[SSSD-users] Re: id / getent not finding AD users

2019-06-25 Thread Jakub Hrozek
; (Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [request_watch_destructor] > (0x0400): Deleting request watch > (Tue Jun 25 16:17:21 2019) [sssd[be[MYDOMAIN.ca]]] [sdap_id_op_connect_done] > (0x0020): Failed to connect, going offline (5 [Input/output error] > > > Thanks! &

[SSSD-users] Re: id / getent not finding AD users

2019-06-27 Thread Jakub Hrozek
On Thu, Jun 27, 2019 at 05:01:27PM +, Thomas Beaudry wrote: > Hi Jakub, > > So I tried > > >> Does it help to increase the dns_resolver_timeout from its default of 6 > seconds? Please see the note in man sssd-ad, there are several timeouts > that might need to be increased in unison, can you

[SSSD-users] Re: sssd sudo using Microsoft Active Directory

2019-07-01 Thread Jakub Hrozek
On Sun, Jun 30, 2019 at 09:31:17AM -, Bruno Monteiro wrote: > Hello, > > Below my configuration and errors :) > > (I've adapted some strings for the sake of example - domain is not real) > > cat /etc/sssd/sssd.conf > [sssd] > services = nss, pam,ssh, sudo > debug_level = 0x7FFF > domains = L

[SSSD-users] Re: sssd sudo using Microsoft Active Directory

2019-07-02 Thread Jakub Hrozek
On Mon, Jul 01, 2019 at 09:09:24AM -, B M wrote: > Hi Jakub, > > Thx for the suggestions! > > Here more logs: > > NOTE: Replaced - or from the original name. > > /var/log/sssd/sssd_sudo.log > > (Mon Jul 1 08:25:02 2019) [sssd[sudo]] [accept_fd_handler] (0x0400): Client > co

[SSSD-users] Re: Replicate digest mapping from pam_pkcs11

2019-07-15 Thread Jakub Hrozek
On Mon, Jul 15, 2019 at 02:49:19PM -, James Trater wrote: > Hello. > > Is it possible to replicate the digest mapping feature of pam_pkcs11 > in sssd? We have built our infrastructure around the notion of mapping > users to certificates based on the certificate digest. With the removal > of pa

[SSSD-users] Re: sssd_be core dumping when ‘realm permit’ command run under puppet control…

2019-07-15 Thread Jakub Hrozek
On Mon, Jul 15, 2019 at 12:50:03PM -0500, Spike White wrote: > All, > > This is a strange one. When we exec this command under puppet control: > > /usr/sbin/realm permit -R AMER.COMPANY.COM > processehcprofi...@amer.company.com > > Then sssd_be core dumps (segfault). Anytime sssd_be segfaults,

[SSSD-users] Re: Replicate digest mapping from pam_pkcs11

2019-07-15 Thread Jakub Hrozek
Thank you; comment added. so hopefully the case would turn into a bug report. (This still does not mean the digest matching would be implemented, but it's the best way I can think of to track a missing functionality..) On Mon, Jul 15, 2019 at 08:27:08PM -, James Trater wrote: > Thank you. I h

[SSSD-users] Re: sssd_be core dumping when ‘realm permit’ command run under puppet control…

2019-07-16 Thread Jakub Hrozek
On Tue, Jul 16, 2019 at 12:32:29PM -0500, Spike White wrote: > The following case has been opened with RHEL support on this. It was > opened this morning: > > (SEV 4) Case #02427449 ('realm permit group@DOMAIN' causing background > process sssd_be to segfault.) Thank you, comment added. I hope a

[SSSD-users] Re: Max hostname len in adcli or realm join to AD?

2019-07-22 Thread Jakub Hrozek
On Fri, Jul 19, 2019 at 11:43:37AM -0500, Spike White wrote: > All, > > In previous AD integration tools, the max host name length was customarily > 15 chars. Because of ancient NETBIOS restrictions (16 char restrictions > and netbios adds a '$' to the end of host name). > > That was like an AD

[SSSD-users] Re: [AD] User discovery/enumeration issue due to domain settings

2019-07-26 Thread Jakub Hrozek
On Fri, Jul 26, 2019 at 12:50:16PM +0200, Christian Lamparter wrote: > Hello Folks, > > I'm currently setting up sssd (Debian 1.16.3) on Debian Buster 10.0 > and I ran into a problem that I was able to trace down to the domain > permission/security settings that placed the users into a special OU

[SSSD-users] Re: [AD] User discovery/enumeration issue due to domain settings

2019-07-31 Thread Jakub Hrozek
On Tue, Jul 30, 2019 at 06:42:06PM +0200, Christian Lamparter wrote: > Hello again, > > On Fri, 2019-07-26 at 14:08 +0200, Jakub Hrozek wrote: > > On Fri, Jul 26, 2019 at 12:50:16PM +0200, Christian Lamparter wrote: > > > I'm currently setting up sssd (Debian

[SSSD-users] Re: socket activated services and "implicit" sssd.conf?

