[SSSD-users] Re: login attributes not being updated

2018-08-06 Thread Galen Johnson
e.g. ssh public key which would bypass AD DCs during authentication completely? > On 3 Aug 2018, at 17:15, Galen Johnson wrote: > > Hey, > > I'm wondering if SSSD might not be updating some of the logon attributes in > AD. We recently were directed to use updated DCs and

[SSSD-users] login attributes not being updated

2018-08-03 Thread Galen Johnson
Hey, I'm wondering if SSSD might not be updating some of the logon attributes in AD. We recently were directed to use updated DCs and some attributes no longer seem to be getting updated; for example, logonCount and lastLogon. In some cases, the attribute is non-existent. I'm leaning toward

[SSSD-users] Re: Recommended ldb version

2018-05-17 Thread Galen Johnson
Just to circle back to this. He is seeing the same versions. I expect this is something to take up with the Gentoo maintainers...or see if there is a different overlay that is more current. On Wed, May 16, 2018 at 11:08 AM Galen Johnson wrote: > Unfortunately, that's not how t

[SSSD-users] Re: Recommended ldb version

2018-05-16 Thread Galen Johnson
: > I use Gentoo and there I have a choice, up to 1.3.3. I want to use > whatever everyone else uses to avoid problems. > 1.2.2 should be fine then from what you just told me. > What about 1.3.x ? Latest samba uses this so soon I guess we have to pull > it in. > > Jocke

[SSSD-users] Re: Recommended ldb version

2018-05-16 Thread Galen Johnson
The version may depend on your OS. For example, on RHEL/CentOS 7.5, it has 1.2.2. Is there any reason to believe that the version of ldb on your system is incompatible with your version of sssd? =G= On Wed, May 16, 2018 at 8:36 AM Joakim Tjernlund < joakim.tjernl...@infinera.com> wrote: > Whic

[SSSD-users] Re: SSSD and Firewalls

2018-03-14 Thread Galen Johnson
You can always sniff the network between the client and servers to see which ports traffic is going over. Wireshark can do this or your firewall admin may be able to grab a trace. It's ugly, but it will tell you every port used (even ephemeral ones). =G= On Wed, Mar 14, 2018 at 4:34 PM, Roger M

[SSSD-users] Re: [Freeipa-users] Re: Re: Re: Auto create NFS home folders on IPA Server.

2018-03-04 Thread Galen Johnson
It should be noted that I'm not using FreeIPA. This _might_ work since it's working when you try it from the commandline: account required pam_exec.so /sbin/mkhomedir_helper $PAM_USER Of course, that's essentially what the pam_mkhomedir module is doing... Is there any chance SELinux is getting

[SSSD-users] Re: [Freeipa-users] Re: Auto create NFS home folders on IPA Server.

2018-03-04 Thread Galen Johnson
This is most likely due to the nfs mount having 'root_squash' set which prevents remote servers' root from writing as root (typically nobody or nfsnobody). If you are confident that the servers are secure, you could mount the NFS share with 'no_root_squash'. It has some security concerns but

[SSSD-users] Re: Stupid question

2017-12-05 Thread Galen Johnson
exec. :facepalm: =G= From: Lukas Slebodnik Sent: Tuesday, December 5, 2017 10:46 AM To: End-user discussions about the System Security Services Daemon Subject: [SSSD-users] Re: Stupid question EXTERNAL On (05/12/17 15:36), Galen Johnson wrote: >He

[SSSD-users] Stupid question

2017-12-05 Thread Galen Johnson
Hey, I must be doing something stupid but how can I view the schema for the domain cache? A few weeks ago, Sumit helped me update the schemas to add a missing index and fix a case sensitivity issue for the mail attribute: dn: @INDEXLIST changetype: modify add: @IDXATTR @IDXATTR: ghost dn:

[SSSD-users] Re: case sensitive email

2017-11-16 Thread Galen Johnson
To: End-user discussions about the System Security Services Daemon Subject: [SSSD-users] Re: case sensitive email EXTERNAL On (14/11/17 08:34), Sumit Bose wrote: >On Fri, Nov 10, 2017 at 02:53:55PM +0000, Galen Johnson wrote: >> Hey, >> >> >> We've recently not

[SSSD-users] Re: case sensitive email

2017-11-14 Thread Galen Johnson
Thanks. I've sent them to you directly. =G= From: Sumit Bose Sent: Tuesday, November 14, 2017 2:34 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: case sensitive email EXTERNAL On Fri, Nov 10, 2017 at 02:53:55PM +0000, Galen Jo

[SSSD-users] Re: case sensitive email

2017-11-13 Thread Galen Johnson
It's possible that whatever is causing this is in the nss module since it appears that the lowercase address is found where mixed case is not. Previous comment pertained to domain logs. Just browsed the nss log. Still stymied... =G= From: Galen Johnson

