July 2018 - FreeIPA-users - Fedora mailing-lists

going level up, domain-wise - how?
by lejeczek 28 Jul '18

28 Jul '18

how guys, how do you go up, from a domain like: from.here to something like: up.from.here ? Do you set a separate IPA domain on separate server? If yes, how then do both domains work together? Do you somehow reconfigure current deployment? gee.. I'm really hopping in the dark here. Is such a scenario a topic covered somewhere in IPA docs(I failed to find)? many thanks, L.

2 2

Re: FreeIPA 4.6.3 on CentOS 7.5?
by Kyle Jarrett 27 Jul '18

27 Jul '18

I'll bump this, because Mr. Bokovoy mentioned here -> https://www.redhat.com/archives/freeipa-users/2016-December/msg00199.html that the "slapi-nis plugin does not support paged results control for the virtual subtree." and elaborated that they were working on rebasing it to another 389-ds instance on the back end. Compat ALMOST works for vCenter 6.5, but without the paged lookup, it dies. Any idea when this change might occur?

2 1

openLDAP to FreeIPA user migration
by Wim Vinckier 27 Jul '18

27 Jul '18

Hi, I'm trying to migrate our openldap users to freeipa by running ipa -v migrate-ds \ --bind-dn=cn=Administrator,dc=example,dc=com \ --user-container=ou=People,dc=example,dc=com \ --group-container=ou=Group,dc=example,dc=com \ --group-objectclass=posixGroup \ --user-objectclass=posixAccount \ --user-ignore-attribute=ldappublickey \ ldap://ldap.example.com:389 --schema=RFC2307bis \ --with-compat but I'm getting this error on each user: ysl: missing attribute "sn" required by object class "person" I found this thread which seems to have a solution but that solution doesn't work for me, I guess because I'm using the current docker version. https://www.redhat.com/archives/freeipa-users/2016-September/msg00016.html Is there anyone out there who could help me to apply the fix mentioned in the thread? Or is there anyone who has another solution? Kind regards, wim vinckier.

1 1

External AD Trust: Cannot get users/groups from AD
by Rene Trippen 27 Jul '18

27 Jul '18

Hi there, I´ve got a external trust established between the ipa server and a AD domain (child of parent) ipa trust-add --type=ad subdomain.main.corp.com --external=true Active Directory domain administrator: ipatrust0 Active Directory domain administrator's password: ------------------------------------------------------------------------- Added Active Directory trust for realm "subdomain.main.corp.com" ------------------------------------------------------------------------- Realm name: subdomain.main.corp.com Domain NetBIOS name: SUBDOMAIN Domain Security Identifier: S-1-5-21-653292258-51847207-622671684 Trust direction: Trusting forest Trust type: Non-transitive external trust to a domain in another Active Directory forest Trust status: Established and verified But, when I try to get users or groups from the AD, nothing is returned getent passwd user1(a)subdomain.main.corp.com -> nothing wbinfo -n "SUBDOMAIN\user1" failed to call wbcLookupName: WBC_ERR_DOMAIN_NOT_FOUND Could not lookup name SUBDOMAIN\user1 wbinfo -m BUILTIN IPA SUBDOMAIN ipa dns-update-system-records --dry-run IIPA DNS records: _kerberos-master._tcp.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com. _kerberos-master._udp.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com. _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com. _kerberos._tcp.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com. _kerberos._tcp.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com. _kerberos._udp.Default-First-Site-Name._sites.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com. _kerberos._udp.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com. _kerberos._udp.ipa.main.corp.com. 86400 IN SRV 0 100 88 ipa1.ipa.main.corp.com. _kerberos.ipa.main.corp.com. 86400 IN TXT "IPA.MAIN.CORP.COM" _kpasswd._tcp.ipa.main.corp.com. 86400 IN SRV 0 100 464 ipa1.ipa.main.corp.com. _kpasswd._udp.ipa.main.corp.com. 86400 IN SRV 0 100 464 ipa1.ipa.main.corp.com. _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 389 ipa1.ipa.main.corp.com. _ldap._tcp.dc._msdcs.ipa.main.corp.com. 86400 IN SRV 0 100 389 ipa1.ipa.main.corp.com. _ldap._tcp.ipa.main.corp.com. 86400 IN SRV 0 100 389 ipa1.ipa.main.corp.com. _ntp._udp.ipa.main.corp.com. 86400 IN SRV 0 100 123 ipa1.ipa.main.corp.com. ipa-ca.ipa.main.corp.com. 86400 IN A 10.1.17.123 The IPA server and the AD machines are in the same net, without firewall segemenatation The ADs are 2008R2 The IPA Server is a CentOS (latest), got following ipa version installed: ipa-common-4.5.4-10.el7.centos.3.noarch ipa-server-trust-ad-4.5.4-10.el7.centos.3.x86_64 ipa-client-4.5.4-10.el7.centos.3.x86_64 ipa-server-dns-4.5.4-10.el7.centos.3.noarch ipa-server-common-4.5.4-10.el7.centos.3.noarch ipa-client-common-4.5.4-10.el7.centos.3.noarch ipa-server-4.5.4-10.el7.centos.3.x86_64 I can provide you tons of logs, but I don´t know where to start. Best regards, Rene