2019-08-03 Thread Jakub Hrozek
On Thu, Aug 01, 2019 at 07:50:09PM +0300, Timo Aaltonen wrote: > > Hi, > > As discussed on irc, the fallback config enables 'services=nss', and > check_socket_activated_responder() bails out if there's no conffile. > > So both should be fixed to allow sssd to start without extra noise when > soc

[SSSD-users] Re: override_gid not applying to trusted/parent AD domains when joined via child

2019-08-08 Thread Jakub Hrozek
On Thu, Aug 08, 2019 at 02:31:32PM -0400, Josh Snyder wrote: > On Thu, Aug 8, 2019 at 2:05 PM Sumit Bose wrote: > > > On Thu, Aug 08, 2019 at 01:25:08PM -0400, Josh Snyder wrote: > > > Hi All, > > > > > > I'm working in a proof of concept for a customer where I've been asked to > > > join the chi

[SSSD-users] Re: [AD] Filter out disabled users

2019-08-12 Thread Jakub Hrozek
On Sun, Jul 21, 2019 at 06:08:18PM +0200, Hinrikus Wolf wrote: > Hi, > > we are currently running a Samba AD DC Server with sssd on clients. Now > we want to run sssd also on our mail server with postfix + dovecot. > Postfix and dovecot get their users from NSS i.e. from sssd. > In our Domain ther

[SSSD-users] Re: Problem getting sssd to work with LDAP authentication

2019-08-12 Thread Jakub Hrozek
On Fri, Aug 09, 2019 at 08:33:43PM -, Jane Eason wrote: > Our LDAP does not include the POSIX schema, so we made a couple of entries in > sssd.conf to attempt to work around that. > > Here is our complete (slightly redacted) sssd.conf: > > [domain/mydomain] > id_provider = ldap > auth_provid

[SSSD-users] Re: Problem getting sssd to work with LDAP authentication

2019-08-13 Thread Jakub Hrozek
On Mon, Aug 12, 2019 at 07:21:15PM -, Jane Eason wrote: > We do not have the uid number in LDAP. > > In our LDAP uid is the username, so LDAP has e.g. uid=bob. There is a local > Linux user named "bob" as well (we are not creating accounts on login). > > We thought we could get around havi

[SSSD-users] Re: Group disappears from users / no group name gets resolved

2019-08-22 Thread Jakub Hrozek
On Thu, Aug 22, 2019 at 11:11:18AM -, Jamal Mahmoud wrote: > We've been experiencing an intermittent issue relating to SSSD v1.15.2, we > are running CentOS7.4 on our workstations. We use SSSD to communicate with > our Active Directory to pull users for auth. The majority of users have a > c

[SSSD-users] Re: Patch for sssd to fix recursion problems with Winbind (Samba Bug #13815)

2019-08-23 Thread Jakub Hrozek
On Fri, Aug 23, 2019 at 03:46:54PM +0200, Heiko Wundram wrote: > Hello list, > > for a deployment I'm administering, I'm using winbind and sssd in parallel, > both for different authentication sources (so it's not about their > interoperability, but rather about using them in parallel). It seems t

[SSSD-users] Re: another ubuntu 18 sssd issue: cron

2019-08-26 Thread Jakub Hrozek
On Mon, Aug 26, 2019 at 01:37:43PM +, Charles Hedrick wrote: > After converting a system to sssd with an IPA backend, we found that cron was > not recognizing our users. It appears (based on using lsof to see what .so > files are open) that cron is reading nsswitch.conf at startup, and doesn’

[SSSD-users] Re: Group disappears from users / no group name gets resolved

2019-08-27 Thread Jakub Hrozek
On Mon, Aug 26, 2019 at 04:25:38PM -, Jamal Mahmoud wrote: > Hi Jakub, > > I've managed to catch the error again with my own machine so this time i've > had time to properly capture the issue. I've been looking into the logs and > what seems to be happening is that we have multiple AD Domain

[SSSD-users] Re: another ubuntu 18 sssd issue: cron

2019-08-29 Thread Jakub Hrozek
la. But I completely trust the glibc developers that this is non-trivial. On Thu, Aug 29, 2019 at 01:43:07PM +, Charles Hedrick wrote: > Cute. I wondered why the problem didn’t happen on Centos. That explains it, > but wasn’t at all the explanation I was expecting. > > On Aug 26

[SSSD-users] Re: [AD] Filter out disabled users

2019-09-11 Thread Jakub Hrozek
On Wed, Sep 11, 2019 at 09:04:40PM +0200, Hinrikus Wolf wrote: > Hi, > > that's actually what we tried: > > > > [sssd] > > domains = fsmpi.rwth-aachen.de > > config_file_version = 2 > > services = nss, pam > > > > [pam] > > offline_credentials_expiration = 1 > > offline_failed_login_attempts

[SSSD-users] Re: Questions about the PAC responder

2019-09-19 Thread Jakub Hrozek
On Wed, Sep 18, 2019 at 06:25:31PM -0700, Jim Burwell wrote: > Hi, > > I recently encountered issues where logins on Linux clients using SSSD > and the AD provider, pointed directly to an AD server were randomly > slow.  Randomly meaning, some clients experienced no slowness at all, > other client

[SSSD-users] Re: sssd-krb5, krb5_ccachedir, DIR-cache-store...

2019-09-23 Thread Jakub Hrozek
On Sun, Sep 22, 2019 at 04:16:58PM -, Jostein Fossheim wrote: > We are working with several kerberos-REALMS and are trying to get our clients > to store their kerberos tickets in a DIRECTORY. This seems to work nicely for > clients not authenticating at login, with the following configuration

[SSSD-users] Re: Offline caching of group names and memberships?

