[SSSD-users] Missing group memberships with sssd (when using tokengroups)

2018-07-09 Thread Spike White
All, Below is a writeup of missing AD groups for accounts when using tokengroups. When not using tokengroups, sssd is rock solid. Yes, most of the missing AD groups are universal or global groups -- but not all! For some accounts, even domain-local AD groups are missed from their group

[SSSD-users] Re: sssd id getent and secondary groups in active directory

2018-07-09 Thread Jakub Hrozek
On Mon, Jul 09, 2018 at 01:45:57PM +0200, John Hearns wrote: > One stupid question - is there an easy(ish) way to tell how deep a group > hierarchy exists on a particular site? I don't think so, without trying. However, looking at the code now, the default nesting limit is only two levels deep

[SSSD-users] Re: sssd id getent and secondary groups in active directory

2018-07-09 Thread Ratliff, John
On Fri, 2018-07-06 at 10:55 +0200, Sumit Bose wrote: > > this makes SSSD assume that the user is not a member of any group. > > Please try to set 'ldap_use_tokengroups=False' (see man sssd-ldap for > details) and check if the group memberships are reported more > reliably. > > Afaik the issue

[SSSD-users] Re: recreate machine keytab file

2018-07-09 Thread James Ralston
On Mon, Jul 9, 2018 at 8:19 AM Ondrej Valousek wrote: > Is there any way we can recreate the system keytab file of a machine > joined to AD if the file has been broken/deleted? > > I want to avoid doing the join again as this would probably delete the > existing account (with all attributes we have

[SSSD-users] Re: recreate machine keytab file

2018-07-09 Thread John Hearns
Talking about renewing keys. In our setup we use a service account which has the rights to join machines to the domain; the Linux workstations are in a special OU. I run a cron job which calls msktutil --auto-update every day to renew the machine password if over 30 days. As discussed in another

[SSSD-users] Re: sssd id getent and secondary groups in active directory

2018-07-09 Thread John Hearns
One stupid question - is there an easy(ish) way to tell how deep a group hierarchy exists on a particular site? On 9 July 2018 at 13:36, Jakub Hrozek wrote: > On Fri, Jul 06, 2018 at 01:41:38PM +, Ratliff, John wrote: > > > > > > On Fri, 2018-07-06 at 10:55 +0200, Sumit Bose wrote: > > >
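John's question above (how deep is the group hierarchy at a site?) and Jakub's note that the default nesting limit is two levels can be checked against membership data pulled from the directory. The script below is an added example, not code from SSSD or from anyone in this thread: it takes a mapping of "entity -> groups it is a direct member of" (what you would build from the memberOf attribute of each user and group entry) and computes both the hierarchy depth for a user and the groups a bounded nesting search reaches. The membership data is constructed, and the model of the nesting limit (0 = direct groups only, each increment follows one more group-of-group link) is an assumption here; sssd-ldap(5) under ldap_group_nesting_level is the authority on how SSSD actually counts levels.

```python
"""
Added example: measure group-nesting depth for a user and show which
groups a bounded nesting search misses.

MEMBER_OF is a constructed sample, not real directory data. Build the
same shape from the 'memberOf' attribute of each user and group entry
and the functions below work unchanged.
"""

# Constructed sample: entity -> set of groups it is a *direct* member of.
# Nothing here refers to a real directory.
MEMBER_OF = {
    "jdoe":           {"cn=linux-users", "cn=dev-team"},
    "cn=linux-users": set(),
    "cn=dev-team":    {"cn=engineering"},
    "cn=engineering": {"cn=all-staff"},
    "cn=all-staff":   {"cn=everyone"},
    "cn=everyone":    {"cn=all-staff"},   # deliberate cycle; AD allows these
}


def groups_within(user, member_of, nesting_level):
    """Groups reachable from `user` with at most `nesting_level` hops
    beyond the direct groups (assumed model: 0 = direct groups only).

    Cycles in group membership are tolerated: a group is visited once.
    """
    seen = set(member_of.get(user, ()))
    frontier = set(seen)
    for _ in range(nesting_level):
        nxt = set()
        for group in frontier:
            nxt |= member_of.get(group, set())
        nxt -= seen                 # drop groups already resolved
        if not nxt:
            break                   # hierarchy exhausted early
        seen |= nxt
        frontier = nxt
    return seen


def hierarchy_depth(user, member_of):
    """Number of group-of-group hops needed to reach every group the user
    is transitively in. Direct membership alone is depth 0.
    """
    depth = 0
    seen = set(member_of.get(user, ()))
    frontier = set(seen)
    while True:
        nxt = set()
        for group in frontier:
            nxt |= member_of.get(group, set())
        nxt -= seen
        if not nxt:
            return depth
        depth += 1
        seen |= nxt
        frontier = nxt


def missed_at_level(user, member_of, nesting_level):
    """Groups the user really belongs to but a search capped at
    `nesting_level` does not return."""
    full = groups_within(user, member_of, hierarchy_depth(user, member_of))
    return full - groups_within(user, member_of, nesting_level)


if __name__ == "__main__":
    user = "jdoe"
    print("hierarchy depth for", user, "=", hierarchy_depth(user, MEMBER_OF))
    for level in (0, 2, 3):
        print("level", level, "->", sorted(groups_within(user, MEMBER_OF, level)))
    print("missed at level 2:", sorted(missed_at_level(user, MEMBER_OF, 2)))
```

With the sample data jdoe sits three hops below cn=everyone, so a search capped at two levels returns everything except that one group; raising the cap to three (or flattening the hierarchy) closes the gap. Running hierarchy_depth over every user gives the largest value you need to configure for a site.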

[SSSD-users] Re: recreate machine keytab file

2018-07-09 Thread Sumit Bose
On Mon, Jul 09, 2018 at 02:20:31PM +, Ondrej Valousek wrote: > Thanks, > "net ads keytab create" does work, but it populates my keytab with all > accounts (user and computer) that can be found in AD - i.e. pretty dangerous. > I would like to add a parameter to it to only fill it with entries

[SSSD-users] Re: recreate machine keytab file

2018-07-09 Thread John Hodrien
On Mon, 9 Jul 2018, Ondrej Valousek wrote: Thanks, "net ads keytab create" does work, but it populates my keytab with all accounts (user and computer) that can be found in AD - i.e. pretty dangerous. I would like to add a parameter to it to only fill it with entries relevant for my computer -

[SSSD-users] Re: recreate machine keytab file

2018-07-09 Thread Ondrej Valousek
Thanks, "net ads keytab create" does work, but it populates my keytab with all accounts (user and computer) that can be found in AD - i.e. pretty dangerous. I would like to add it some parameter to only will with entries relevant for my computer - i.e. something like: Net ads keytab create

[SSSD-users] Re: recreate machine keytab file

2018-07-09 Thread Sumit Bose
On Mon, Jul 09, 2018 at 12:19:09PM +, Ondrej Valousek wrote: > Hi List, > > Is there any way we can recreate the system keytab file of a machine joined > to AD if the file has been broken/deleted? > I want to avoid doing the join again as this would probably delete the existing > account (with

[SSSD-users] recreate machine keytab file

2018-07-09 Thread Ondrej Valousek
Hi List, Is there any way we can recreate the system keytab file of a machine joined to AD if the file has been broken/deleted? I want to avoid doing the join again as this would probably delete the existing account (with all attributes we have set). Thanks, Ondrej - The information

[SSSD-users] Re: one user can't be looked up

2018-07-09 Thread Jakub Hrozek
On Fri, Jul 06, 2018 at 09:02:25AM -0700, Peter Moody wrote: > On Tue, Jul 3, 2018 at 11:45 PM Sumit Bose wrote: > > > > On Thu, Jun 28, 2018 at 07:46:29PM -0700, Peter Moody wrote: > > > are there any logs I can provide to help anyone figure out why this is > > > happening? I've (re-)confirmed

[SSSD-users] Re: sssd id getent and secondary groups in active directory

2018-07-09 Thread Jakub Hrozek
On Fri, Jul 06, 2018 at 01:41:38PM +, Ratliff, John wrote: > > > On Fri, 2018-07-06 at 10:55 +0200, Sumit Bose wrote: > > On Thu, Jul 05, 2018 at 08:09:55PM +, Ratliff, John wrote: > > > > > > > (Thu Jul 5 16:04:42 2018) [sssd[be[ads.iu.edu]]] [sdap_print_server] > > (0x2000):