You have to join AD in order to perform authorization tasks, because otherwise sssd
has no way to communicate with AD.
If you only want to use AD to authenticate local users, then no join is indeed
necessary, but then there is no need for sssd, just need to configure Kerberos.
-Original Mess
Hmm,
The solution with ldap_uri=ldaps:// is a bit ugly and personally I wonder
that it works (unless you used public CA to sign AD connections which is, I'd
say, quite rare to see) because normally to do that you need to import AD certs.
I guess sssd developers could shed some light into it as
did you try refreshing the machine password in AD? Looks like it's too old.
O.
From: David David
Sent: Thursday, February 6, 2020 12:09 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] sssd 1.16.4. ADV190023.
Hello,
i guess that you probably heard ab
what about 'getent -s sss passwd '?
From: Eugene Vilensky
Sent: Wednesday, October 23, 2019 4:29 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] sssctl in RHEL6?
Greetings,
Will sssctl ever be packaged for RHEL6?
Or alternatively, what might be t
Hi List,
I just noticed that sssd is unable to detect any groups user belongs to after I
set
Subdomains_provider = none
In my sssd.conf
Using AD provider, using token groups, not using fully qualified names.
Is this an expected behavior?
Note I switched subdomain_provider off as otherwise sssd ke
Hi List,
I have noticed that in my case both
getent passwd @ and getent passwd
works, but
getent group @
does not, only:
getent group
works.
Is that expected behavior?
Thanks,
Ondrej
___
sssd-users mailing list -- sssd-users@lists.fedorahost
Hi list.
When I run
# sssctl user-checks
The command will, under the "SSSD InfoPipe user lookup result" section:
- Print some information no matter if I enable InfoPipe in the
configuration or not
- When I enable [ifp] and add an extra attributes, such as
"user_attributes =
a bit polishing...
Ondrej
-Original Message-
From: Ondrej Valousek [mailto:ondrej.valou...@s3group.com]
Sent: Tuesday, October 09, 2018 10:56 AM
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: sssd fails to start when I enable [ifp]
The
, October 09, 2018 10:29 AM
To: End-user discussions about the System Security Services Daemon
Cc: Pavel Březina
Subject: [SSSD-users] Re: sssd fails to start when I enable [ifp]
Interesting..Pavel, do you have some idea?
> On 9 Oct 2018, at 10:27, Ondrej Valousek wrote:
>
> Ok, obviou
Ok, obviously this error message does not appear when using SystemD, therefore
I try to start it as root interactively, i.e.
# /usr/sbin/sssd -i
-Original Message-
From: Ondrej Valousek [mailto:ondrej.valou...@s3group.com]
Sent: Tuesday, October 09, 2018 10:25 AM
To: End-user
nable [ifp]
Do you run sssd as root or the unprivileged sssd user?
> On 8 Oct 2018, at 15:29, Ondrej Valousek wrote:
>
> Hi List,
> Seems like sssd fails to start when I enable infopipe (i.e. add “ifp” to the
> services list).
> Log says:
> (Mon Oct 8 14:18:08 2018) [s
Hi List,
Seems like sssd fails to start when I enable infopipe (i.e. add "ifp" to the
services list).
Log says:
(Mon Oct 8 14:18:08 2018) [sssd[ifp]] [sysbus_init] (0x0020): Unable to
request name on the system bus: [Connection ":1.33273" is not allowed to own
the service "org.freedesktop.sssd.
The server my Apache is running on is joined to domain and running sssd.
The point is, that I need to authorize users based on a groups they are member
of.
I do not think mod_authz_pam is capable of doing that.
Mod_authz_unixgroup is doing what I need, but that's not in RH repo.
That's why I th
Hi list,
I would like to use something like mod_authz_unixgroups or mod_lookup_identity
to allow users to browse certain location based on their group membership.
I know that mod_authz_unixgroup would do exactly what I need via the "require
unix-group" parameter, but unfortunately that module do
Hi list,
I have noticed that there is a slight difference in host principals when
joining to AD using "net" command or via "adcli/realm".