2019-09-25 Thread Jakub Hrozek
On Wed, Sep 25, 2019 at 06:25:06PM -0500, Spike White wrote: > Yes, true statement. > > We also do not own AD -- only the Linux builds. The AD admins insist on > camel-case for group names and user names. > > Yes, AD and Windows are case-insensitive. But Linux and Kerberos are not. > > I know

[SSSD-users] Re: autofs with samba AD

2019-09-26 Thread Jakub Hrozek
On Tue, Sep 24, 2019 at 01:21:45PM +0200, w...@mailbox.org wrote: > Hello list, > I'm trying to setup sssd to access automounter rules stored on an AD (samba > 4.7.6). > I followed the instructions on this site, however it doesn't work for me. > https://ovalousek.wordpress.com/2015/08/03/autofs/

[SSSD-users] Re: autofs with samba AD

2019-09-27 Thread Jakub Hrozek
On Fri, Sep 27, 2019 at 09:34:42AM +0200, w...@mailbox.org wrote: > > > Jakub Hrozek wrote on 26 September 2019 at 14:52: > > > > > > On Tue, Sep 24, 2019 at 01:21:45PM +0200, w...@mailbox.org wrote: > > > Hello list, > > > I

[SSSD-users] Re: autofs with samba AD

2019-09-30 Thread Jakub Hrozek
On Fri, Sep 27, 2019 at 01:05:17PM +0200, w...@mailbox.org wrote: > > > Jakub Hrozek wrote on 27 September 2019 at 09:55: > > > > > > On Fri, Sep 27, 2019 at 09:34:42AM +0200, w...@mailbox.org wrote: > > > > > >

[SSSD-users] Re: sssd-session-recording

2019-10-22 Thread Jakub Hrozek
On Tue, Oct 22, 2019 at 12:51:27PM +, MAUPERTUIS, PHILIPPE wrote: > Hi list, > With Redhat 8 come tlogs for session recording. > It seems a promising tool to comply with PCI DSS requirement 10.2 which > requires Monitoring of all actions taken by any individual with root or > administrative p

[SSSD-users] Re: Any way to get sssd to ignore gidNumber (Posix attribute) when auto_private_group set to true?

2019-11-06 Thread Jakub Hrozek
On Tue, Nov 05, 2019 at 09:00:44PM -0600, Spike White wrote: > All, > > We're replacing a commercial product that ignores whatever GID is used in > gidNumber posix attribute, when auto_private_groups is set to true. > > However, we find in sssd that even when we set auto_private_groups = True, >

[SSSD-users] Re: Enumerate users from external group from AD trust

2019-11-14 Thread Jakub Hrozek
On Wed, Nov 13, 2019 at 10:35:46AM -0500, John Desantis wrote: > Hello all, > > Apologies for the necromancy here, but there seems to be conflicting > information regarding group enumeration within an IPA AD Trust, > specifically, these tidbits: > > > > >>> ad_users is an IPA group that conta

[SSSD-users] Re: Enumerate users from external group from AD trust

2019-11-21 Thread Jakub Hrozek
On Thu, Nov 14, 2019 at 10:10:20AM -0500, John Desantis wrote: > Jakub, > > > This is confusing because the enumerate word is overloaded :-) > > Ha! Agreed. > > > What is not supported and I guess won't be is "getent passwd" or "getent > > group" to get all objects from AD. > > I definitely ag

[SSSD-users] Re: Debian10 and self-signed cert

2019-11-21 Thread Jakub Hrozek
On Tue, Nov 19, 2019 at 09:38:55AM +0200, Todor Petkov wrote: > Hello, > > I am trying to configure sssd authentication on Debian 10.2, sssd > 1.16.3, against 389-ds with self-signed certificate. > > In /etc/sssd/sssd.conf I have the line "ldap_tls_reqcert = never" > line, but when I start sssd m

[SSSD-users] Re: Enumerate users from external group from AD trust

2019-11-29 Thread Jakub Hrozek
On Tue, Nov 26, 2019 at 01:03:39PM -0500, John Desantis wrote: > Jakub, > > > > Is the functionality in question only available for IPA masters? > > > > It shouldn't be and I'm seeing the users also on a client. I don't > > remember if there was ever a bug in the client portion, I guess > > lookin

[SSSD-users] Re: Pros/cons of access_provider=ad + access.conf file vs access_provider=simple?

2019-12-05 Thread Jakub Hrozek
On Wed, Dec 04, 2019 at 09:58:00AM -0600, Spike White wrote: > Sssd experts, > > We have an AD-based sssd configuration that is working. For RHEL6, 7 and 8. > > We've done thorough lab testing + pilot projects. All good (with certain > RHEL6 restrictions). > > Currently, we're using access_pro

[SSSD-users] Re: restrict sudo su -

2020-01-17 Thread Jakub Hrozek
On Fri, Jan 17, 2020 at 11:23:25AM +0100, Pavel Březina wrote: > On 1/17/20 8:40 AM, Jannis Mann wrote: > > Hi, > > I've implemented sssd with id, auth and access provider as ldap. So I am > > using a binding account and didn't joined the domain with the server. > > > > In general everything works

[SSSD-users] Re: ldap_access_filter ignored for some users

2020-05-18 Thread Jakub Hrozek
On Fri, May 15, 2020 at 05:07:30PM +, Sajesh Singh wrote: > CentOS 7.8 > SSSD 1.16.4 > > Having a strange issue where the ldap_access_filter seems to be applied to > some users and not others when they are both logging into the same > application that is using the underlying OS PAM configura