[SSSD-users] Re: case sensitive email

2017-11-13 Thread Galen Johnson
Up to that point the logs are essentially identical. I'm stymied. =G= ____ From: Galen Johnson Sent: Monday, November 13, 2017 6:52 PM To: End-user discussions about the System Security Services Daemon Subject: Re: case sensitive email I've done a bit m

[SSSD-users] Re: case sensitive email

2017-11-13 Thread Galen Johnson
he ldap search...however, if I remove the krb properties from sssd.conf, then email doesn't work at all. This used to work. The only thing that has changed that I am aware of is the version of SSSD on the system. =G= ________ From: Galen Johnson Sent: Friday,

[SSSD-users] Re: SSSD and SUDO not working

2017-11-10 Thread Galen Johnson
IN.COM]]] > [be_pam_handler_callback] (0x0400): SELinux provider doesn't exist, not > sending the request to it. > (Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMAIN.COM]]] > [be_pam_handler_callback] (0x0100): Sending result [0][MYDOMAIN.COM] > (Fri Nov 10 17:01:22 2017) [sssd[be[MYDOMA

[SSSD-users] case sensitive email

2017-11-10 Thread Galen Johnson
Hey, We've recently noticed that users logging in using emails are having issues when they use camel case but it works fine when all lower case. We haven't changed the configs so case_sensitive = preserving has not changed. Could the behavior have changed with a recent update? We are

[SSSD-users] Re: SSSD and SUDO not working

2017-11-10 Thread Galen Johnson
dmail > --with-rundir=/var/run/sudo --mandir=/usr/share/man > --libexecdir=/usr/lib/sudo --with-sssd > --with-sssd-lib=/usr/lib/x86_64-linux-gnu > --with-selinux --with-linux-audit > > > Is it ok? > > What can I check now? > > > > > > > > > >

[SSSD-users] Re: SSSD and SUDO not working

2017-11-10 Thread Galen Johnson
Try 'sudo sudo --version'. I got the same output as you until I ran sudo --version with root privs. =G= On Fri, Nov 10, 2017 at 3:45 AM, Andrea Passuello < andrea.passue...@widegroup.eu> wrote: > Thanks for the answers. > > # dpkg -l | grep sudo > ii libsss-sudo > 1.13.4-1ubuntu1.8

[SSSD-users] Re: sssd email login performance

2017-10-05 Thread Galen Johnson
: sssd email login performance EXTERNAL On Tue, Oct 03, 2017 at 01:35:29PM +, Galen Johnson wrote: > Thanks, Sumit. > > In the interim, is there a way to override the lookup behavior to force sssd > to assume email address over domain (this is a single domain environment)? I

[SSSD-users] Re: sssd email login performance

2017-10-04 Thread Galen Johnson
ber 4, 2017 9:30 AM To: End-user discussions about the System Security Services Daemon Subject: [SSSD-users] Re: sssd email login performance EXTERNAL On (04/10/17 13:23), Galen Johnson wrote: >We have millions of entries in the OU and our clients don't see all the >entries since we d

[SSSD-users] Re: sssd email login performance

2017-10-04 Thread Galen Johnson
il login performance EXTERNAL On (04/10/17 12:46), Galen Johnson wrote: >It's possible as we've had that happen in the past (and complained loudly to >the team that keeps doing it). Is there any way to read those files to see >which users/groups are contained in them so we ca

[SSSD-users] Re: sssd email login performance

2017-10-04 Thread Galen Johnson
d email login performance EXTERNAL On (04/10/17 12:18), Galen Johnson wrote: >Thanks, again, Sumit. We recently switched to using tmpfs for the caching >database (per >https://jhrozek.wordpress.com/2015/08/19/performance-tuning-sssd-for-large-ipa-ad-trust-deployments/) > but I don&

[SSSD-users] Re: sssd email login performance

2017-10-04 Thread Galen Johnson
her cached data)? thanks =G= From: Sumit Bose Sent: Wednesday, October 4, 2017 5:58 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: sssd email login performance EXTERNAL On Tue, Oct 03, 2017 at 01:35:29PM +, Galen Johnson wrote: > Tha

[SSSD-users] Re: sssd email login performance

2017-10-03 Thread Galen Johnson
, October 3, 2017 5:18 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: sssd email login performance EXTERNAL On Mon, Oct 02, 2017 at 06:21:05PM +, Galen Johnson wrote: > Did this make it to the list? I really wish I could see my own posts. >

[SSSD-users] Re: list archives?

