[SSSD-users] Re: Multiple GPOs and order processing issue

2018-06-21 Thread Max DiOrio
a > group of linux machines and used security filtering, it messed up other > policies applying. I can't remember the specifics now though. > > Todd > > -Original Message- > From: Max DiOrio > Sent: Thursday, June 21, 2018 9:29 AM > To: End-user discussions

[SSSD-users] Re: Multiple GPOs and order processing issue

2018-06-21 Thread Max DiOrio
om the GPO from above level and then add a user to the list, > but if the "Deny log on locally" > does not change in the new GPO then you do not need to copy it from the above > GPO). So the GPOs are "sort of" > cumulative. > > But I agree that copying the whole G

[SSSD-users] Re: Multiple GPOs and order processing issue

2018-06-20 Thread Max DiOrio
a single group policy per server, which seems awful. > On May 29, 2018, at 12:18 PM, Max DiOrio wrote: > > Attached are the logs. It seems that even after removing the GPO’s, it is > still being blocked from logging in. > > From secure. > > May 29 12:17:24 la-1potp

[SSSD-users] Re: Multiple GPOs and order processing issue

2018-05-29 Thread Max DiOrio
ns: > - if you remove the single computer policy, does the "generic" policy > apply as expected to the affected computer in question? > > Michal > > On 05/25/2018 08:58 PM, Max DiOrio wrote: >> Hi! >> So it seems that I’m having an issue with GPO processin

[SSSD-users] Multiple GPOs and order processing issue

2018-05-25 Thread Max DiOrio
Hi! So it seems that I’m having an issue with GPO processing. I have an OU (Servers/Infrastructure) that contains a few servers. In this OU, I have a few GPO’s applied. One is “generic” that should be applied to every server in this OU - which allows Remote Interactive Login and Logon Locally

[SSSD-users] Re: status of sssd bug 1432982

2018-05-18 Thread Max DiOrio
If you read the entire bug report, the issue was incorrect security settings on the user account, not being able to read the right info from AD. This wasn’t a bug in SSSD. Maybe you’re not seeing the same symptoms? > On May 18, 2018, at 11:19 AM, Spike White wrote:

[SSSD-users] Re: Strangeness with groups returned using id user

2018-05-04 Thread Max DiOrio
oved > from the 1.15 to 1.16 COPR repos and haven't had a problem for a while. > > https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-15/ > https://copr.fedorainfracloud.org/coprs/g/sssd/sssd-1-16/ > > Cheers > L. > > > > > >> On 05/04/2018 09:12 AM, Max DiOrio wro

[SSSD-users] Re: Strangeness with groups returned using id user

2018-05-04 Thread Max DiOrio
Any thoughts? This issue seems to be rippling through all our AD Domain Joined servers. The group randomly goes missing and nobody can log into the server. After some time, it eventually starts working again. > On Apr 24, 2018, at 9:08 AM, Max DiOrio <mdio...@gmail.com> wrote:

[SSSD-users] Re: Missing keytab == no login ?

2018-04-24 Thread Max DiOrio
again. Is there some other cache that needs to be cleared that doesn’t get populated often? > On Apr 24, 2018, at 9:35 AM, Max DiOrio <mdio...@gmail.com> wrote: > > I did upgrade to 1.16.0 on one server, restarted the service, invalidated the > sssd cache (sss_cache

[SSSD-users] Re: Missing keytab == no login ?

2018-04-24 Thread Max DiOrio
I did upgrade to 1.16.0 on one server, restarted the service, invalidated the sssd cache (sss_cache -E) and did an 'id username | grep tech' and the group is still missing altogether. I thought it might be a token size issue, but it shouldn’t be, unless sssd doesn’t come close to handling the

[SSSD-users] Re: Strangeness with groups returned using id user

2018-04-24 Thread Max DiOrio
We’re running SSSD 1.15.2 > On Apr 23, 2018, at 6:29 PM, Lachlan Musicman <data...@gmail.com> wrote: > > On 24 April 2018 at 03:01, Max DiOrio <mdio...@gmail.com> wrote: > So we are having issues with a couple servers where users

[SSSD-users] Re: Strangeness with groups returned using id user

2018-04-23 Thread Max DiOrio
. And nothing I do necessarily fixes it per se. On Mon, Apr 23, 2018, 6:29 PM Lachlan Musicman <data...@gmail.com> wrote: > On 24 April 2018 at 03:01, Max DiOrio <mdio...@gmail.com> wrote: > >> So we are having issues with a couple servers where users suddenly won't >

[SSSD-users] Strangeness with groups returned using id user

2018-04-23 Thread Max DiOrio
So we are having issues with a couple servers where users suddenly won't be able to log in. All our auth is done through AD and not a thing has changed. On a working server, I can do 'id username' and get back the proper list of groups the user is a member of. On the non-working server, 'id

[SSSD-users] Re: AD sudo rules have no values for attributes?