All commands generates the short version (i.e. as per "hostname -s") in capital
letters in AD, but in local kerberos keytab, the "net" command generates all
I would recommend your security department to instead of focusing on Linux/SSSD
to take a look at Windows/lsass - Windows is caching user credentials as well
and it's not a problem for them?
O.
-Original Message-
From: q8ztv...@posteo.de [mailto:q8ztv...@posteo.de]
Sent: Thursday, Augus
t 07, 2018 1:13 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: sssd connecting to two AD domains
On Mon, Aug 06, 2018 at 08:34:04AM +0000, Ondrej Valousek wrote:
> Also, yes, setting ldap_sasl_authid does help, but it's bit awkward as right
> now I am using gene
Also, yes, setting ldap_sasl_authid does help, but it's bit awkward as right
now I am using general sssd.conf for all machines.
Having to include ldap_sasl_authid parameter means the configuration file is
different for every machine :-(
Ondrej
-Original Message-
From: Ondrej Val
must be a bug in the principal selection logic.
> On 30 Jul 2018, at 11:25, Ondrej Valousek wrote:
>
> Ok, I see that it’s probably not supported:
> https://pagure.io/SSSD/sssd/issue/2078
> right?
> Ondrej
>
> From: Ondrej Valousek [mailto:ondrej.valou...@s3group.com]
Ok, I see that it’s probably not supported:
https://pagure.io/SSSD/sssd/issue/2078
right?
Ondrej
From: Ondrej Valousek [mailto:ondrej.valou...@s3group.com]
Sent: Monday, July 30, 2018 10:45 AM
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] sssd
Hi all,
I have a machine joined to AD domain "mydomain.com" and there is also domain
"mydomain2.com". The two are connected with full two way trust.
SSSD can happily recognize users from "mydomain.com", but fails with users from
"mydomain2.com" - sssd complains that:
(Mon Jul 30 08:26:38 2018)
; - not even need to have the 'netbios name' defined.
Many thanks to Sumit for the help provided!
Ondrej
-Original Message-
From: Ondrej Valousek [mailto:ondrej.valou...@s3group.com]
Sent: Tuesday, July 10, 2018 9:40 AM
To: End-user discussions about the System Security Service
riginal Message-
From: James Ralston [mailto:rals...@pobox.com]
Sent: Monday, July 09, 2018 5:34 PM
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: recreate machine keytab file
On Mon, Jul 9, 2018 at 8:19 AM Ondrej Valousek
wrote:
> Is there
on, Jul 09, 2018 at 02:20:31PM +0000, Ondrej Valousek wrote:
> Thanks,
> "net ads keytab create" does work, but it populates my keytab with all
> accounts (user and computer) that can be found in AD - i.e. pretty dangerous.
> I would like to add it some parameter to only will
te machine keytab file
On Mon, Jul 09, 2018 at 12:19:09PM +0000, Ondrej Valousek wrote:
> Hi List,
>
> Is there any way how can we recreate system keytab file of a machine joined
> to AD if the file has been broken/deleted?
> I want to avoid doing join again as this would probably delet
Hi List,
Is there any way how can we recreate system keytab file of a machine joined to
AD if the file has been broken/deleted?
I want to avoid doing join again as this would probably delete the existing
account (with all attributes we have set).
Thanks,
Ondrej
-
The information contained
Yes, those people were right. You need either winbind or sssd as both do
essentially the same thing.
But if I were you, I would rip out winbind and replace it by sssd.
Ondrej
From: Edouard Guigné [egui...@pasteur-cayenne.fr]
Sent: Friday, May 04, 2018 6:07
at 02:43:11PM +0000, Ondrej Valousek wrote:
> Hi all,
>
> I see there is a new client API available for sssd 1.16. Is it possible to
> integrate it somehow with Apache/php?
> I.e. example: I authenticate user via mod_auth_gssapi obtaining username (and
> possibly TGT) so I need
Hi all,
I see there is a new client API available for sssd 1.16. Is it possible to
integrate it somehow with Apache/php?
I.e. example: I authenticate user via mod_auth_gssapi obtaining username (and
possibly TGT) so I need to lookup user's email address, say
Ondrej
in the same
auto.home-hierachy in the domain the client is joined to.