[SSSD-users] Re: ldap_access_filter ignored for some users

2020-05-18 Thread Jakub Hrozek
On Mon, May 18, 2020 at 01:29:49PM +, Sajesh Singh wrote: > Jakub, >Both of the logins were via a web application that uses the underlying PAM > subsystem on the server. Then you should look into the pam responder logs, too, because the back end logs show no PAM request. _

[SSSD-users] Re: ldap_access_filter ignored for some users

2020-05-19 Thread Jakub Hrozek
On Mon, May 18, 2020 at 03:53:15PM +, Sajesh Singh wrote: > If there were no PAM requests then what could be triggering SSSD to do the > lookup that I see in the logs? > > -Sajesh- Oh, sorry, you're right, there is pam_print_data also in the second snippet. What log level was this gathered w

[SSSD-users] Announcing SSSD 1.10.0 Beta 1

2013-05-03 Thread Jakub Hrozek
val with a delimiter * Confusing error messages for invalid sssd.conf Jakub Hrozek (38): * Updating the version for the 1.10 beta1 release * krb5 child: Use the correct type when processing OTP * pidfile(): Do not leak fd on error * Fix potential out-of-bounds write in sss_

Re: [SSSD-users] Announcing SSSD 1.10.0 Beta 1

2013-05-06 Thread Jakub Hrozek
On Sat, May 04, 2013 at 07:47:20AM +, Ondrej Valousek wrote: > Wow! Thanks for implementing features I was calling for few months ago! > It is really highly appreciated :) > This is very nice to hear. You can join the F19 test day this Thursday to experiment with the features: https://fedorap

[SSSD-users] Active Directory Integration test day invitation

2013-05-06 Thread Jakub Hrozek
The realmd and SSSD development teams are happy to invite you to a Fedora Test Day that will be held on Thursday, May 9th. We invite you to take part in testing of the new features that will become available in upcoming upstream releases of realmd and SSSD and would be a part of Fedora 19. The fea

Re: [SSSD-users] Active Directory Integration test day invitation

2013-05-07 Thread Jakub Hrozek
On Tue, May 07, 2013 at 11:17:15AM -0400, Harry Sutton wrote: > I notice the Test Day page > > still shows 'tbd' for the LiveCD (under 'Prerequisite...'), is there a > version we should use on Thursday? > >

Re: [SSSD-users] RHEL5, sssd and the Global Catalog

2013-05-09 Thread Jakub Hrozek
On Tue, May 07, 2013 at 02:35:00PM -0400, will_dar...@navyfederal.org wrote: >Have configured a couple of hundred hosts to use sssd w/ LDAP to connect >to the Global Catalog of a Windows 2008 Domain for identify and >authentication.  All of my RHEL6 servers appear to be fine, however >

Re: [SSSD-users] Ldap Help

2013-05-09 Thread Jakub Hrozek
On Wed, May 08, 2013 at 01:29:24PM -0400, Dmitri Pal wrote: > On 05/08/2013 12:57 PM, Brandon Foster wrote: > > On Wed, May 8, 2013 at 9:52 AM, Sumit Bose wrote: > >> On Wed, May 08, 2013 at 09:43:48AM -0700, Brandon Foster wrote: > >>> On Wed, May 8, 2013 at 9:26 AM, Wojtak, Greg (Superfly) > >>>

Re: [SSSD-users] Multiple ldap accounts for sudo and users in sssd.conf

2013-05-09 Thread Jakub Hrozek
On Thu, May 09, 2013 at 04:20:43PM +0100, michael gabriel wrote: > Hi there, > > We have two different ldap "accounts". One is used to get user account > information and the other is used get sudo information. > > Is there way to have two ldap_default_bind_dn's and ldap_default_authtok's > for ea

Re: [SSSD-users] RHEL5, sssd and the Global Catalog (Jakub Hrozek)

2013-05-09 Thread Jakub Hrozek
On Thu, May 09, 2013 at 09:39:07AM -0400, will_dar...@navyfederal.org wrote: >If this comes across as HTML sorry.. gotta find a better mail client for >mailing lists... :/ >I grabbed these logs right after attempting a su - espadmin, so that >should narrow down whats there.  I shoul

Re: [SSSD-users] RHEL5, sssd and the Global Catalog (Jakub Hrozek)

2013-05-10 Thread Jakub Hrozek
On Thu, May 09, 2013 at 03:06:30PM -0400, will_dar...@navyfederal.org wrote: > wrote on 05/09/2013 02:44:00 >PM: > >> From: Jakub Hrozek >> To: , >> Date: 05/09/2013 02:44 PM >> Subject: Re: [SSSD-users] RHEL5, sssd and the Global Catalo

Re: [SSSD-users] Problem with sssd and udev

2013-05-20 Thread Jakub Hrozek
On Fri, May 17, 2013 at 09:09:17PM +, John Bossert wrote: > Am fighting a battle with sssd/ldap and udev (RHEL6/Centos6). > > I have a udev rule that sets disk ownership to oracle/asmadmin at boot. The > user oracle and group asmadmin are registered in ldap. > > Other (udev) forums suggest

Re: [SSSD-users] Problem with sssd and udev

2013-05-20 Thread Jakub Hrozek
On Mon, May 20, 2013 at 09:41:52AM -0400, Stephen Gallagher wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 05/20/2013 09:08 AM, Jakub Hrozek wrote: > > On Fri, May 17, 2013 at 09:09:17PM +, John Bossert wrote: > >> Am fighting a battle with sssd/l

Re: [SSSD-users] Problem with sssd and udev

2013-05-20 Thread Jakub Hrozek
On Mon, May 20, 2013 at 04:50:28PM +, John Bossert wrote: > Sorry for leaving out specifics. > > $ cat /etc/redhat-release > Red Hat Enterprise Linux Server release 6.3 (Santiago) > > $ sssd -version > 1.8.0 > > The problem is that, during boot, udev is not correctly executing a rule to > s

Re: [SSSD-users] How to change autofs auto.master name?