3 3

How to investigate error "Cannot contact any KDC for realm" when it occured randomly ?
by lune voo 27 Jul '18

27 Jul '18

Hello everyone. I send you this mail because I have sometimes errors "Cannot contact any KDC for realm". When I retry it works fine. So this error is kind of random. I'm using Freeipa 3.0 in RHEL6.6 with sssd. I was wondering how to investigate this kind of error ? May I monitore some KPI from the KDC or check from logs ? Do you know which kind of logs I can check ? Thank you in advance for your help. Best regards. Lune

3 3

Can we install LDAP only
by michael_ly＠sina.cn 26 Jul '18

26 Jul '18

Dear, Can we only install LDAP related components, with Kerberos? How? Yuan

3 2

回复：Re: Can we install LDAP only
by michael_ly＠sina.cn 26 Jul '18

26 Jul '18

Thanks for your reminding. One more question, can we set the krb5.conf location to a different path? The default is /etc/krb5.conf, can we change it to a different path? ----- 原始邮件 ----- 发件人：Alexander Bokovoy via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org> 收件人：michael_ly(a)sina.cn, FreeIPA users list <freeipa-users(a)lists.fedorahosted.org> 抄送人：Alexander Bokovoy <abokovoy(a)redhat.com> 主题：[Freeipa-users] Re: Can we install LDAP only 日期：2018年07月26日 15点06分 On to, 26 heinä 2018, None via FreeIPA-users wrote: >Dear, > >Can we only install LDAP related components, with Kerberos? How? Do you mean you want LDAP server only? LDAP server with Kerberos KDC? LDAP server without Kerberos KDC? FreeIPA is an integrated solution, so you cannot install separate components alone. If you need LDAP only, FreeIPA is not a best solution to that. -- / Alexander Bokovoy Sr. Principal Software Engineer Security / Identity Management Engineering Red Hat Limited, Finland _______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahos…

2 1

sssd is going down and up and down and up and down and ... until it breaks
by Harald Dunkel 26 Jul '18