2018-03-02 14:54 GMT+01:00 Ondrej Valousek
mailto:ondrej.valou...@s3group.com>>:
Hi.
What you are asking for can’t work as automounter:
1. Has no idea from which domain the mount request coming from (it only
Hi.
What you are asking for can’t work as automounter:
1. Has no idea from which domain the mount request coming from (it only
sees – hey, mount /a/b for me)
2. Can be used for other mounts, not just user home areas so it does not
make much sense here either
Ondrej
From: Roger Mar
Hi List,
Question, we have joined machine into AD domain B. This domain has one way
trust to domain A. No direct connection from domain B network to DCs in domain
A is possible.
Can we use SSSD to authenticate members in domain A.
In windows, this works - but can't get it working in Linux via SS
Out of interest:
What is the difference between KCM and the gssproxy service?
Thanks,
Ondrej
>-Original Message-
>From: Jakub Hrozek [mailto:jhro...@redhat.com]
>Sent: Tuesday, July 25, 2017 1:11 PM
>To: sssd-de...@lists.fedorahosted.org; sssd-users@lists.fedorahosted.org;
>freeipa-us...@
I think autofs reads all maps upon a start and then, based on the timeout
variable, updates entries in the indirect maps.
Master map is read only once, upon autofs start - so I guess you might be in
trouble if you are only using direct maps.
Ondrej
>-Original Message-
>From: Jakub Hrozek
at 23:23, Ondrej Valousek
mailto:ondrej.valou...@s3group.com>> wrote:
Thanks,
We talk about a single nesting level so it is likely a bug.
The truth is that 'id -a' always shows correct information so this is more
like a nuisance rather than a bug affecting production.
Also sss
n, Jun 12, 2017 at 12:20:24PM +, Ondrej Valousek wrote:
>> Hi,
>>
>> For some users I experience inconsistent group membership, i.e. "getent
>group G" does not list user U as a member, but "id -a U" command shows the
>group G.
>> Is that normal o
Hi,
For some users I experience inconsistent group membership, i.e. "getent group
G" does not list user U as a member, but "id -a U" command shows the group G.
Is that normal or a known issue?
Thanks,
Ondrej
t: Friday, May 05, 2017 2:15 PM
>To: sssd-users@lists.fedorahosted.org
>Subject: [SSSD-users] Re: SSSD & POSIX attrs in GC
>
>On Fri, May 05, 2017 at 11:02:44AM +, Ondrej Valousek wrote:
>> Hi all,
>>
>> Simple question:
>> In case we not use ldap_id_map
Hi all,
Simple question:
In case we not use ldap_id_mapping, does SSSD require posix attrs in GC or not?
Thanks,
Ondrej
> Sent: Friday, March 17, 2017 10:57 AM
> To: End-user discussions about the System Security Services Daemon us...@lists.fedorahosted.org>
> Subject: [SSSD-users] Re: Bug #3131 in the sssd-1.14?
>
> On (15/03/17 21:44), Jakub Hrozek wrote:
> >On Mon, Mar 13, 2017 at 08:33:32A
Hi, which version from the 1.14 line contains a fix for bug #1313 (fixed in
1.13.5)?
I am running 1.14.0-43 from CentOS-7 and it seems to suffer from the same
problem.
Thanks,
Ondrej
Related note:
Anyone knows if Samba honors NFSv4-style ACLs?
We have a Netapp here which appears to be only NFSv4 server in the world having
fully fledged ACLs functionality - unfortunately it can not translate NFSv4
acls to Windows ACLs despite their similarity.
I was hoping Samba could possibly
". If we configure SSSD to use Active Directory for the Auth Provider, then we
will end up with the All-number Usernames on Linux."
This is not true. It is completely fine if Unix username != Kerberos principal.
O.
-Original Message-
From: Ali, Saqib [mailto:docbook@gmail.com]
Sent:
You can't do this with automounter.
What you could do is:
a) use symlinks (say /s/prods/work -> /s/prods_work)
b) use NFSv4 referrals
-Original Message-
From: johnlehar...@hotmail.com [mailto:johnlehar...@hotmail.com]
Sent: Monday, December 05, 2016 8:42 PM
To: sssd-users@lists.fedorahost
Run 'automount -m' and see if it shows what it is supposed to show.