2018-04-05 Thread Max DiOrio
> On Apr 5, 2018, at 3:22 PM, Jakub Hrozek <jhro...@redhat.com> wrote: > > > >> On 5 Apr 2018, at 19:56, Max DiOrio <mdio...@gmail.com> wrote: >> >> I’m guessing someone was thinking that the group lookup was case sensitive >> and entered it

[SSSD-users] Re: AD sudo rules have no values for attributes?

2018-04-05 Thread Max DiOrio
I fixed it. Here’s more from the sssd_domain log. A single line revealed the issue. When storing the DevTest rule it said a value is provided more than once. When I looked at the entry in AD, the attribute sudoUser had the same group entered twice. Once as %GS-Technology, once as

[SSSD-users] AD sudo rules have no values for attributes?

2018-04-05 Thread Max DiOrio
I've got a few dozen servers using SSSD to authenticate and retrieve SUDO rules stored in AD and GPO. Everything works perfectly except for a new RHEL 6.8 server I brought up. sssd version 1.13.3 on both the working 6.8 and non-working 6.8 server. I literally copied the nsswitch, sssd.conf and

[SSSD-users] Re: SSSD strangeness

2018-03-19 Thread Max DiOrio
Regarding your group issue, do you or have you had trusted domains and the mystery group is from another domain? Long shot, but we had the same error when it was trying to resolve the foreign group memberships. On Wed, Mar 14, 2018, 11:19 AM wrote: > Hi All > > We've got

[SSSD-users] Re: nsupdate

2018-03-13 Thread Max DiOrio
Is your dns server set to secure updates only? On Tue, Mar 13, 2018, 5:40 AM Roger Martensson wrote: > After some serious digging I caved in and upgraded dnsutils on my Ubuntu. > Seems that the future Ubuntu 18.04 has a non-working install of nsupdate. > When

[SSSD-users] Re: autofs in a AD-forest

2018-03-02 Thread Max DiOrio
Is there a doc out there for setting up autofs and ad? Our devs would appreciate this, but they want to automount a CIFS volume. On Fri, Mar 2, 2018, 10:01 AM Roger Martensson wrote: > Thanks for your answer. Then it was as i expected. > > Will use the workaround to

[SSSD-users] Re: Passwordless SUDO commands in AD

2017-12-19 Thread Max DiOrio
We're using 1.15.2 of sssd. Thanks! Max On Tue, Dec 19, 2017 at 5:16 AM, Jakub Hrozek <jhro...@redhat.com> wrote: > On Mon, Dec 18, 2017 at 11:11:25PM +0000, Max DiOrio wrote: > > Hey guys? Any thoughts on this? It's impacting our production > environment. > > >

[SSSD-users] Re: Passwordless SUDO commands in AD

2017-12-18 Thread Max DiOrio
Hey guys? Any thoughts on this? It's impacting our production environment. Thanks! On Mon, Dec 11, 2017, 11:11 AM Max DiOrio <mdio...@gmail.com> wrote: > Hi Pavel, > > We're using 1.15.2 of sssd. Attached are the debug logs. > > Hopefully they show something useful. >

[SSSD-users] Passwordless SUDO commands in AD

2017-12-04 Thread Max DiOrio
Hi, We use Active Directory to manage our Linux access including SUDO permissions. We need to have a particular account run a passwordless command. I created a new sudoRule in AD, added the following: sudoCommand /bin/systemctl restart wildfly.service sudoHost +DevTestLinuxServer

[SSSD-users] Re: GPO Access Control Failing

2017-02-24 Thread Max DiOrio
after I joined to the domain and the gpo_cache was empty until this morning. On Fri, Feb 24, 2017 at 6:49 AM, Michal Židek <mzi...@redhat.com> wrote: > > > On 02/24/2017 12:44 PM, Lukas Slebodnik wrote: > >> On (23/02/17 14:23), Max DiOrio wrote: >> >>> S