2013-05-21 Thread Jakub Hrozek
On Mon, May 20, 2013 at 09:12:37PM -0700, C. S. wrote: > Hi folks, > > We have two auto.master maps: auto_master_a and auto_master_b. The reason > for this is that it allows us to maintain the same paths at different > campuses and redirect them to local filers vs. traversing a WAN link. > > In s

Re: [SSSD-users] Problem with sssd and udev

2013-05-21 Thread Jakub Hrozek
On Mon, May 20, 2013 at 08:59:28PM +, John Bossert wrote: > /var/log/messages suggests that udev starts before sssd: > > May 17 16:54:07 seadv01-db01 kernel: udev: starting version 147 > May 17 16:54:09 seadv01-db01 sssd: Starting up I haven't found the bug Stephen was referring to (though I

Re: [SSSD-users] Caching/performance issues with 1.5 vs 1.9

2013-05-23 Thread Jakub Hrozek
On Wed, May 22, 2013 at 08:26:25PM +, Joshua C. Endries wrote: > Hello, > > I'm trying to get sssd going here to hook up with AD/LDAP for user and group > lookup. I have it working, and it works great on RHEL5 (sssd v1.5.1). Running > 'id' on myself takes 3s when in foreground mode, and 0.01

Re: [SSSD-users] Caching/performance issues with 1.5 vs 1.9

2013-05-23 Thread Jakub Hrozek
On Thu, May 23, 2013 at 10:36:21AM +0200, Jakub Hrozek wrote: > On Wed, May 22, 2013 at 08:26:25PM +, Joshua C. Endries wrote: > > Hello, > > > > I'm trying to get sssd going here to hook up with AD/LDAP for user and > > group lookup. I have it working, a

Re: [SSSD-users] Problem with sssd and udev

2013-05-23 Thread Jakub Hrozek
starting version 147 > > >> May 17 16:54:09 seadv01-db01 sssd: Starting up > > > > > On Tue, May 21, 2013 at 09:01:53 -0700, Jakub Hrozek wrote: > > > I haven't found the bug Stephen was referring to (though I remember > > > there was

Re: [SSSD-users] IBM IHS Apache and SSSD

2013-05-23 Thread Jakub Hrozek
On Thu, May 23, 2013 at 10:32:21AM -0400, will_dar...@navyfederal.org wrote: >Does anyone have any experience with using IBM IHS Apache and sssd >together?   >I've got some RHEL6.4 servers that need to use IBM IHS for apache. > >The 'User ' in the httpd.conf file is set to a userid

Re: [SSSD-users] IBM IHS Apache and SSSD

2013-05-23 Thread Jakub Hrozek
On Thu, May 23, 2013 at 10:32:21AM -0400, will_dar...@navyfederal.org wrote: >Does anyone have any experience with using IBM IHS Apache and sssd >together?   >I've got some RHEL6.4 servers that need to use IBM IHS for apache. > >The 'User ' in the httpd.conf file is set to a userid

Re: [SSSD-users] IBM IHS Apache and SSSD

2013-05-23 Thread Jakub Hrozek
On Thu, May 23, 2013 at 11:40:54AM -0400, will_dar...@navyfederal.org wrote: >getent passwd returns results as I suspect. > ># getent passwd wasadmin >wasadmin:*:1209:1209:WebSphere admin:/home/wasadmin:/bin/ksh > >Thanks for the suggestion on strace.. I think that helped me find

Re: [SSSD-users] Caching/performance issues with 1.5 vs 1.9

2013-05-23 Thread Jakub Hrozek
On Thu, May 23, 2013 at 07:59:14AM -0400, Josh Endries wrote: > I would definitely be interested in testing the changes out. > Great, I build the latest 6.4 packages along with the new option to disable range retrievals: http://jhrozek.fedorapeople.org/sssd-range-retrieval/ To disable the range

Re: [SSSD-users] Problem with sssd and udev

2013-05-23 Thread Jakub Hrozek
On Fri, May 17, 2013 at 09:09:17PM +, John Bossert wrote: > Am fighting a battle with sssd/ldap and udev (RHEL6/Centos6). > > I have a udev rule that sets disk ownership to oracle/asmadmin at boot. The > user oracle and group asmadmin are registered in ldap. > > Other (udev) forums suggest

Re: [SSSD-users] passwd: Authentication token manipulation error

2013-05-30 Thread Jakub Hrozek
On Thu, May 30, 2013 at 02:36:08PM +, Harris, Bryan L. wrote: > Sorry about the weird line endings in my first email. Here is the same with > the line endings fixed. > > I'm having an issue with password resets which I'm sorry to say I haven't > been able to figure out by google search or s

Re: [SSSD-users] passwd: Authentication token manipulation error

2013-06-04 Thread Jakub Hrozek
On Mon, Jun 03, 2013 at 11:08:49AM +, Bryan Harris wrote: > Hi Jakub, > > On May 30, 2013, at 10:06 AM, Jakub Hrozek wrote: > > are you sure the new password meets the complexity requirements imposed > by AD? Currently SSSD doesn't really report those in a meaning