Looks like some error after ':' in your map.
O.
From: john lehardos [mailto:johnlehar...@hotmail.com]
Sent: Monday, December 05, 2016 1:12 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] autofs bogus option
Hello,
I am
Just use mod_auth_kerb or (better) mod_auth_gssapi
In terms of authentication, SSSD is not really needed here...
-Original Message-
From: Aleksey Maksimov [mailto:aleksey.maksi...@it-kb.ru]
Sent: Thursday, October 20, 2016 1:14 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users
[mailto:jhro...@redhat.com]
Sent: Friday, October 07, 2016 10:35 AM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: Problem with automounter
On Fri, Oct 07, 2016 at 07:28:43AM +, Ondrej Valousek wrote:
> This is a known bug - in my support case I am referring to something else.
Corr
, 2016 at 07:02:10PM +0200, Jakub Hrozek wrote:
> On Thu, Oct 06, 2016 at 03:42:50PM +0000, Ondrej Valousek wrote:
> > Well, I asked to first find out if you guys are aware of this or not -
> > that's all.
> > Support case #01716760 opened.
>
> Thanks, I normally read t
s] Re: Problem with automounter
On Thu, Oct 06, 2016 at 12:51:57PM +0000, Ondrej Valousek wrote:
> Hi List,
>
> Problem - when I reboot my machine, sssd won't pick up autofs maps at the
> very beginning and can't even serve maps from the case - fine, that's a known
Hi List,
Problem - when I reboot my machine, sssd won't pick up autofs maps at the very
beginning and can't even serve maps from the case - fine, that's a known
problem that will be dealt with.
Now the second problem - I would expect that if I leave the machine running for
some time, automount
) [sssd[be[default]]] [sdap_get_users_done]
> (0x0040): Failed to retrieve users (Thu Sep 22 13:35:41 2016)
> [sssd[be[default]]] [sdap_id_op_done] (0x4000): releasing operation
> connection
>
> -Original Message-----
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
> Sen
Here is the example (full log):
(Thu Sep 22 13:35:41 2016) [sssd[be[default]]] [sdap_search_user_next_base]
(0x0400): Searching for users with base [DC=mydomain,DC=com]
(Thu Sep 22 13:35:41 2016) [sssd[be[default]]] [sdap_print_server] (0x2000):
Searching 192.168.128.4
(Thu Sep 22 13:35:41 20
Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Thursday, September 22, 2016 10:07 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: Ldap referrals
On Thu, Sep 22, 2016 at 03:03:36PM +0000, Ondrej Valousek wrote:
> Hi list,
>
> Is it safe to enable
Hi list,
Is it safe to enable ldap referrals in sssd 13.3?
I have them disabled (ldap_referrals=false) but it seems to me that it is
occasionally causing sssd to be unable to find users in AD.
Thanks,
Ondrej
, Sep 15, 2016 at 12:02:00PM +, Ondrej Valousek wrote:
> Not likely as this is RHEL-6 machine where network service is starting
> before SSSD Looks like a bug in the network init scripts.
>
> -Original Message-
> From: Jakub Hrozek [mailto:jhro...@redhat.com]
: [SSSD-users] Re: Network coming up slowly causing sssd to fail on
startup
On Thu, Sep 15, 2016 at 09:28:54AM +, Ondrej Valousek wrote:
> Update:
> The server is connected via bonding interface.
> I guess that could be the problem.
> Ondrej
>
Sounds like a fix for https://fedora
Update:
The server is connected via bonding interface.
I guess that could be the problem.
Ondrej
From: Ondrej Valousek
Sent: Thursday, September 15, 2016 11:22 AM
To: sssd-users@lists.fedorahosted.org
Subject: Network coming up slowly causing sssd to fail on startup
Hi List,
Just experiencing
Hi List,
Just experiencing troubles when starting machine.
The thing is that by the time sssd starts, network is not quite ready -
sometimes Cisco switches take up to few seconds to negotiate speed, etc ->
network sysinit script already finishes (could happen if you have static IP,
right?), sss
The config you have does not make any sense, really.
