Hi
Facing an issue where kinit defaults to using realm name in lowercase. I'm
switching to the user and execute 'kinit'
the krb5kdc.log shows that it uses lowercased realm name and kinit gives an
e-text error..
If I run as same user: kinit username it will add @REALM.. I did use "su" to
become
On Thu, 2017-10-19 at 14:13 +0200, Winberg, Adam wrote:
>
> Got smartcard auth working once I added my smart card cert to my user account
> in AD. So that's good! Kerberos/pkinit seems to work also (I already had that
> setup to work with pam_krb5 before), also good!
>
> But is adding the smartc
On Thu, 2017-10-19 at 02:59 +0200, Günther J. Niederwimmer wrote:
> On Wednesday, 18 October 2017, 14:49:58 CEST, Simo Sorce wrote:
> > On Wed, 2017-10-18 at 14:46 +0200, Günther J. Niederwimmer wrote:
> >
> > > Hello,
> > >
> > > CentOS 7.4
> > > I mean this is an old question :-(.
> > > but is
Got smartcard auth working once I added my smart card cert to my user
account in AD. So that's good! Kerberos/pkinit seems to work also (I already
had that setup to work with pam_krb5 before), also good!
But is adding the smartcard cert to AD accounts the 'correct' way to go
about this or is there
I've been debugging the OCSP issue as well and we can see that the OCSP
server responds to the request. This response is signed by a cert which is
issued by our CA, and that cert is indeed in my nssdb. So should this not
work? Do I have to have the actual OCSP server cert in nssdb, does
certificate
Thanks for your answers!
Yes, please check man sssd-krb5 and the options that include 'renew' in
their name, e.g. "krb5_renewable_lifetime".
After reading the manpage, I thought that this only affects auths via krb5 -
however, our auth_provider is ad. Am I wrong here?
The ad provider is a AD-s
Thanks a bunch, disabling OCSP verification works (and to test with
p11_child you can set the parameter '--verify=no_ocsp').
So, now I can see in debug logs that sssd finds my smartcard certificate
but now it fails trying to verify it against the provider (AD). So what are
the requirements for thi
On Thu, Oct 19, 2017 at 11:40:39AM +0200, Michael Löffler wrote:
> Hi,
>
> > Yes, please check man sssd-krb5 and the options that include 'renew' in
> > their name, e.g. "krb5_renewable_lifetime".
> After reading the manpage, I thought that this only affects auths via krb5 -
> however, our auth_pro
Hi,
> Yes, please check man sssd-krb5 and the options that include 'renew' in
> their name, e.g. "krb5_renewable_lifetime".
After reading the manpage, I thought that this only affects auths via
krb5 - however, our auth_provider is ad. Am I wrong here?
> But please note that only tickets acquire
On Thu, Oct 19, 2017 at 10:57:13AM +0200, Winberg, Adam wrote:
> I'm trying to get smartcard auth working with sssd on RHEL 7.4. We
> currently use a pam_pkcs11/pam_krb5 setup and I was hoping to simplify this
> by using sssd instead. Unfortunately I can't get it to work, sssd does not
> seem to det
I'm trying to get smartcard auth working with sssd on RHEL 7.4. We
currently use a pam_pkcs11/pam_krb5 setup and I was hoping to simplify this
by using sssd instead. Unfortunately I can't get it to work, sssd does not
seem to detect my smartcard certificate.
Running p11_child I get the following:
Strace showed this on sssd when trying to stop:
kill(4294949261, SIGTERM) = -1 ESRCH (No such process)
wait4(18035, 0x7ffe42ce03ac, WNOHANG, NULL) = 0
And I found this:
type=SYSCALL msg=audit(1508398680.127:110): arch=c03e syscall=109
success=yes exit=0 a0=4715 a1=4715 a2=4715 a
On Thu, Oct 19, 2017 at 07:28:53AM +, Hampus Lundqvist wrote:
> Hi.
> Ok, thanks for the answer.
> I just tested installing the sssd-1.15.3-1.1.el6.x86_64 from the repository
> on copr.
> It started and seems to work, until I do a service sssd stop. It hangs and
> will not stop using the nor
Hi.
Ok, thanks for the answer.
I just tested installing the sssd-1.15.3-1.1.el6.x86_64 from the repository on
copr.
It started and seems to work, until I do a service sssd stop. It hangs and will
not stop using the normal signals, any experience in how to get that one
working (is it possible
On Thu, Oct 19, 2017 at 08:41:42AM +0200, Hampus Lundqvist wrote:
> Hello
>
> I'm searching for a solution to use shortnames for users from both
> FreeIPA(4.5) realm and from a Trusted AD realm, I'm using Centos6.9
> which has sssd 1.13.
>
> I’m doing it for the centos7’s using domain resolution
15 matches