usr/sbin/sssd -i
> 
> -Original Message-
> From: Ondrej Valousek [mailto:ondrej.valou...@s3group.com] 
> Sent: Tuesday, October 09, 2018 10:25 AM
> To: End-user discussions about the System Security Services Daemon 
> 
> Subject: [SSSD-users] Re: sssd fails to start when I enable [ifp]
> 
> Hi,
> As root, i.e. "systemctl start sssd"
> Ondrej
> 
> -Original Message-
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sent: Tuesday, October 09, 2018 10:24 AM
> To: End-user discussions about the System Security Services Daemon 
> 
> Subject: [SSSD-users] Re: sssd fails to start when I enable [ifp]
> 
> Do you run sssd as root or the unprivileged sssd user?
> 
>> On 8 Oct 2018, at 15:29, Ondrej Valousek  wrote:
>> 
>> Hi List,
>> Seems like sssd fails to start when I enable infopipe (i.e. add “ifp” to the 
>> services list).
>> Log says:
>> (Mon Oct  8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0020): Unable to request name on the system bus: [Connection ":1.33273" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file]
>> (Mon Oct  8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0040): DBus error message: Connection ":1.33273" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file
>> (Mon Oct  8 14:18:08 2018) [sssd[ifp]] [ifp_process_init] (0x0020): Failed to connect to the system message bus
>> 
>> This is Centos-7, all updates applied, i.e. dbus-1.10.24,
>> sssd-1.16.0-19.el7
>> 
>> Thanks,
>> Ondrej

[SSSD-users] Re: realm re-join....

2018-10-09 Thread Jakub Hrozek


> On 8 Oct 2018, at 16:16, Spike White  wrote:
> 
> All,
> 
> I had a VM down for a great number of days.  Apparently, it was not 30 days.  
> Because even though it initially didn't correctly do AD authentication, I fixed 
> one misconfiguration in /etc/krb5.conf, restarted SSSD and it did.
> 
> But that raises a bigger question.  If it's been >30 days and my machine 
> account is no longer valid, how do I rejoin the domain?
> 
> Is it:
>    realm leave (no flags)
>    realm join (with all my usual flags that I use on the initial realm join)
> 

Wouldn’t it be safer to just use adcli update? Looking at the man page, it 
appears you can also kinit as another user (since your machine credentials are 
probably gone now) and point adcli there with --login-ccache

I don’t know realmd in too much detail, but I wonder if realm leave && realm 
join would rewrite any config changes you do.


[SSSD-users] Re: sssd fails to start when I enable [ifp]

2018-10-09 Thread Ondrej Valousek
Ok, obviously this error message does not appear when using SystemD, therefore 
I try to start it as root interactively, i.e.
# /usr/sbin/sssd -i

-Original Message-
From: Ondrej Valousek [mailto:ondrej.valou...@s3group.com] 
Sent: Tuesday, October 09, 2018 10:25 AM
To: End-user discussions about the System Security Services Daemon 

Subject: [SSSD-users] Re: sssd fails to start when I enable [ifp]

Hi,
As root, i.e. "systemctl start sssd"
Ondrej

-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Tuesday, October 09, 2018 10:24 AM
To: End-user discussions about the System Security Services Daemon 

Subject: [SSSD-users] Re: sssd fails to start when I enable [ifp]

Do you run sssd as root or the unprivileged sssd user?

> On 8 Oct 2018, at 15:29, Ondrej Valousek  wrote:
> 
> Hi List,
> Seems like sssd fails to start when I enable infopipe (i.e. add “ifp” to the 
> services list).
> Log says:
> (Mon Oct  8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0020): Unable to request name on the system bus: [Connection ":1.33273" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file]
> (Mon Oct  8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0040): DBus error message: Connection ":1.33273" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file
> (Mon Oct  8 14:18:08 2018) [sssd[ifp]] [ifp_process_init] (0x0020): Failed to connect to the system message bus
>  
> This is Centos-7, all updates applied, i.e. dbus-1.10.24,
> sssd-1.16.0-19.el7
>  
> Thanks,
> Ondrej

[SSSD-users] Re: sssd fails to start when I enable [ifp]

2018-10-09 Thread Ondrej Valousek
Hi,
As root, i.e. "systemctl start sssd"
Ondrej

-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com] 
Sent: Tuesday, October 09, 2018 10:24 AM
To: End-user discussions about the System Security Services Daemon 

Subject: [SSSD-users] Re: sssd fails to start when I enable [ifp]

Do you run sssd as root or the unprivileged sssd user?

> On 8 Oct 2018, at 15:29, Ondrej Valousek  wrote:
> 
> Hi List,
> Seems like sssd fails to start when I enable infopipe (i.e. add “ifp” to the 
> services list).
> Log says:
> (Mon Oct  8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0020): Unable to request name on the system bus: [Connection ":1.33273" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file]
> (Mon Oct  8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0040): DBus error message: Connection ":1.33273" is not allowed to own the service "org.freedesktop.sssd.infopipe" due to security policies in the configuration file
> (Mon Oct  8 14:18:08 2018) [sssd[ifp]] [ifp_process_init] (0x0020): Failed to connect to the system message bus
>  
> This is Centos-7, all updates applied, i.e. dbus-1.10.24, 
> sssd-1.16.0-19.el7
>  
> Thanks,
> Ondrej

[SSSD-users] Re: sssd fails to start when I enable [ifp]

2018-10-09 Thread Jakub Hrozek
Do you run sssd as root or the unprivileged sssd user?

> On 8 Oct 2018, at 15:29, Ondrej Valousek  wrote:
> 
> Hi List,
> Seems like sssd fails to start when I enable infopipe (i.e. add “ifp” to the 
> services list).
> Log says:
> (Mon Oct  8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0020): Unable to 
> request name on the system bus: [Connection ":1.33273" is not allowed to own 
> the service "org.freedesktop.sssd.infopipe" due to security policies in the 
> configuration file]
> (Mon Oct  8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0040): DBus error 
> message: Connection ":1.33273" is not allowed to own the service 
> "org.freedesktop.sssd.infopipe" due to security policies in the configuration 
> file
> (Mon Oct  8 14:18:08 2018) [sssd[ifp]] [ifp_process_init] (0x0020): Failed to 
> connect to the system message bus
>  
> This is Centos-7, all updates applied, i.e. dbus-1.10.24, sssd-1.16.0-19.el7
>  
> Thanks,
> Ondrej
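
The "not allowed to own the service" error in this thread comes from the D-Bus policy check on name ownership, which is evaluated per user; that is why the account sssd runs under matters. The following is an added example, not code from the thread or from SSSD: it evaluates `own` rules in D-Bus policy XML under a simplified model (only `context="default"`, `user=` and `context="mandatory"` policies, no `group`, `at_console` or `own_prefix`), and both sample policies are constructed for illustration.

```python
import xml.etree.ElementTree as ET

BUS_NAME = "org.freedesktop.sssd.infopipe"  # bus name taken from the log in the thread

# Constructed sample policies (assumptions, not copied from any package).
POLICY_WITH_OWN = """<busconfig>
  <policy user="root">
    <allow own="org.freedesktop.sssd.infopipe"/>
  </policy>
  <policy context="default">
    <deny own="org.freedesktop.sssd.infopipe"/>
  </policy>
</busconfig>"""

POLICY_WITHOUT_OWN = """<busconfig>
  <policy context="default">
    <allow send_destination="org.freedesktop.sssd.infopipe"/>
  </policy>
</busconfig>"""


def may_own(policy_xml_docs, user, name=BUS_NAME):
    """Return True if `user` may own `name` under the given policy documents.

    Simplified model: default-context rules apply first, then rules for the
    matching user, then mandatory rules; within a stage the last matching
    rule wins. With no matching rule, ownership is denied.
    """
    stages = {"default": [], "user": [], "mandatory": []}
    for doc in policy_xml_docs:
        for policy in ET.fromstring(doc).iter("policy"):
            if policy.get("context") in ("default", "mandatory"):
                stage = policy.get("context")
            elif policy.get("user") == user:
                stage = "user"
            else:
                continue  # policy for another user, a group, or at_console
            for rule in policy:
                if rule.tag in ("allow", "deny") and rule.get("own") in (name, "*"):
                    stages[stage].append(rule.tag == "allow")
    verdict = False  # no rule loaded for this name means the request is refused
    for stage in ("default", "user", "mandatory"):
        for allowed in stages[stage]:
            verdict = allowed
    return verdict
```

An empty policy list models a bus daemon that has not loaded any policy for the name, which produces the same denial as the one logged by `sysbus_init`.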