Obviously you have id_mapping turned on - in this case SSSD ignores any RFC2307
attributes in AD - including loginshell.
If you want SSSD to honour RFC2307 attrs in AD, you need to turn
ldap_id_mapping off.
Ondrej
-Original Message-
Fr
Hi list,
Are there any known problems with memory leaks in sssd-1.13.3-22.el6_8.4?
Possibly only relevant when service enumeration enabled.
Thanks,
Ondrej
Looks like adcli was unable to detect your site - you found a bug in adcli.
O.
-Original Message-
From: Joakim Tjernlund [mailto:joakim.tjernl...@infinera.com]
Sent: Monday, August 29, 2016 8:44 AM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Joining AD with adcli, strange
Note that AD is not 100% RFC2307 compatible, so by default it uses
'UnixhomeDirectory' attribute because traditional 'HomeDirectory' is being used
by Windows.
You have to tell SSSD to use 'HomeDirectory' explicitly.
O.
From: Matthew W Hanley [mailto:mwhan...@syr.edu]
Sent: Sunday, August 28, 20
If you are using Netapp, then it is pointless to use CIFS as Netapp can speak
NFS, too.
Usage of Idmapper depends on NFS version you use, NFSv3 does not require
Idmapper but since you talk about Kerberos, you most likely use NFSv4 which
does.
O.
-Original Message-
From: John Hodrien [m
Maybe a little bit OT question here:
SPN vs UPN only exists in Microsoft KDC implementation right?
i.e. if I deploy IPA domain, there is still no difference between these 2 (as
IPA is using MIT KDC) right?
Thanks,
Ondrej
-Original Message-
From: Sumit Bose [mailto:sb...@redhat.com]
S
@lists.fedorahosted.org
Subject: [SSSD-users] Re: DDNS not working due to non FQDN hostname
On Mon, 2016-08-22 at 10:23 +0200, Jakub Hrozek wrote:
> On Mon, Aug 22, 2016 at 08:16:36AM +0000, Ondrej Valousek wrote:
> >
> > Ok, so you Jakub say that /etc/hostname should rather contain FQDN
System Security Services Daemon
Subject: [SSSD-users] Re: DDNS not working due to non FQDN hostname
On Mon, Aug 22, 2016 at 08:16:36AM +, Ondrej Valousek wrote:
> Ok, so you Jakub say that /etc/hostname should rather contain FQDN right?
No, I'm saying that gethostname()/hostname should
Ok, so you Jakub say that /etc/hostname should rather contain FQDN right?
I was not sure what RedHat says in terms of "best practices" here.
But I agree that from the admin perspective, we ideally need to have the same
configuration in sssd.conf being shared by all hosts.
Ondrej
-Original Mes
st 2016 15:35
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: Mounting NFS over cross domains
On Wed, 2016-08-17 at 14:33 +0000, Ondrej Valousek wrote:
> How did you configure ID mapper?
On both server and client I only have
Local-Realms = TRANSMODE.SE,INFINERA.COM
>
How did you configure ID mapper?
-Original Message-
From: Joakim Tjernlund [mailto:joakim.tjernl...@infinera.com]
Sent: 17 August 2016 15:31
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Mounting NFS over cross domains
Feels like I am very close to having integrated our two
This is a response I got from RH support team:
"Hello,
I checked the available logs and it looks like you are hitting to same issue
mentioned in BZ # 1332309
The issue is still being investigated by our Engineering Team and I will update
you once I hear any update from them. Hence I am keeping t
broken in sssd?
On Thu, Aug 11, 2016 at 12:21:43PM +, Ondrej Valousek wrote:
> There is output of the log file (debug 0x1FF):
> ...
> (Wed Aug 10 02:22:24 2016) [sssd[be[default]]] [resolve_srv_done] (0x0400):
> SRV lookup did not return any new server.
> (Wed Aug 10 02:22:24
ed (5)
TCPdump shows (this time) that query has been sent to DNS servers and response
followed in no time. So there is definitely no problem with DNS here.
