Maybe this is what you are looking for?
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/mapping-selinux.html
-Justin
On 04/14/2017 11:29 AM, Alex Thomas wrote:
I am sure this is hiding in the docs somewhere but
On 03/17/2017 11:27 AM, Kilborn, Jim wrote:
Jakub,
Thanks for the response...
I already had the selinux_provider=none in the sssd.conf
The sssd.conf is identical on both clients, with the exception of ipa_hostname
[domain/ipa.mydomain.org]
selinux_provider = none
cache_credentials = True
krb
Could you please explain further what you are trying to accomplish with
an AD trust default group? I believe we are following the standard linux
convention of creating a user private group using the ID number which
matches the uid number for AD trust users.
Kind regards,
Justin Stephenson
eliminate the need for the compat tree so this could be related to
the issue if newer ubuntu clients are not working but CentOS is working.
What version of sssd are you running?
Kind regards,
Justin Stephenson
On 08/12/2016 02:35 PM, Jeff Goddard wrote:
I made the edit as suggested - removing ni
Host
'+nonproduction' ... MATCH!//
//Aug 12 14:20:32 sudo[25075] <- sudo_sss_check_host @
./sssd.c:614 := true/
Kind regards,
Justin Stephenson
On 08/12/2016 10:00 AM, Jeff Goddard wrote:
The rule is defined that all members of the developer group have sudo
acce
$(hostname) --service sudo
Kind regards,
Justin Stephenson
On 08/11/2016 02:24 PM, Jeff Goddard wrote:
Here is relevant configuration files:
*nsswitch.conf:*
passwd: compat sss
group: compat sss
shadow: compat sss
gshadow:files
hosts: files dns
networks:
this in
/var/log/sssd/krb5_child.log
This is explained better than I could here:
The anatomy of a trusted identity lookup
https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/
Kind regards,
Justin Stephenson
Thanks,
Guy
O
g
You can also send the debug logs here for review.
Make sure logins and lookups are working on the IPA server first before
troubleshooting the IPA client.
Kind regards,
Justin Stephenson
On 08/09/2016 07:32 PM, Guy Knights wrote:
I've set up a freeipa server on a centos 7 machine and have
general a lot of users are moving towards sssd
automatic ID mapping which means there is no administrative management
of uid/gid values.
There may be some other purpose for IDMU that I am not aware of...
Kind regards,
Justin Stephenson
On 07/25/2016 10:54 AM, Jan Karásek wrote:
Hi,
just for
the
external and POSIX groups you created during the trust setup.
Once done try restarting sssd and removing the /var/lib/sss/db/* cache
Kind regards,
Justin Stephenson
On 07/21/2016 07:56 AM, Jan Karásek wrote:
Thank you.
Now I have IDMU installed and when creating trust, IPA is correctly
Could you please share with us the /var/log/ipaclient-install.log ?
Kind regards,
Justin Stephenson
On 07/20/2016 01:23 PM, Rubin Binder wrote:
Hello all,
I am testing Free IPA server for use under a test environment, so far smooth
sailing and have it up and running, no problems.
The
msSFU30MaxGidNumber
Replacing the root suffix in the search base, the ip-address and bind
credentials.
Kind regards,
Justin Stephenson
On 07/20/2016 08:15 AM, Jan Karásek wrote:
Hi,
thank you for the hint.
In the /usr/lib/python2.7/site-packages/ipalib/plugins/trust.py:
It's working
e function definition in
/usr/lib/python2.7/site-packages/ipalib/plugins/trust.py
I would suggest reviewing the output of 'ipa idrange-find' to confirm
that the range matches up with the uid and gidNumbers of your AD
environment.
Kind regards,
Justin Stephenson
On 07/19/2016 09:44 A
'ldb-tools' rpm
For example:
ldbsearch -H /var/lib/sss/db/cache_.ldb > ldbsearch-first-id-command.ldb
ldbsearch -H /var/lib/sss/db/cache_.ldb > ldbsearch-after-ssh-attempt.ldb
Kind regards,
Justin Stephenson
On 07/13/2016 03:14 PM, Sullivan, Daniel [AAA] wrote:
Jakub,
about the HBAC rule
'cri-cri_server_administrators_allow_all' and how it is configured?
# ipa hbacrule-show 'cri-cri_server_administrators_allow_all'
Kind regards,
Justin Stephenson
On 07/12/2016 04:11 PM, Sullivan, Daniel [AAA] wrote:
Hi,
I am experiencing an HBAC i
testing. On the CLI or WebUI you can
modify the custom roles as you see fit. Red Hat documentation on RBAC below:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/defining-roles.html
Kind regards,
Justin Stephenso
I have used the following successfully in the past:
[shared]
path = /home/shared
valid users = @ad_admins
read only = No
guest ok = Yes
This requires the sssd-libwbclient rpm which may be installed already as
a dependency.
-Justin
On 03
Hello,
Are you looking for this? This leverages the AD trust to allow samba
within IPA to resolve AD users from a trusted AD domain/forest
*Howto/Integrating a Samba File Server With IPA*
http://www.freeipa.org/page/Howto/Integrating_a_Samba_File_Server_With_IPA
-Justin
On 0