Re: [SSSD-users] sssd + PAM access.conf

2013-06-04 Thread Jakub Hrozek
On Tue, Jun 04, 2013 at 11:12:54AM -0400, Dmitri Pal wrote: > On 06/04/2013 10:13 AM, Bryan Harris wrote: > > Hi all, > > > > I have the following lines in my file /etc/security/access.conf for > > the purpose of my testing. > > > > - : bryan.harris.adm : ALL > > - : ALL : ALL > > > > When I place

[SSSD-users] Announcing SSSD 1.10.0 Beta 2

2013-06-11 Thread Jakub Hrozek
hosted.org/sssd/ticket/1912 SUDO is not working for users from trusted AD domain https://fedorahosted.org/sssd/ticket/1468 [RFE] AD: Should be able to log in as long or short domains == Detailed Changelog == Jakub Hrozek (45): * Update the version for the 1.10 beta2 release * Actuall

Re: [SSSD-users] ldap_access_filter with pattern

2013-06-13 Thread Jakub Hrozek
On Thu, Jun 13, 2013 at 01:03:05PM +0200, Joke de Buhr wrote: > hi, > > i'm using sssd (1.9.4 fedora 18). > > i was wondering if sssd supports any kind of pattern in the > ldap_access_filter > directive to check access based on the pam service name being accessed. > > for example: > > lda

[SSSD-users] Announcing SSSD 1.11 beta 1

2013-06-28 Thread Jakub Hrozek
option to denote server mode == Detailed Changelog == Jakub Hrozek (11): * Updating the version for the 1.10.1 release * Bump version to track 1.11 development * IPA: Add a server mode option * LDAP: Add utility function sdap_copy_map * AD: decouple ad_id_ctx initializatio

Re: [SSSD-users] Announcing SSSD 1.10.0

2013-07-09 Thread Jakub Hrozek
On Mon, Jul 08, 2013 at 12:38:35PM +, Longina Przybyszewska wrote: > Thanks - and congratulations ! > > But, what does it mean in practice for multi domain AD environment that > "Global Catalog is searched for identity information"? The Global Catalog searches are useful in environments whe

Re: [SSSD-users] Question about ldap lookup

2013-07-10 Thread Jakub Hrozek
On Wed, Jul 10, 2013 at 06:00:25PM +0200, Mehmet Soysal wrote: > Hi, > i have a short question about how ldap lookups are done > and if it is possible to modify them. > At the moment i have a sssd(1.9.2) up and running fine with a ldapserver. > > If a user tries to login with his username (ex. js

Re: [SSSD-users] Question about ldap lookup

2013-07-11 Thread Jakub Hrozek
On Wed, Jul 10, 2013 at 10:08:23PM -0400, Simo Sorce wrote: > On Wed, 2013-07-10 at 23:32 +0200, Jakub Hrozek wrote: > > On Wed, Jul 10, 2013 at 06:00:25PM +0200, Mehmet Soysal wrote: > > > Hi, > > > i have a short question about how ldap lookups are done > > >

[SSSD-users] Announcing SSSD 1.10.1

2013-07-18 Thread Jakub Hrozek
standalone DNS server https://fedorahosted.org/sssd/ticket/1999 shadowLastChange updates even when PAM reports password change failed https://fedorahosted.org/sssd/ticket/2002 cc_residual_is_used might not work correctly with dircache == Detailed Changelog == Jakub Hrozek (5): * Updating

[SSSD-users] Announcing SSSD 1.11 beta 2

2013-07-24 Thread Jakub Hrozek
hat contains the SSSD git checkout. Alexander Bokovoy (3): * build: fix dependencies for pysss module * pysss: add pysss.getgrouplist(username) * pysss: prevent crashing when group is unresolvable Jakub Hrozek (13): * Bumping the version for the 1.11 beta2 release * L

Re: [SSSD-users] Not finding /usr/lib64/libsss_sudo.so on RHEL V6.4

2013-07-24 Thread Jakub Hrozek
On Wed, Jul 24, 2013 at 06:41:38PM +, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote: > Ok...that did it. > > I installed libsss_sudo-1.9.2-82.el6.x86_64.rpm on two different RHEL V6.4 > systems and now sudo > is working through sssd and our ldap server. > > But I am not findi

Re: [SSSD-users] Not finding /usr/lib64/libsss_sudo.so on RHEL V6.4

2013-07-24 Thread Jakub Hrozek
On Wed, Jul 24, 2013 at 07:11:28PM -0400, Dmitri Pal wrote: > On 07/24/2013 03:41 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network > Support) wrote: > > Thanks Jakob, > > > > I suspect I'll have at least one unhappy customer if they can't upgrade. > > > > Should we not be able to use sudo with sss

Re: [SSSD-users] Not finding /usr/lib64/libsss_sudo.so on RHEL V6.4

2013-07-25 Thread Jakub Hrozek
On Thu, Jul 25, 2013 at 03:22:20PM +, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote: > Thanks very much. I'm not sure what AFAIR is but I got this working in RHEL > V6.3 by reenabling > sssd for authentication and then using /etc/sudo-ldap.conf for the sudo > component. > >

Re: [SSSD-users] Not finding /usr/lib64/libsss_sudo.so on RHEL V6.4

2013-07-25 Thread Jakub Hrozek
On Thu, Jul 25, 2013 at 06:01:09PM +, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote: > Is that to say that when using this under RHEL v6.3 in which we use sssd to > authenticate the user > and then /etc/sudo-ldap.conf to affect the sudo commands, there is no caching > ? There

Re: [SSSD-users] Not finding /usr/lib64/libsss_sudo.so on RHEL V6.4

2013-07-29 Thread Jakub Hrozek
On Sat, Jul 27, 2013 at 08:18:59PM +, Ondrej Valousek wrote: > Quick note: > Maybe there is a time to update "man nsswitch.conf", too. > Ondrej > Not sure. man nsswitch.conf is part of glibc and so is the code for the maps handled by name-service-switch (group, passwd, netgroups, ...) Some t

Re: [SSSD-users] kinit: Cannot find KDC...