Ondrej
-Original Message-
From: Lukas Slebodnik [mailto:lsleb...@redhat.com]
Sent: Thursday, August 11, 2016 10:12 AM
To: End-user disc
Hi list,
I am regularly getting messages like:
(Mon Aug 8 21:20:19 2016) [sssd[be[default]]] [be_resolve_server_process]
(0x0080): Couldn't resolve server (myserver.com), resolver returned (5)
Or
(Wed Aug 10 15:47:46 2016) [sssd[be[default]]] [nsupdate_get_addrs_done]
(0x0040): Could not resol
09:25 AM, Ondrej Valousek wrote:
> Affected user was root actually :-/
>
If that's the case, the problem can't be an SSSD problem, because we don't
handle the root account...
Affected user was root actually :-/
-Original Message-
From: Stephen Gallagher [mailto:sgall...@redhat.com]
Sent: Wednesday, July 27, 2016 3:22 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: keyring: disk quota exceeded
On 07/27/2016 08:42 AM, Ondrej Valousek wrote
It has Gnome installed, but none is using it.
I do not know what triggers it unfortunately. I just upgraded the kernel and
rebooted the machine hoping it won't come back.
I doubt Online Accounts might have caused that.
How do I find out which keyring is causing troubles?
Tried 'keyctl show' but
Hi List,
On RH-7 box I am getting message like this:
[root@spartacus bin]# kinit
kinit: Disk quota exceeded while getting default ccache
Google gave this: https://bugzilla.redhat.com/show_bug.cgi?id=1017683
Which suggests big keys needs to be enabled for kernel and suggests kernel 3.11
However,
Try "net ads keytab add afs" - but it's probably not going to work without
admin privileges in AD.
O.
-Original Message-
From: Maciej Piechotka [mailto:uzytkown...@gmail.com]
Sent: Wednesday, July 20, 2016 9:30 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Adding service
#3089 opened.
O.
-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Friday, July 08, 2016 1:46 PM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: sssd 1.13.3 - Failed to retreive users
On Fri, Jul 08, 2016 at 11:44:31AM +, Ondrej Valousek wrote
: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: sssd 1.13.3 - Failed to retreive users
On (08/07/16 10:02), Ondrej Valousek wrote:
>Please see more logs below. I am running the latest 1.13.3-22 so should not be
>affected.
>
>(Fri Jul 8 0
, 2016 11:50 AM
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: sssd 1.13.3 - Failed to retreive users
On (08/07/16 09:22), Ondrej Valousek wrote:
>Hi List,
>
>After upgrade from 1.12 to 1.13.3. I see sporadically messages
Hi List,
After upgrade from 1.12 to 1.13.3. I see sporadically messages like these:
(Fri Jul 8 09:47:20 2016) [sssd[be[default]]] [acctinfo_callback] (0x0100):
Request processed. Returned 0,0,Success
(Fri Jul 8 09:47:20 2016) [sssd[be[default]]] [acctinfo_callback] (0x0100):
Request processed
Wow, sssctl - extremely handy tool I was longing for.
Will 1.14 find its way into RH-6/7?
Thanks,
Ondrej
-Original Message-
From: Jakub Hrozek [mailto:jhro...@redhat.com]
Sent: Thursday, June 30, 2016 12:08 AM
To: sssd-de...@lists.fedorahosted.org; sssd-users@lists.fedorahosted.org;
fr
at 09:51:35AM +, Ondrej Valousek wrote:
> Did not have it installed - why isn't dependency on it in sssd rpm
> package? It's only 100Kb package, no big deal :-) It is working now, thanks -
> will monitor FD leaks.
Since this is an option feature, it can be disabled in sssd
0:51 AM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: SSSD in RHEL 6.8
On Wed, May 25, 2016 at 10:47:25AM +0200, Lukas Slebodnik wrote:
> On (25/05/16 08:40), Ondrej Valousek wrote:
> >Ok, this is probably important:
> >(Wed May 25 10:12:
Ok, this is probably important:
(Wed May 25 10:12:58 2016) [sssd[be[default]]]
[ad_machine_account_password_renewal_send] (0x0020): Could not exec renewal
child: [2][No such file or directory].
Ondrej
-Original Message-
From: Ondrej Valousek [mailto:ondrej.valou...@s3group.com]
Sent
Tried debug_level=0x1FF.