2017-10-02 Thread Galen Johnson
I found them on the "HyperKitty" site... thanks On Mon, Oct 2, 2017 at 5:52 PM, Galen Johnson wrote: > Hey, > > Where are the list archives? I went to lists.fedorahosted.org but I > ended up on 2 different sites that wanted me to sign-up/login and neither >

[SSSD-users] list archives?

2017-10-02 Thread Galen Johnson
Hey, Where are the list archives? I went to lists.fedorahosted.org but I ended up on 2 different sites that wanted me to sign-up/login and neither worked. thanks =G= ___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send

[SSSD-users] Re: sssd email login performance

2017-10-02 Thread Galen Johnson
Did this make it to the list? I really wish I could see my own posts. =G= From: Galen Johnson Sent: Thursday, September 28, 2017 3:28 PM To: End-user discussions about the System Security Services Daemon Subject: Fw: sssd email login performance Adding the

[SSSD-users] Fw: sssd email login performance

2017-09-28 Thread Galen Johnson
Adding the list since Sumit appears to be busy. The info is anonymized so it should be ok. Hopefully, the gz file makes it through. =G= From: Galen Johnson Sent: Thursday, September 21, 2017 5:36 PM To: Sumit Bose Cc: Philip Holman Subject: sssd email login

[SSSD-users] SSSD + database

2017-09-22 Thread Galen Johnson
Hey, Pretty sure the answer is no but there are some packages that allow you to set up your systems to use a database as the provider for nss and pam (libnss_mysql, libpam_mysql)...does sssd support this configuration? thx =G=

[SSSD-users] Re: sssd email login performance

2017-09-15 Thread Galen Johnson
sssd. =G= From: Sumit Bose Sent: Friday, September 15, 2017 4:14 PM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: sssd email login performance EXTERNAL On Fri, Sep 15, 2017 at 06:00:55PM +0000, Galen Johnson wrote: > Bump. I can&#

[SSSD-users] Re: sssd email login performance

2017-09-15 Thread Galen Johnson
Bump. I can't tell if this made it to the list since I don't see my own postings... =G= ____ From: Galen Johnson Sent: Wednesday, September 13, 2017 9:12 AM To: sssd-users@lists.fedorahosted.org Subject: sssd email login performance Hey, We'

[SSSD-users] Re: Fwd: Re: Fwd: Re: Re: SSSD vs AD / SASL postfix cyrus

2017-09-13 Thread Galen Johnson
I would suggest asking on the postfix list. They are pretty responsive. However, you don't need to set up a link, you can just include another pam file in the existing pam file...the smtp pam file likely already has this. Of course, I may be misunderstanding your question. =G= ___

[SSSD-users] sssd email login performance

2017-09-13 Thread Galen Johnson
Hey, We're looking into why our servers are suddenly less performant with authentications than they used to be. We have SSSD set up to allow users to login with their email address. However, the email addresses are from various domains. It appears that sssd still attempts to break apart the

[SSSD-users] Re: millisecond time stamps

2017-09-08 Thread Galen Johnson
yes, please go ahead and file the ticket, just please note this is not a totally trivial request. > On 6 Sep 2017, at 15:55, Galen Johnson wrote: > > Thanks. I figured it out right after I sent the email (isn't that usually > the case? :-/) > > As for the transaction i

[SSSD-users] Re: millisecond time stamps

2017-09-06 Thread Galen Johnson
track request nesting. But yes, please go ahead and file the ticket, just please note this is not a totally trivial request. > On 6 Sep 2017, at 15:55, Galen Johnson wrote: > > Thanks. I figured it out right after I sent the email (isn't that usually > the case? :-/) > &g

[SSSD-users] Re: millisecond time stamps

2017-09-06 Thread Galen Johnson
Sent: Wednesday, September 6, 2017 10:10 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: millisecond time stamps EXTERNAL On 09/06/2017 03:55 PM, Galen Johnson wrote: > Thanks. I figured it out right after I sent the email (isn't that usually > the case? :-/) &

[SSSD-users] Re: millisecond time stamps

2017-09-06 Thread Galen Johnson
Sent: Wednesday, September 6, 2017 9:50 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: millisecond time stamps EXTERNAL On 09/06/2017 03:35 PM, Galen Johnson wrote: > I'm not seeing a change in my logs...I added the following to the [sssd] > section > > debug_microse

[SSSD-users] Re: millisecond time stamps

2017-09-06 Thread Galen Johnson
ystem? =G= ____ From: Galen Johnson Sent: Wednesday, September 6, 2017 9:27 AM To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] Re: millisecond time stamps wow...no wonder I missed it...I was looking for milli :-).