2013-07-30 Thread Jakub Hrozek
On Tue, Jul 30, 2013 at 11:41:41AM +, Bryan Harris wrote: > Hi all, > > I've followed the sssd page for connecting RHEL 6 to a Windows 2008 for > authentication.  It works on all our servers except one, and I'm getting > confused.  I've even gone as far as to clone a working VM and rename, g

Re: [SSSD-users] Use LDAPs for *_provider = ad

2013-07-30 Thread Jakub Hrozek
On Tue, Jul 30, 2013 at 11:53:34AM -0400, Chris Hartman wrote: > Ah. It appears I now have a reason to perform SASL binds over LDAPS. My > Active Directory guys are complaining; they say the AD server is throwing > errors that some clients are performing unsigned SASL binds. When signing > is requi

Re: [SSSD-users] Using SSSD with Samab4 DC

2013-08-01 Thread Jakub Hrozek
On Wed, Jul 31, 2013 at 09:30:42PM +0100, Chris Hayes wrote: > Hi Rowland, > > Thanks for your advice. I've implemented the configuration that you > suggested, changing it to match my domain. > > Still not having any luck though; here's the log (tailing it in the > background) for when I run the

Re: [SSSD-users] Use of TLS security certificates in sssd for ldap authentication ?

2013-08-02 Thread Jakub Hrozek
On Thu, Aug 01, 2013 at 08:04:46PM +, Licause, Al (CSC AMS BCS - UNIX/Linux Network Support) wrote: > > > Al Licause > HP L2 UNIX Network Services > HP Customer Support Center > Hours 7am-3pm Pacific time USA > Manager: tom.cerni...@hp.com > > > -Original Message- > From: sssd-user

Re: [SSSD-users] Fwd: Use LDAPs for *_provider = ad

2013-08-02 Thread Jakub Hrozek
On Tue, Jul 30, 2013 at 06:46:22PM -0400, Simo Sorce wrote: > On Tue, 2013-07-30 at 16:42 -0400, Chris Hartman wrote: > > On Tue, Jul 30, 2013 at 4:24 PM, Dmitri Pal wrote: > > MSFT is just paranoid about it. > > > > > > While you may be right, I think that an "ad" provider in SSSD impli

Re: [SSSD-users] Fwd: Use LDAPs for *_provider = ad

2013-08-06 Thread Jakub Hrozek
On Mon, Aug 05, 2013 at 12:11:44PM -0400, Chris Hartman wrote: > I've got a fully updated Fedora 19 system up and running. I've got > authentication working identically to the rest of the domain. > > [root@sssd ~]# uname -a > > Linux sssd.domain.local 3.10.4-300.fc19.x86_64 #1 SMP Tue Jul 30 11:29

Re: [SSSD-users] Fwd: Use LDAPs for *_provider = ad

2013-08-06 Thread Jakub Hrozek
On Tue, Aug 06, 2013 at 11:28:47AM -0400, Chris Hartman wrote: > On Tue, Aug 6, 2013 at 8:07 AM, Jakub Hrozek wrote: > > > Here are the F-19 test packages: > > http://koji.fedoraproject.org/koji/taskinfo?taskID=5783694 > > > > Success. The 64-bit packages wor

Re: [SSSD-users] Errors in auth.log

2013-08-06 Thread Jakub Hrozek
On Tue, Aug 06, 2013 at 05:07:40PM +0100, Rowland Penny wrote: > On 06/08/13 16:59, Terry Arter wrote: > >Hi Rowland, > > > >Thanks for the quick answer. I updated the computer and it made > >matters worst :) > > > >When doing: service sssd restart, I now get this error every few > >seconds. Before

Re: [SSSD-users] Fwd: Use LDAPs for *_provider = ad

2013-08-06 Thread Jakub Hrozek
On Tue, Aug 06, 2013 at 06:39:12PM +0200, Jakub Hrozek wrote: > On Tue, Aug 06, 2013 at 11:28:47AM -0400, Chris Hartman wrote: > > On Tue, Aug 6, 2013 at 8:07 AM, Jakub Hrozek wrote: > > > > > Here are the F-19 test packages: > > > http://koji.fedoraproject

Re: [SSSD-users] id_provider ad and ldap_filter issue

2013-08-08 Thread Jakub Hrozek
On Thu, Aug 08, 2013 at 12:45:31PM +0400, Vladimir Akhmarov wrote: > Hello, > > I have a strange problem using new "id_provider = ad" and "ldap_filter = > memberOf=cn=Linux Admins,OU=Common Groups,DC=example,DC=com" option. The > problem is that I always can log on to the system no matter the us

Re: [SSSD-users] Errors in auth.log

2013-08-08 Thread Jakub Hrozek
On Thu, Aug 08, 2013 at 12:50:41PM +0100, Terry Arter wrote: > Rowland, > > The server OS is Ubuntu with samba 4.0.7. > > However, using your config file as a base I was able to narrow > down the error. It seems that "ldap_disable_referrals = true" > was the problem line. I replaced this with "ld

