[SSSD-users] Re: problems with sssd-1.9

2018-07-19 Thread JOHE (John Hearns)
[domain\xxx.pvt]


Is the backslash valid here? I am sure an expert will say yes..


You are well aware that RHEL 5 is out of support lifetime?

I would imagine that you have some critical applications which run on these 
machines though.





From: Laack, Andrea P 
Sent: 18 July 2018 21:13:47
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] problems with sssd-1.9


I have been tasked with joining a number of redhat/centos 5 servers to a 
domain.  I found sssd-1.9 that would allow id_provider ad.  This is Centos 5.11.



Here is what I got:



[root@testcentos5 db]# /usr/sbin/sssd -i -d9
(Wed Jul 18 13:18:49:136142 2018) [sssd] [ldb] (0x0400): server_sort:Unable to register control with rootdse!
(Wed Jul 18 13:18:49:137532 2018) [sssd] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Wed Jul 18 13:18:49:137857 2018) [sssd] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Wed Jul 18 13:18:49:137962 2018) [sssd] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Wed Jul 18 13:18:49:138029 2018) [sssd] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Wed Jul 18 13:18:49:138161 2018) [sssd] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Wed Jul 18 13:18:49:138226 2018) [sssd] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Wed Jul 18 13:18:49:138343 2018) [sssd] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Wed Jul 18 13:18:49:138404 2018) [sssd] [ldb] (0x4000): start ldb transaction (nesting: 1)
(Wed Jul 18 13:18:49:138502 2018) [sssd] [ldb] (0x4000): commit ldb transaction (nesting: 1)
(Wed Jul 18 13:18:49:138660 2018) [sssd] [confdb_create_ldif] (0x0400): Processing config section [sssd]
(Wed Jul 18 13:18:49:138784 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [config_file_version]
(Wed Jul 18 13:18:49:138870 2018) [sssd] [confdb_create_ldif] (0x4000): config_file_version: 2
(Wed Jul 18 13:18:49:138945 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [domains]
(Wed Jul 18 13:18:49:139034 2018) [sssd] [confdb_create_ldif] (0x4000): domains: xxx.pvt
(Wed Jul 18 13:18:49:139130 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [services]
(Wed Jul 18 13:18:49:139214 2018) [sssd] [confdb_create_ldif] (0x4000): services: nss, pam
(Wed Jul 18 13:18:49:139295 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [debug_level]
(Wed Jul 18 13:18:49:139374 2018) [sssd] [confdb_create_ldif] (0x4000): debug_level: 9
(Wed Jul 18 13:18:49:139539 2018) [sssd] [confdb_create_ldif] (0x4000): Section dn
dn: cn=sssd,cn=config
cn: sssd
config_file_version: 2
domains: xxx.pvt
services: nss, pam
debug_level: 9

(Wed Jul 18 13:18:49:139873 2018) [sssd] [confdb_create_ldif] (0x0400): Processing config section [nss]
(Wed Jul 18 13:18:49:139972 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [debug_level]
(Wed Jul 18 13:18:49:140046 2018) [sssd] [confdb_create_ldif] (0x4000): debug_level: 9
(Wed Jul 18 13:18:49:140113 2018) [sssd] [confdb_create_ldif] (0x4000): Section dn
dn: cn=nss,cn=config
cn: nss
debug_level: 9

(Wed Jul 18 13:18:49:140193 2018) [sssd] [confdb_create_ldif] (0x0400): Processing config section [domain\xxx.pvt]
(Wed Jul 18 13:18:49:140280 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [fallback_homedir]
(Wed Jul 18 13:18:49:140372 2018) [sssd] [confdb_create_ldif] (0x4000): fallback_homedir: /home/%u
(Wed Jul 18 13:18:49:140372 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [default_shell]
(Wed Jul 18 13:18:49:140372 2018) [sssd] [confdb_create_ldif] (0x4000): default_shell: /bin/bash
(Wed Jul 18 13:18:49:140372 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [ad_domain]
(Wed Jul 18 13:18:49:140377 2018) [sssd] [confdb_create_ldif] (0x4000): ad_domain: xxx.pvt
(Wed Jul 18 13:18:49:140453 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [krb5_realm]
(Wed Jul 18 13:18:49:140536 2018) [sssd] [confdb_create_ldif] (0x4000): krb5_realm: xxx.PVT
(Wed Jul 18 13:18:49:140613 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [krb5_server]
(Wed Jul 18 13:18:49:140690 2018) [sssd] [confdb_create_ldif] (0x4000): krb5_server: c02.xxx.pvt
(Wed Jul 18 13:18:49:140765 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [auth_provider]
(Wed Jul 18 13:18:49:140842 2018) [sssd] [confdb_create_ldif] (0x4000): auth_provider: krb5
(Wed Jul 18 13:18:49:141316 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [cache_credentials]
(Wed Jul 18 13:18:49:141640 2018) [sssd] [confdb_create_ldif] (0x4000): cache_credentials: True
(Wed Jul 18 13:18:49:141839 2018) [sssd] [confdb_create_ldif] (0x0400): Processing attribute [id_provider]
(Wed Jul 18 13:18:49:141945 2018) [sssd] [confdb_create_ldif] (0x4000): id_provider: ad
(Wed Jul 18 13:18:49:142023 2018) [sssd] [confdb_create_ldif] (0x0400): P

[SSSD-users] Re: one user can't be looked up

2018-07-03 Thread JOHE (John Hearns)
Peter,

are you running the name service caching daemon, nscd?


From: Sumit Bose 
Sent: 04 July 2018 08:44:49
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: one user can't be looked up

On Thu, Jun 28, 2018 at 07:46:29PM -0700, Peter Moody wrote:
> are there any logs I can provide to help anyone figure out why this is
> happening? I've (re-)confirmed that this behavior is present in 1.16.1

Can you send your sssd.conf for a start.

bye,
Sumit

> On Mon, Jun 18, 2018 at 9:04 PM Peter Moody  wrote:
> >
> > (apologies if this gets sent twice, there was apparently an issue with
> > my subscription to the sssd-users list)
> >
> > this is admittedly low priority since this is all just a test network
> > at this point, but we're looking to deploy sssd at work so I'd like to
> > make sure all the kinks I know about are well understood/fixed
> >
> > I have an openldap install with the following users (pmoody, peter)
> > with uidNumbers (1001, 1002) respectively.
> >
> > sssd works for both users from freebsd 11.2 prerelease (sssd-1.11.7_11,
> > whew, that's old).
> >
> > sssd works for pmoody from debian stretch (1.15.0-3). it does *not*
> > work for the user peter.
> >
> > this is what happens for the user peter.
> >
> > pmoody@deb:~$ sudo sss_cache -E
> > pmoody@deb:~$ getent passwd pmoody
> > pmoody:*:1001:500:Peter Moody:/home/pmoody:/bin/bash
> > pmoody@deb:~$ getent passwd peter
> > pmoody:*:1001:500:Peter Moody:/home/pmoody:/bin/bash
> > pmoody@deb:~$
> >
> > I've tried version 1.16.1-1, same results.
> >
> > These are the ldap entries for the aforementioned users:
> >
> > # peter, people, x.com
> > dn: uid=peter,ou=people,dc=x,dc=com
> > cn: peter
> > givenName: peter
> > sn: moody
> > uid: peter
> > uidNumber: 1002
> > homeDirectory: /home/peter
> > objectClass: top
> > objectClass: posixAccount
> > objectClass: shadowAccount
> > objectClass: inetOrgPerson
> > objectClass: organizationalPerson
> > gidNumber: 500
> > loginShell: /usr/local/bin/fish
> >
> > # pmoody, people, x.com
> > dn: uid=pmoody,ou=people,dc=x,dc=com
> > cn: Peter Moody
> > givenName: Peter
> > sn: Moody
> > uid: pmoody
> > uidNumber: 1001
> > homeDirectory: /home/pmoody
> > objectClass: top
> > objectClass: posixAccount
> > objectClass: shadowAccount
> > objectClass: inetOrgPerson
> > objectClass: organizationalPerson
> > loginShell: /usr/local/bin/fish
> > gidNumber: 500
> >
> > on the debian box that exhibits this error, I see the following in the logs:
> >
> > (Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [ldb] (0x4000): cancel
> > ldb transaction (nesting: 2)
> > (Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]]
> > [sysdb_set_cache_entry_attr] (0x0080): ldb_modify failed: [No such
> > object](32)[ldb_wait from ldb_modify with LDB_WAIT_ALL: No such object
> > (32)]
> > (Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]]
> > [sysdb_set_cache_entry_attr] (0x0400): No such entry
> > (Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [sysdb_set_entry_attr]
> > (0x0080): Cannot set attrs for
> > name=pe...@x.com,cn=users,cn=x.com,cn=sysdb, 2 [No such file or
> > directory]
> > (Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [sysdb_store_user]
> > (0x0040): Cache update failed: 2
> > (Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [ldb] (0x4000): cancel
> > ldb transaction (nesting: 1)
> > (Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [sysdb_store_user]
> > (0x0400): Error: 2 (No such file or directory)
> > (Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [sdap_save_user]
> > (0x0020): Failed to save user [pe...@x.com]
> > (Mon Jun 18 20:39:44 2018) [sssd[be[x.com]]] [sdap_save_users]
> > (0x0040): Failed to store user 0. Ignoring.
> >
> > it kind of looks like what was reported here :
> > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/P6F7D5BOFYOWOCUXZTUQK26RQYPD5U24/?sort=date
> >
> > but I don't see a resolution to that report.
> >
> > any suggestions on what I can do to fix this? logs/configs I can
> > provide to help isolate the problem?
> >
> > Cheers,
> > peter

[SSSD-users] Re: sss_override user-export is empty

2018-06-25 Thread JOHE (John Hearns)
Have you used the -n option?


sss_override user-add mwvande -n mwvande -u 4311 -g4311


I also added a group option there, you might need it.


From: vad...@gmail.com 
Sent: 24 June 2018 05:04:21
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] sss_override user-export is empty

I made a change in UID for a user with sss_override but user-export to a file 
does not export anything. I am using sssd version 1.15.2. Is this a bug or may 
be I am doing something wrong? I followed the steps from this 
https://jhrozek.wordpress.com/2016/02/15/sssd-local-overrides/

I ran these as root
# sssd --version
1.15.2
# sss_override user-add mwvande -u 4311
# systemctl restart sssd
# sss_override user-export foo
# cat foo
(no output)

I also tried it without the restart

# sss_override user-add mwvande -u 4311
# sss_override user-export foo
# cat foo
(no output)


--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: 
pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/ZVMZKXFBMIXFQO2VXL37TAJLRV6LGA6I/


[SSSD-users] Re: Files provider - does not start properly ?

2018-06-12 Thread JOHE (John Hearns)
Thanks for looking Jakub. I think the wonders of Office 365 have blocked 
sending attachments from this address.

Way to go for getting help .. not.



From: Jakub Hrozek 
Sent: 12 June 2018 16:08:41
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: Files provider - does not start properly ?

I’m sorry, but I don’t see any attachment..

> On 12 Jun 2018, at 11:15, JOHE (John Hearns)  wrote:
>
> Thank you. Logs are attached.
>
>
> From: Jakub Hrozek 
> Sent: 12 June 2018 10:28:39
> To: End-user discussions about the System Security Services Daemon
> Subject: [SSSD-users] Re: Files provider - does not start properly ?
>
> Yes, just please make sure they don’t contain some confidential data (host 
> names etc..)
>
> > On 12 Jun 2018, at 10:09, JOHE (John Hearns)  wrote:
> >
> > Hi Jakub. I have the logs available. What is the best way to upload?
> > I guess just attach them here as a reply!
> > From: Jakub Hrozek 
> > Sent: 11 June 2018 20:30:59
> > To: End-user discussions about the System Security Services Daemon
> > Subject: [SSSD-users] Re: Files provider - does not start properly ?
> >
> >
> >
> > > On 11 Jun 2018, at 16:01, JOHE (John Hearns)  wrote:
> > >
> > > I am trying out the files provider with sssd version 16.1 on Ubuntu Xenial.
> > >
> > > In the configuration file I set enable_files_domain = True
> > >
> > > sssd_implicit_files.log then says :
> > > [sssd[be[implicit_files]]] [id_callback] (0x0010): The Monitor returned 
> > > an error [org.freedesktop.DBus.Error.NoReply]
> >
> > Can you set the full set of logs, from both the domain log file and the 
> > sssd.log file? There was one user who reported issues with the files 
> > provider on fedora but we could never pin the issue down.
> >
> > >
> > > Any ideas please?
> > >
> > > Also rather confusingly /etc/nsswitch.conf still has to be set with:  
> > >   passwd  files sss
> >
> > Fedora switched the default to “sss files” in F-26. I wouldn’t recommend 
> > just “sss” because sssd doesn’t handle root by design (if sssd is 
> > misbehaving you really want to be able to log in as root to fix things..)
> >
> > > The simple-minded amongst us (me) thought that from the description of 
> > > the sssd files provider, the passwd and group file would be read at 
> > > startup, therefore all you would need is sss in the nsswitch.conf
> > > Clearly there is a huge hole of comprehension. Between my ears.
> > >
> > >
> > >
> > >
> > >

[SSSD-users] Re: Files provider - does not start properly ?

2018-06-12 Thread JOHE (John Hearns)
Thank you. Logs are attached.




From: Jakub Hrozek 
Sent: 12 June 2018 10:28:39
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: Files provider - does not start properly ?

Yes, just please make sure they don’t contain some confidential data (host 
names etc..)

> On 12 Jun 2018, at 10:09, JOHE (John Hearns)  wrote:
>
> Hi Jakub. I have the logs available. What is the best way to upload?
> I guess just attach them here as a reply!
> From: Jakub Hrozek 
> Sent: 11 June 2018 20:30:59
> To: End-user discussions about the System Security Services Daemon
> Subject: [SSSD-users] Re: Files provider - does not start properly ?
>
>
>
> > On 11 Jun 2018, at 16:01, JOHE (John Hearns)  wrote:
> >
> > I am trying out the files provider with sssd version 16.1 on Ubuntu Xenial.
> >
> > In the configuration file I set enable_files_domain = True
> >
> > sssd_implicit_files.log then says :
> > [sssd[be[implicit_files]]] [id_callback] (0x0010): The Monitor returned an 
> > error [org.freedesktop.DBus.Error.NoReply]
>
> Can you set the full set of logs, from both the domain log file and the 
> sssd.log file? There was one user who reported issues with the files provider 
> on fedora but we could never pin the issue down.
>
> >
> > Any ideas please?
> >
> > Also rather confusingly /etc/nsswitch.conf still has to be set with:
> > passwd  files sss
>
> Fedora switched the default to “sss files” in F-26. I wouldn’t recommend just 
> “sss” because sssd doesn’t handle root by design (if sssd is misbehaving you 
> really want to be able to log in as root to fix things..)
>
> > The simple-minded amongst us (me) thought that from the description of the 
> > sssd files provider, the passwd and group file would be read at startup, 
> > therefore all you would need is sss in the nsswitch.conf
> > Clearly there is a huge hole of comprehension. Between my ears.
> >
> >
> >
> >
> >

[SSSD-users] Re: Files provider - does not start properly ?

2018-06-12 Thread JOHE (John Hearns)
Hi Jakub. I have the logs available. What is the best way to upload?

I guess just attach them here as a reply!


From: Jakub Hrozek 
Sent: 11 June 2018 20:30:59
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: Files provider - does not start properly ?



> On 11 Jun 2018, at 16:01, JOHE (John Hearns)  wrote:
>
> I am trying out the files provider with sssd version 16.1 on Ubuntu Xenial.
>
> In the configuration file I set enable_files_domain = True
>
> sssd_implicit_files.log then says :
> [sssd[be[implicit_files]]] [id_callback] (0x0010): The Monitor returned an 
> error [org.freedesktop.DBus.Error.NoReply]

Can you set the full set of logs, from both the domain log file and the 
sssd.log file? There was one user who reported issues with the files provider 
on fedora but we could never pin the issue down.

>
> Any ideas please?
>
> Also rather confusingly /etc/nsswitch.conf still has to be set with:  
>   passwd  files sss

Fedora switched the default to “sss files” in F-26. I wouldn’t recommend just 
“sss” because sssd doesn’t handle root by design (if sssd is misbehaving you 
really want to be able to log in as root to fix things..)

> The simple-minded amongst us (me) thought that from the description of the 
> sssd files provider, the passwd and group file would be read at startup, 
> therefore all you would need is sss in the nsswitch.conf
> Clearly there is a huge hole of comprehension. Between my ears.
>
>
>
>
>
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/FD2AOA2WQ4TY4AD6CJAH3ZMWU3OPSIJ2/


[SSSD-users] Files provider - does not start properly ?

2018-06-11 Thread JOHE (John Hearns)
I am trying out the files provider with sssd version 16.1 on Ubuntu Xenial.


In the configuration file I set enable_files_domain = True


sssd_implicit_files.log then says:

[sssd[be[implicit_files]]] [id_callback] (0x0010): The Monitor returned an 
error [org.freedesktop.DBus.Error.NoReply]


Any ideas please?


Also rather confusingly /etc/nsswitch.conf still has to be set with:
passwd  files sss

The simple-minded amongst us (me) thought that from the description of the sssd 
files provider, the passwd and group file would be read at startup, therefore 
all you would need is sss in the nsswitch.conf

Clearly there is a huge hole of comprehension. Between my ears.





___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/Z45SFIFRWFRVXUBWV2OMMITLC4ODR6W4/


[SSSD-users] Refreshing tickets with msktutil

2018-06-08 Thread JOHE (John Hearns)
sssd version 1.15.0 running on Ubuntu Xenial.
In my setup sssd is not automatically refreshing computer account tickets after 
30 days, for some reason.

I found the msktutil package, which has a cron job which runs msktutil 
--auto-update each day.
So far so good.

However msktutil --auto-update fails but msktutil --update works OK.
Can anyone drop me a hint please why this might be so?
Snippets from the verbose output below.

/usr/sbin/msktutil --verbose --auto-update
 -- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-V1URdr
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: and$
 -- try_machine_keytab_princ: Trying to authenticate for and$ from local keytab...
 -- try_machine_keytab_princ: Error: krb5_get_init_creds_keytab failed (Preauthentication failed)
 -- try_machine_keytab_princ: Authentication with keytab failed





/usr/sbin/msktutil --verbose --update
 -- get_default_keytab: Obtaining the default keytab name: FILE:/etc/krb5.keytab
 -- create_fake_krb5_conf: Created a fake krb5.conf file: /tmp/.msktkrb5.conf-QXmuHN
 -- reload: Reloading Kerberos Context
 -- finalize_exec: SAM Account Name is: and$
 -- try_machine_keytab_princ: Trying to authenticate for and$ from local keytab...
 -- switch_default_ccache: Using the local credential cache: FILE:/tmp/.mskt_krb5_ccache-ZChBdy
 -- finalize_exec: Authenticated using method 1






___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/M6PRA5MJYZLF4BBGAGM4RXMJSNK2VRJ6/


[SSSD-users] Strange behaviour with groups

2018-06-01 Thread JOHE (John Hearns)
I am seeing some very strange behaviour.

Very often when I issue the command 'groups username' then only the local 
groups in /etc/group are returned.

Issue the command again then the list with the local groups plus the AD groups 
is returned.

In /etc/nsswitch.conf group:  files sss

I am altering the parameter ad_enable_gc to False but this happened with it 
set to True also.


Any ideas please?
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/OAULBOFUXLR4OPUTLX6Y5QVBYOFF7FUM/


[SSSD-users] Long groups resolution time

2018-05-29 Thread JOHE (John Hearns)
I am still having a lot of problems with group resolution in sssd.

User logins can take anything up to two minutes, or longer.

When I time the command 'groups username' for a selected username this can 
take two or more minutes to return.

I have this set:


ldap_schema = ad
ldap_group_nesting_level = 0
ldap_groups_use_matching_rule_in_chain = True
ldap_initgroups_use_matching_rule_in_chain = True

How can one tell what the appropriate ldap_schema is for our AD controllers?



Also the information is not cached for long enough. I set

enum_cache_timeout = 1200
entry_cache_timeout = 5400
entry_cache_user_timeout = 5400
entry_cache_group_timeput = 5400

I really do not see groups information being cached for 90 minutes


___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/A6DDF2LU75ERIB7JIETCQ23IJLZM7RQN/
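As an added example, not code from any post in this archive or from the sssd project: a small Python linter for the configuration mistakes these threads circle around, the [domain\xxx.pvt] backslash in the sssd-1.9 thread (sssd.conf(5) writes the header as [domain/NAME]), Jakub's point in the files-provider thread that nsswitch.conf should keep 'files' next to 'sss', and the cache-timeout keys in the message above. KNOWN_OPTIONS is a hand-picked subset of the real option list and both sample inputs are constructed.

```python
import re

# Hand-picked subset of sssd.conf(5) option names per section kind. This is
# an assumption of the example, not sssd's real option table; it covers the
# settings quoted in this archive. Extend it with the options you use.
KNOWN_OPTIONS = {
    "sssd": {"config_file_version", "domains", "services", "debug_level"},
    "nss": {"debug_level", "filter_users", "filter_groups",
            "enum_cache_timeout", "entry_negative_timeout"},
    "domain": {"debug_level", "id_provider", "auth_provider", "ad_domain",
               "krb5_realm", "krb5_server", "cache_credentials",
               "fallback_homedir", "default_shell", "ldap_schema",
               "ldap_group_nesting_level", "ad_enable_gc",
               "ldap_groups_use_matching_rule_in_chain",
               "ldap_initgroups_use_matching_rule_in_chain",
               "entry_cache_timeout", "entry_cache_user_timeout",
               "entry_cache_group_timeout"},
}

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
OPTION_RE = re.compile(r"^(?P<key>[A-Za-z0-9_]+)\s*=\s*(?P<value>.*?)$")


def parse_ini(text):
    """Parse an sssd.conf-style INI body into {section: {key: value}}.
    Section names are kept exactly as written, so the backslash in a
    [domain\\xxx.pvt] header survives and can be reported."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            sections.setdefault(current, {})
            continue
        m = OPTION_RE.match(line)
        if m and current is not None:
            sections[current][m.group("key")] = m.group("value")
    return sections


def lint_sssd_conf(text):
    """Return findings: a domain header using a backslash, option keys not in
    KNOWN_OPTIONS (sssd does not reject unknown keys, so a typo such as
    entry_cache_group_timeput just leaves the default in force), and names
    in 'domains' that have no [domain/NAME] section."""
    findings, conf = [], parse_ini(text)
    declared = {d.strip() for d in conf.get("sssd", {}).get("domains", "").split(",")}
    declared.discard("")
    seen = set()
    for section, options in conf.items():
        kind = section
        if section.startswith("domain\\"):
            findings.append("[%s]: sssd expects [domain/NAME], not a backslash" % section)
            kind = "domain"
        elif section.startswith("domain/"):
            kind = "domain"
            seen.add(section.split("/", 1)[1])
        known = KNOWN_OPTIONS.get(kind)
        if known is None:
            findings.append("[%s]: unknown section" % section)
            continue
        for key in options:
            if key not in known:
                findings.append("[%s]: unknown option '%s' (typo?)" % (section, key))
    for name in sorted(declared - seen):
        findings.append("domains lists '%s' but no [domain/%s] section exists" % (name, name))
    return findings


def lint_nsswitch(text):
    """Check the passwd and group lines of nsswitch.conf: both 'sss' and
    'files' should be listed. sssd does not serve root by design, so without
    'files' root cannot be resolved when sssd is down."""
    findings = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("passwd:", "group:"):
            continue
        db, sources = parts[0].rstrip(":"), parts[1:]
        if "sss" not in sources:
            findings.append("%s: 'sss' missing, sssd users will not resolve" % db)
        if "files" not in sources:
            findings.append("%s: 'files' missing, root is unresolvable if sssd is down" % db)
    return findings


# Constructed sample inputs that reproduce the mistakes seen in this archive.
SAMPLE_SSSD_CONF = """[sssd]
domains = xxx.pvt

[domain\\xxx.pvt]
id_provider = ad
ad_domain = xxx.pvt
entry_cache_group_timeput = 5400
"""
SAMPLE_NSSWITCH = "passwd: sss\ngroup:  files sss\n"
```

Recent sssd releases ship sssctl config-check, which performs this kind of validation against the full option list.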


[SSSD-users] Cacheing of group entries

2018-05-23 Thread JOHE (John Hearns)
Another thing which is driving me batty

I log in via ssh. There is a long pause while the 'groups' utility is run.
When I get a prompt I can type 'id myusername' and get an instant response.
Five minutes later I open a new terminal on my desktop, and it hangs, again in 
the groups utility.

I have set enum_cache_timeout to be 1200. Should I be looking at other 
caching parameters please?
From my nss stanza:

[nss]
filter_users = root, postfix, lightdm
filter_groups = root
enum_cache_timeout = 1200
entry_negative_timeout = 600


___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/7C2NGKJNUJE4YZVSY4RZWYW3UBB2RJQK/


[SSSD-users] Lightdm and the fail whale

2018-05-23 Thread JOHE (John Hearns)
Is anyone else using lightdm with sssd?

Specifically on Ubuntu Xenial.  I have sssd working, as I can ssh into the 
workstation using an account and password.


The display manager is very flaky indeed, and takes a lot to get it to open a 
desktop session.

I see this in the lightdm logs:

[+296.15s] DEBUG: Authenticate result for user johe: Success
[+296.15s] DEBUG: User johe authorized, but no account of that name exists


I have seen one report of this problem, and the only fix seems to be a restart 
of the lightdm service. Or a reboot.


Also in the syslog I see

May 23 11:08:31 ibis lightdm[7408]: ** (process:7673): WARNING **: Failed to open CK session: GDBus.Error:org.freedesktop.DBus.Error.ServiceUnknown: The name org.freedesktop.ConsoleKit was not provided by any .service files
May 23 11:08:31 ibis lightdm[7408]: Failed to write utmpx: No such file or directory

May 23 11:08:36 ibis gnome-session-binary[8547]: CRITICAL: We failed, but the fail whale is dead. Sorry
May 23 11:08:37 ibis lightdm[7408]: Failed to write utmpx: No such file or directory

Has anyone seen similar output?





List Archives: 
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/5D6XMCTE6TGJHINFOKGMHOG3J4DJ62Q4/


[SSSD-users] Re: Help with AD password

2018-05-17 Thread JOHE (John Hearns)
Thank you, Sumit. I am increasing the log level and am looking at the logs as a 
login attempt is made.


I am sure there is something simple I need to adjust here.


From: Sumit Bose 
Sent: 17 May 2018 10:35:09
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: Help with AD password

On Thu, May 17, 2018 at 08:22:27AM +, JOHE (John Hearns) wrote:
> I recently posted to this list regarding a very slow response when getting 
> the groups for a user.
>
> The fix was to set
>
> ldap_schema = rfc2307bis
>
>
> Now 'groups' and 'id' return very quickly.  As an aside, is there an easy way 
> to tell if rfc30172 or rfc3072bis are in operation on a given AD domain?
>
>
> The problem is now that my account cannot log in... My account is valid, and 
> I can do 'id johe' and 'getent passwd johe' where johe is my account name. I 
> just can't log in with my password.
>
> I am almost 100% sure my password is valid, as I can LDAP bind to the AD 
> controller and perform ldap searches.
>
>
> Any help on debugging this issue is welcome.
>
> BTW my sAMAccountName is JOHE  but I think this is not case sensitive, from 
> what I can see in the sssd logs.

Please have a look at
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html.

In your case the most interesting log files would be sssd_pam.log and
sssd_your.domain.name.log (and krb5_child.log if you use Kerberos
authentication). To get the most details here add debug_level=9 to the
[pam] and [domain/...] sections of sssd.conf.

bye,
Sumit



[SSSD-users] Help with AD password

2018-05-17 Thread JOHE (John Hearns)
I recently posted to this list regarding a very slow response when getting the 
groups for a user.

The fix was to set

ldap_schema = rfc2307bis


Now 'groups' and 'id' return very quickly.  As an aside, is there an easy way 
to tell if rfc30172 or rfc3072bis are in operation on a given AD domain?


The problem is now that my account cannot log in... My account is valid, and I 
can do 'id johe' and 'getent passwd johe' where johe is my account name. I just 
can't log in with my password.

I am almost 100% sure my password is valid, as I can LDAP bind to the AD 
controller and perform ldap searches.


Any help on debugging this issue is welcome.

BTW my sAMAccountName is JOHE  but I think this is not case sensitive, from 
what I can see in the sssd logs.






[SSSD-users] Cache flushing after password change

2018-05-09 Thread JOHE (John Hearns)
I know I could look this one up in the docs somewhere...

If I have a Linux workstation which is using AD for the authentication provider, 
and I change my password using a Windows machine, what then happens when I log 
into Linux if the Linux machine has cached my credentials?


[SSSD-users] System is busy - mouse and keyboard not usable

2018-05-09 Thread JOHE (John Hearns)
I have set up sssd authentication on a Ubuntu Xenial workstation, with the 
Lightdm windowing manager.


When the sssd service starts the sssd_be process is taking 100% CPU. I am not 
that concerned with this.

However I see that when I am using the windowing system the mouse 'goes away' 
and sometimes the keyboard too, ie there is no mouse pointer and the keyboard 
does not respond. This says to me that the OS is very busy doing things, and 
does not have time to service interrupts from the keyboard/mouse.

Has anyone else seen this behaviour?


I increased the nss stanza to have enum_cache_timeout = 1200

Clearly this will not help with the first enumeration - but it does keep the 
data for longer in the cache.


Also when sssd first starts up it seems to look at every account in the local 
/etc/passwd file and request information about it.

We have several hundred locally defined users in the passwd file at the moment.

Is this expected behaviour? I would have thought that only if an account 
actually makes a login attempt or uses a service then the information would be 
collected from AD/IPA/LDAP. I may be wrong and I am sure I will learn 
something here.






[SSSD-users] Re: Server not found in Kerberos database and debug level 11

2018-05-03 Thread JOHE (John Hearns)
Jakub, thank you for your reply. I have (almost!) got things working now.

I have removed the ldap parameters in the sssd.conf


I had a mixup with the AD controller hostname - it is ad.adtest.private and I 
think this was significant.

Now I am retrieving the user information from AD.

Still having problems with PAM, so I am sure I will be back (sorry!)






From: JOHE (John Hearns)
Sent: 03 May 2018 11:06:02
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] Re: Server not found in Kerberos database and debug 
level 11


>> By the way, why does the debug level not go up to 11?

> Because 9 is the highest?

http://knowyourmeme.com/memes/these-go-to-11-spinal-tap





From: Jakub Hrozek 
Sent: 03 May 2018 09:43:33
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: Server not found in Kerberos database and debug level 
11



> On 2 May 2018, at 17:54, JOHE (John Hearns) wrote:
>
> I would appreciate some pointers.
> I have a sandbox setup running on VMs.  There is an AD controller using the 
> VM image which Microsoft has available for testing.
> I have created a domain called ad.test
>
> On my client machine I am continually getting this error:
> [sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: 
> Unspecified GSS failure.  Minor code may provide more information (Server not 
> found in Kerberos database)
>

I find it easier to debug this kind of an issue with:
KRB5_TRACE=/dev/stderr ldapsearch -Y GSSAPI -H ldap://your.ad.dc -s base -b ""

Also, what version and on what OS are you running?

>
> On the client klist -k | uniq returns
>
> KVNO Principal
> ---- --------------------------------------------------------------------------
>    3 CLIENT1$@ADTEST.PRIVATE
>    3 host/CLIENT1@ADTEST.PRIVATE
>    3 host/client1@ADTEST.PRIVATE
>    3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE
>    3 RestrictedKrbHost/client1@ADTEST.PRIVATE
>
> The funny thing is ONLY   kinit -k CLIENT1$\@ADTEST.PRIVATE   will work.

This is expected, only the client$@realm principal is a user/computer 
principal, the rest are service principals.

> I do get a tgt:
> Ticket cache: FILE:/tmp/krb5cc_0
> Default principal: CLIENT1$@ADTEST.PRIVATE
>
> Just in the sandbox I am also setting:
> ldap_auth_disable_tls_never_use_in_production = true

Please don't use this: not only is it very insecure, it also doesn't make 
any sense, since this option is only useful if you use auth_provider=ldap. With 
id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.

>
> Any pointers please?  I have cranked debug up to 8 and this error message 
> seems to be the crucial one.
>
> By the way, why does the debug level not go up to 11?

Because 9 is the highest?


[SSSD-users] Re: Server not found in Kerberos database and debug level 11

2018-05-03 Thread JOHE (John Hearns)
>> By the way, why does the debug level not go up to 11?

> Because 9 is the highest?

http://knowyourmeme.com/memes/these-go-to-11-spinal-tap



[SSSD-users] Re: Server not found in Kerberos database and debug level 11

2018-05-03 Thread JOHE (John Hearns)
Jakub, thank you for your reply.

Client OS is Ubuntu Xenial. Yes, I know...   pats favourite labrador goodbye. 
Sound of drawer opening and  service revolver being loaded...

I did realise that about the option ldap_auth_disable_tls_never_use_in_production = true. 
The problem I have is that there is a CA cert on the Active Directory 
controller, but I cannot see if there is an SSL certificate.
I may well be misunderstanding things.

>Please don’t use this, not only it is very insecure, but also it doesn’t make 
>any sense, this option is only useful if you use auth_provider=ldap. With 
>id_provider/auth_provider=ad, TLS is not used, but GSSAPI is.

Aha. Thank you for that information.
I then have to ask the assembled choir (as I am not at the pearly gates) - does 
AD in the default configuration have SSL certificate capability?


[SSSD-users] Server not found in Kerberos database and debug level 11

2018-05-02 Thread JOHE (John Hearns)
I would appreciate some pointers.

I have a sandbox setup running on VMs.  There is an AD controller using the VM 
image which Microsoft has available for testing.

I have created a domain called ad.test


On my client machine I am continually getting this error:

[sssd[be[adtest.private]]] [ad_sasl_log] (0x0040): SASL: GSSAPI Error: 
Unspecified GSS failure.  Minor code may provide more information (Server not 
found in Kerberos database)



On the client klist -k | uniq returns


KVNO Principal
---- --------------------------------------------------------------------------
   3 CLIENT1$@ADTEST.PRIVATE
   3 host/CLIENT1@ADTEST.PRIVATE
   3 host/client1@ADTEST.PRIVATE
   3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE
   3 RestrictedKrbHost/client1@ADTEST.PRIVATE


The funny thing is ONLY   kinit -k CLIENT1$\@ADTEST.PRIVATE   will work.

I do get a tgt:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: CLIENT1$@ADTEST.PRIVATE


Just in the sandbox I am also setting:

ldap_auth_disable_tls_never_use_in_production = true


Any pointers please?  I have cranked debug up to 8 and this error message seems 
to be the crucial one.


By the way, why does the debug level not go up to 11?
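
The klist -k listing above, worked through as an added example that is not part of the original post or of MIT Kerberos: the script parses a constructed copy of that listing and separates the computer-account principal from service principals, which is the distinction Jakub's reply earlier on this page draws (only CLIENT1$@ADTEST.PRIVATE is usable with kinit -k; the host/ and RestrictedKrbHost/ entries are service principals). It also checks that the host/ and RestrictedKrbHost/ spellings shown in the post are all present for a given short hostname and lists the key version numbers in the keytab. The "Keytab name" header line, and the hostname and realm arguments, are assumptions taken from the listing.

```python
"""Classify the principals in a `klist -k` keytab listing.

Added example for this page, not part of the original thread or of MIT
Kerberos. Only a principal without a service component (CLIENT1$@REALM, the
computer account) can obtain a TGT with kinit -k; host/... and
RestrictedKrbHost/... entries are service principals that tickets are
issued *to*, which is why only the first entry in the listing works.
"""
import re

# Constructed sample mirroring the listing in the post (the "Keytab name"
# header line is assumed; klist -k prints one on a real system).
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 CLIENT1$@ADTEST.PRIVATE
   3 host/CLIENT1@ADTEST.PRIVATE
   3 host/client1@ADTEST.PRIVATE
   3 RestrictedKrbHost/CLIENT1@ADTEST.PRIVATE
   3 RestrictedKrbHost/client1@ADTEST.PRIVATE
"""

# A data row is a key version number followed by a principal; the header and
# separator lines do not start with a number.
ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\S+@\S+)\s*$")


def parse_keytab_listing(text):
    """Return (kvno, principal) tuples in listing order."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            entries.append((int(m.group(1)), m.group(2)))
    return entries


def classify(principal):
    """'account' for user/computer principals, 'service' for service/instance@REALM."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not realm:
        raise ValueError(f"principal without realm: {principal!r}")
    return "service" if "/" in name else "account"


def kinit_candidates(entries):
    """Principals kinit -k could use to obtain a TGT from this keytab."""
    return sorted({p for _, p in entries if classify(p) == "account"})


def missing_service_principals(entries, short_host, realm):
    """Service principals in the spellings the post shows (host/ and
    RestrictedKrbHost/, upper- and lower-case short hostname) that are
    absent from the keytab; hostname and realm are caller assumptions."""
    present = {p for _, p in entries}
    wanted = [f"{svc}/{host}@{realm}"
              for svc in ("host", "RestrictedKrbHost")
              for host in (short_host.upper(), short_host.lower())]
    return [p for p in wanted if p not in present]


def key_versions(entries):
    """Distinct KVNOs in the keytab, to compare with the computer account's
    msDS-KeyVersionNumber in AD when tickets are rejected."""
    return sorted({kvno for kvno, _ in entries})


if __name__ == "__main__":
    entries = parse_keytab_listing(KLIST_OUTPUT)
    for kvno, principal in entries:
        print(f"{kvno:>4} {classify(principal):8} {principal}")
    print("usable with kinit -k:", kinit_candidates(entries))
    print("missing SPNs:", missing_service_principals(entries, "client1", "ADTEST.PRIVATE"))
    print("key versions:", key_versions(entries))
```

Run against the sample it reports a single kinit -k candidate, no missing service principals and one key version; a keytab that lacks one of the expected spellings, or that carries a KVNO the account in AD no longer has, shows up directly in the last two lines, which is cheaper to check than reading the debug log.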


[SSSD-users] Re: Realm says Necessary packages are not installed

2018-04-26 Thread JOHE (John Hearns)
Thank you, Sumit. The problem was indeed packagekit.

I solved it by apt install packagekit



From: Sumit Bose 
Sent: 25 April 2018 19:27
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: Realm says Necessary packages are not installed

On Wed, Apr 25, 2018 at 02:55:33PM +, JOHE (John Hearns) wrote:
> Following a lovely day of fun and games with my physical workstation, where I 
> borked the authentication so much that I had to boot it from a sysrescue 
> thumb drive (http://www.system-rescue-cd.org/   I sleep with one of these 
> under my pillow)
>
>
> I have decided to experiment with some VMs (Vagrant / Virtualbox / Ubuntu)
>
> When I run realm join   domainname   I get:
>
> realmd[7008]:  ! Necessary packages are not installed: sssd-tools sssd 
> libnss-sss libpam-sss adcli

By default realmd tries to lookup and install packages with package-kit.
I guess this is not available on your system. Please try to set

[service]
automatic-install = no

in /etc/realmd.conf, see man realmd.conf for details.

HTH

bye,
Sumit

>
>
> Those packages definitely are installed...
>
> I guess others have seen this message?  Yeah, Google is my friend
>


[SSSD-users] Realm says Necessary packages are not installed

2018-04-25 Thread JOHE (John Hearns)
Following a lovely day of fun and games with my physical workstation, where I 
borked the authentication so much that I had to boot it from a sysrescue thumb 
drive (http://www.system-rescue-cd.org/   I sleep with one of these under my 
pillow)


I have decided to experiment with some VMs (Vagrant / Virtualbox / Ubuntu)

When I run realm join domainname I get:

realmd[7008]:  ! Necessary packages are not installed: sssd-tools sssd 
libnss-sss libpam-sss adcli


Those packages definitely are installed...

I guess others have seen this message?  Yeah, Google is my friend