Still the same error:
(Wed May 25 10:12:58 2016) [sssd[be[default]]] [be_ptask_done] (0x0040): Task
[AD machine account password renewal]: failed with [2]: No such file or
directory
...
(Wed May 25 10:13:58 2016) [sssd[be[default]]]
[ad_machine_account_password_renewal
Hi Team,
First of all, many thanks for sssd-13.3 which has finally found its way into
RH-6.8.
It seems to be first release I can use in my environment without having to use
any obscure hacks I hated from the very beginning.
Good work!
I also noticed that this version can (seems like) finally
Can you do "kinit -k LA35185$@PETERMAC.ORG.AU"
A good test if trust with AD works well - if not, sssd can not do much about
it...
O.
-Original Message-
From: jas.peter...@gmail.com [mailto:jas.peter...@gmail.com]
Sent: Monday, May 23, 2016 9:22 AM
To: sssd-users@lists.fedorahosted.org
S
: Wednesday, May 11, 2016 4:11 PM
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: SSSD and docker
On Wed, May 11, 2016 at 02:03:49PM +, Ondrej Valousek wrote:
>
> Question: Can SSSD provide its services for containerized apps?
> Is there
Hi list,
Question: Can SSSD provide its services for containerized apps?
Is there any howto around?
Thanks,
Ondrej
Finally:
[root@imachine ~]# getent -s sss group | grep ^hp
hp:*:149:
[root@machine ~]# getent -s sss group hp
[root@machine ~]# getent -s sss group | grep ^hp
[root@machine ~]#
(something wrong with formatting here, sorry)
-Original Message-
From: Ondrej Valousek [mailto:ondrej.valou
It should read:
[root@imachine ~]# getent -s sss group | grep ^hp
hp:*:149:
[root@machine ~]# getent -s sss group hp
[root@machine ~]# getent -s sss group | grep ^hp
[root@machine ~]#
Ondrej
-Original Message-
From: Ondrej Valousek [mailto:ondrej.valou...@s3group.com]
Sent: Friday
nt -s sss group | grep ^hp
[root@machine ~]#
Using sssd-1.12.4-47.el6.x86_64
Ondrej
-Original Message-----
From: Ondrej Valousek [mailto:ondrej.valou...@s3group.com]
Sent: Friday, April 29, 2016 10:43 AM
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-u
e?
Ondrej
-Original Message-
From: Pavel Březina [mailto:pbrez...@redhat.com]
Sent: Friday, April 29, 2016 10:36 AM
To: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: cache question
On 04/29/2016 10:30 AM, Ondrej Valousek wrote:
> Hi List,
>
> [root@machine ~]# sss_cache -g
Hi List,
[root@machine ~]# sss_cache -g mpeg2
No cache object matched the specified search
[root@machine ~]# getent -s sss group mpeg2
mpeg2:*:139:
Is this normal behavior? I have deleted mpeg2 group recently...
Only after I do 'sss_cache -G' it goes away eventually
Thanks,
Ondrej
: sssd-users@lists.fedorahosted.org
Subject: [SSSD-users] Re: SSSD does not destroy kerberos cache on user logout
Can you sanitize and share sssd.conf?
Striker
On 04/15/2016 07:06 AM, Ondrej Valousek wrote:
> Does not work:
>
> [root@win-4bkps6vk3dp sssd]# loginctl list-sessions
>
), Ondrej Valousek wrote:
>Hi list,
>I just discovered that SSSD does not destroy user Kerberos cache credentials
>upon logout on Centos-7 (sssd vers 1.13).
>Is that known issue?
>
IIRC ticket should be destroyed together with session.
and session needn't be destroyed after log
Hi list,
I just discovered that SSSD does not destroy user Kerberos cache credentials
upon logout on Centos-7 (sssd vers 1.13).
Is that known issue?
Thanks,
Ondrej
SSSD (unless you specify subdomain-provider=none) tries to reach forest DCs
upon its initialization to discover network sites/etc.
So if machines in child.ad.example.com can not contact controllers in
ad.example.com, my guess is it simply won't work as SSSD would not be able to
discover domain c