Re: [SSSD-users] id_provider ad and ldap_filter issue

2013-08-08 Thread Jakub Hrozek
t@testlinux ~]# ssh domainuser@127.0.0.1 > domainuser@127.0.0.1's password: > Connection closed by 127.0.0.1 > > And again log files are attached > > > > > Best regards, > Vladimir Akhmarov > > On 08.08.2013, at 13:41, Jakub Hrozek wrote: > >

Re: [SSSD-users] id_provider ad and ldap_filter issue

2013-08-08 Thread Jakub Hrozek
On Thu, Aug 08, 2013 at 08:07:19PM +0400, Vladimir Akhmarov wrote: > Hi, Will > > I have already double checked and yes you are right. My mistake, not > "ldap_filter" just "ldap_access_filter" was right. I have checked my first > config with "id_provider = ad" with no luck. So GSSAPI + access_pr

Re: [SSSD-users] RHEL V6.4: nslcd need to start tls and ssl in a specific order

2013-08-18 Thread Jakub Hrozek
On Sat, 2013-08-17 at 07:32 -0400, Harry Sutton wrote: > On 08/16/2013 06:03 PM, Licause, Al (CSC AMS BCS - UNIX/Linux Network > Support) wrote: > > > I know this forum is about sssd, but I am working with a customer > > that cannot run sssd due to a > > > > configuration issue on their ldap serv

Re: [SSSD-users] Can't build SSSD on Ubuntu 12.04

2013-08-19 Thread Jakub Hrozek
On Mon, Aug 19, 2013 at 02:00:42PM -0400, Chris Hartman wrote: > Hi everyone, > > My apologies if this is a repost, but I botched the subject line and > thought it best to re-send. > > I'm trying to build SSSD 1.10.1 for Ubuntu 12.04 i386 to gain AD dynamic > DNS update support. The PPA version 1

Re: [SSSD-users] ssh (sssd) ldap authentication problem

2013-08-22 Thread Jakub Hrozek
On Wed, Aug 21, 2013 at 02:25:20PM -0400, Stephen Gallagher wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 08/21/2013 02:25 PM, John Uhlig wrote: > > thanks for your prompt reply. I have attached the sssd-default > > logfile. > > > > The cacert dir has been rehashed using cacertd

Re: [SSSD-users] Phantom Group upon login

2013-08-23 Thread Jakub Hrozek
On Fri, Aug 09, 2013 at 12:31:01PM -0400, Chris Hartman wrote: > On Fri, Aug 9, 2013 at 11:47 AM, Lukas Slebodnik wrote: > > > Could you try to do same query with ldapsearch? (the first part is filter > > and > > the second one is search base. > > > > Sure can: > > > root@smarty:/etc/pu

[SSSD-users] Announcing SSSD 1.11.0

2013-08-28 Thread Jakub Hrozek
domains in single forest are supported" == Detailed changelog == Alexander Bokovoy (3): * build: fix dependencies for pysss module * pysss: add pysss.getgrouplist(username) * pysss: prevent crashing when group is unresolvable Jakub Hrozek (58): * Updating the version for the 1

Re: [SSSD-users] Announcing SSSD 1.11.0

2013-08-29 Thread Jakub Hrozek
On Thu, Aug 29, 2013 at 06:21:57AM +, Ondrej Valousek wrote: > Hi Jakub, > Does it mean that AD POSIX attributes are finally supported with IPA&AD trust? > Thanks, > Ondrej > Yes, with IPA 3.3 on the server side. We actually had a Fedora Test Day a while ago where the feature was tested (and

Re: [SSSD-users] Announcing SSSD 1.11.0

2013-08-29 Thread Jakub Hrozek
On Thu, Aug 29, 2013 at 10:13:20AM +, Ondrej Valousek wrote: > Perfect, > And where we can find a mature IPA 3.3 implementation? Fedora 19 or RHEL-7? > Thanks, > Ondrej > Both, actually.

Re: [SSSD-users] Announcing SSSD 1.11.0

2013-08-29 Thread Jakub Hrozek
On Thu, Aug 29, 2013 at 08:52:26AM -0400, Simo Sorce wrote: > On Thu, 2013-08-29 at 13:30 +0200, Jakub Hrozek wrote: > > On Thu, Aug 29, 2013 at 10:13:20AM +, Ondrej Valousek wrote: > > > Perfect, > > > And where we can find a mature IPA 3.3 implementation?

Re: [SSSD-users] [Freeipa-devel] [SSSD] FreeIPA on Debian

2013-09-02 Thread Jakub Hrozek
On Sun, Sep 01, 2013 at 09:20:30PM +0300, Timo Aaltonen wrote: > > 3) Someone needs to own packages in Debian and maintain them, someone > > with good knowledge of the distro and time to take ownership of about 50 > > packages. > > I'm doing this on my spare time, which has meant obvious delays in

Re: [SSSD-users] Kerberos DNS SRV records preference

2013-09-06 Thread Jakub Hrozek
On Fri, Sep 06, 2013 at 02:55:48PM +0200, Bolesław Tokarski wrote: > Hello, > > Can somebody confirm me the behaviour of SSSD (we're currently on > version 1.8.6, but will migrate to whatever comes in Ubuntu 14.04) with > regards to Kerberos DNS records? > > I mean, sssd series 1.8 did not have a