[SSSD-users] Re: millisecond time stamps

2017-09-06 Thread Galen Johnson
EXTERNAL On (05/09/17 20:47), Galen Johnson wrote: >Hello, > >Is it possible to get sssd to log millisecond timestamps? It only logs to the >second and that makes it difficult to correlate the flow through various logs >while tracking a (potential) performance issue. > Su

[SSSD-users] millisecond time stamps

2017-09-05 Thread Galen Johnson
Hello, Is it possible to get sssd to log millisecond timestamps? It only logs to the second and that makes it difficult to correlate the flow through various logs while tracking a (potential) performance issue. thanks =G=

[SSSD-users] Re: session setup failed: NT_STATUS_NO_LOGON_SERVERS

2017-04-26 Thread Galen Johnson
I was going to point you to the troubleshooting doc at fedorahosted.org/sssd/wiki/Troubleshooting but since that site points you to pagure.io and the links on pagure.io point you back there, I'm not sure where to look for that any longer. There are a few other sites if you look for "sssd troub

[SSSD-users] Re: case sensitivity

2017-04-25 Thread Galen Johnson
AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: case sensitivity On Mon, Apr 24, 2017 at 07:18:17PM +0000, Galen Johnson wrote: > Hey, > > > I have a question about email logins and case sensitivity. If you configure > sssd to allow logins by email, can you

[SSSD-users] Re: case sensitivity

2017-04-25 Thread Galen Johnson
thanks...I'll give that a shot... =G= From: Jakub Hrozek Sent: Tuesday, April 25, 2017 2:30 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: case sensitivity On Mon, Apr 24, 2017 at 07:18:17PM +0000, Galen Johnson wrote: > Hey,

[SSSD-users] case sensitivity

2017-04-24 Thread Galen Johnson
Hey, I have a question about email logins and case sensitivity. If you configure sssd to allow logins by email, can you set it up to be case insensitive yet still require normal account logins to be case sensitive? We want to allow users to authenticate with their email address or their acco

[SSSD-users] Re: sssd error message help

2017-01-27 Thread Galen Johnson
ssage help On Fri, Jan 27, 2017 at 02:20:39PM +0000, Galen Johnson wrote: > I am indeed using id_provider=ldap. Thanks for the info. Reading through > the linked issues, there appears to be no way to "turn them off" currently. > Is that true or will we need to wait for an up

[SSSD-users] Re: sssd error message help

2017-01-27 Thread Galen Johnson
thanks =G= From: Jakub Hrozek Sent: Friday, January 27, 2017 4:30 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: sssd error message help On Thu, Jan 26, 2017 at 09:32:04PM +0000, Galen Johnson wrote: > Hey, > > > I'm getting this message pre

[SSSD-users] sssd error message help

2017-01-26 Thread Galen Johnson
Hey, I'm getting this message pretty often... (Thu Jan 26 21:23:03 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data Provider returned an error [org.freedesktop.sssd.Error.DataProvider.NotSupported] I get it in pam and nss services...could someone suggest which log level I should ena

[SSSD-users] Re: email logins

2017-01-18 Thread Galen Johnson
ork everyone has done to get here. My life got immensely less complicated with sssd (over LDAP+Kerberos+Samba). =G= From: Sumit Bose Sent: Wednesday, January 18, 2017 5:10 AM To: sssd-users@lists.fedorahosted.org Subject: [SSSD-users] Re: email logins On T

[SSSD-users] Re: email logins

2017-01-17 Thread Galen Johnson
was ported to the 1.14.0 release that went out with 7.3. =G= ____ From: Galen Johnson Sent: Tuesday, January 17, 2017 5:06 PM To: sssd-users@lists.fedorahosted.org Subject: email logins Hello, Many moons ago, I had asked about the ability to allow users to log in w

[SSSD-users] email logins

2017-01-17 Thread Galen Johnson
Hello, Many moons ago, I had asked about the ability to allow users to log in with email addresses. It seems my wish was granted with a recent upgrade of sssd (when we updated to RHEL/Cent 7.3?). I don't wish to look a gift horse in the mouth but it is causing some weirdness with some of our

[SSSD-users] Re: All numeric User ID in the Kerberos Provider

2017-01-12 Thread Galen Johnson
I would strongly discourage the use of all numeric usernames. They will only cause you grief in the long term especially when uids and user names overlap. For example, to expand on Sumit's comment, # id 12345 # getent passwd 12345 Is this the user 12345 or the uid 12345? I would encourage yo

Re: [SSSD-users] SSH - sssd: PAM: do_pam_account pam_acct_mgmt = 6 (Permission denied)

2015-04-29 Thread Galen Johnson
I want to be sure I understand this as well... So, when you have ldap_group_search_base defined, using simple will look for any group name that is defined where the groupname would be (essentially) cn=groupname within the entire ldap_group_search_base definition? For example, if you had the fol