26 Jul '18

Hi folks, Apparently sssd goes down and up again and again. I found this in /var/log/daemon.log on our git server: Jul 23 18:02:08 git01 sssd[be[example.de]]: Shutting down Jul 23 18:02:08 git01 sssd[pam]: Shutting down Jul 23 18:02:08 git01 sssd[nss]: Shutting down Jul 23 18:02:09 git01 sssd[pam]: Starting up Jul 23 18:02:09 git01 sssd[nss]: Starting up Jul 23 18:02:09 git01 sssd[be[example.de]]: Starting up Jul 23 18:02:11 git01 sssd[nss]: Starting up Jul 23 18:02:11 git01 sssd[pam]: Starting up Jul 23 20:01:33 git01 sssd[nss]: Shutting down Jul 23 20:01:33 git01 sssd[pam]: Shutting down Jul 23 20:01:33 git01 sssd[be[example.de]]: Shutting down Jul 23 20:01:33 git01 sssd[nss]: Starting up Jul 23 20:01:33 git01 sssd[pam]: Starting up Jul 23 20:01:33 git01 sssd[be[example.de]]: Starting up Jul 23 20:01:35 git01 sssd[nss]: Starting up Jul 23 20:01:35 git01 sssd[pam]: Starting up Jul 23 20:02:44 git01 sssd[nss]: Shutting down Jul 23 20:02:44 git01 sssd[nss]: Starting up Jul 23 20:03:43 git01 sssd[nss]: Shutting down Jul 23 20:03:43 git01 sssd[pam]: Shutting down Jul 23 20:03:43 git01 sssd[nss]: Starting up Jul 23 20:03:43 git01 sssd[pam]: Starting up Jul 23 20:06:24 git01 sssd[be[example.de]]: Shutting down Jul 23 20:06:24 git01 sssd[be[example.de]]: Starting up Jul 23 20:07:34 git01 sssd[be[example.de]]: Shutting down Jul 23 20:07:37 git01 sssd[pam]: Shutting down Jul 23 20:07:37 git01 sssd[be[example.de]]: Starting up Jul 23 20:07:37 git01 sssd[pam]: Starting up Jul 23 20:07:37 git01 sssd[pam]: Starting up Jul 23 20:14:39 git01 sssd[pam]: Shutting down Jul 23 20:14:39 git01 sssd[be[example.de]]: Starting up Jul 23 20:14:39 git01 sssd[pam]: Starting up Jul 23 20:18:44 git01 sssd[be[example.de]]: Shutting down Jul 23 20:18:44 git01 sssd[pam]: Shutting down Jul 23 20:18:44 git01 sssd[be[example.de]]: Starting up Jul 23 20:18:44 git01 sssd[pam]: Starting up Jul 24 04:05:28 git01 sssd[pam]: Shutting down Jul 24 04:05:28 git01 sssd[pam]: Starting up Jul 24 05:21:53 git01 sssd[be[example.de]]: Shutting down Jul 24 05:21:53 git01 sssd[be[example.de]]: Starting up Jul 24 05:27:50 git01 sssd[pam]: Shutting down Jul 24 05:27:50 git01 sssd[pam]: Starting up Jul 24 05:27:50 git01 sssd[be[example.de]]: Starting up Jul 24 05:27:53 git01 sssd[pam]: Starting up Jul 24 05:30:31 git01 sssd[pam]: Shutting down Jul 24 05:30:31 git01 sssd[pam]: Starting up Jul 24 05:31:59 git01 sssd[nss]: Shutting down Jul 24 05:31:59 git01 sssd[pam]: Shutting down Jul 24 05:31:59 git01 sssd[nss]: Starting up Jul 24 05:31:59 git01 sssd[be[example.de]]: Shutting down Jul 24 05:31:59 git01 sssd[pam]: Starting up Jul 24 05:31:59 git01 sssd[be[example.de]]: Starting up Jul 24 05:32:01 git01 sssd[pam]: Starting up Jul 24 05:33:24 git01 sssd[pam]: Shutting down Jul 24 05:33:24 git01 sssd[pam]: Starting up Jul 24 05:33:24 git01 sssd[be[example.de]]: Starting up Jul 24 06:01:38 git01 sssd[pam]: Shutting down Jul 24 06:01:38 git01 sssd[be[example.de]]: Starting up Jul 24 06:01:38 git01 sssd[pam]: Starting up Jul 24 06:02:39 git01 sssd[be[example.de]]: Shutting down Jul 24 06:02:39 git01 sssd[be[example.de]]: Starting up Jul 24 09:56:52 git01 sssd[pam]: Shutting down Jul 24 09:56:52 git01 sssd[pam]: Starting up Jul 24 10:02:42 git01 sssd[nss]: Shutting down Jul 24 10:02:42 git01 sssd[pam]: Shutting down Jul 24 10:02:42 git01 sssd[nss]: Starting up Jul 24 10:02:42 git01 sssd[pam]: Starting up Jul 24 10:02:42 git01 sssd[nss]: Shutting down Jul 24 10:02:42 git01 sssd[pam]: Shutting down Jul 24 10:02:42 git01 sssd[nss]: Starting up Jul 24 10:02:42 git01 sssd[pam]: Starting up Jul 24 10:02:42 git01 sssd[be[example.de]]: Shutting down Jul 24 10:02:42 git01 sssd[be[example.de]]: Starting up Jul 24 10:06:14 git01 sssd[be[example.de]]: Shutting down Jul 24 10:06:14 git01 sssd[nss]: Shutting down Jul 24 10:06:14 git01 sssd[nss]: Starting up Jul 24 10:06:14 git01 sssd[be[example.de]]: Starting up Jul 24 10:06:14 git01 sssd[nss]: Starting up Jul 24 10:15:49 git01 sssd[be[example.de]]: Shutting down Jul 24 10:15:49 git01 sssd[be[example.de]]: Starting up Jul 24 10:16:44 git01 sssd[be[example.de]]: Shutting down Jul 24 10:17:00 git01 sssd[pam]: Shutting down Jul 24 10:17:00 git01 sssd[pam]: Starting up Jul 24 10:17:00 git01 sssd[be[example.de]]: Starting up Jul 24 10:17:00 git01 sssd[pam]: Starting up Jul 24 10:18:48 git01 sssd[pam]: Shutting down Jul 24 10:18:48 git01 sssd[pam]: Starting up Jul 24 10:19:43 git01 sssd[be[example.de]]: Shutting down Jul 24 10:19:43 git01 sssd[be[example.de]]: Starting up Jul 24 10:20:32 git01 sssd[pam]: Shutting down Jul 24 10:20:32 git01 sssd[pam]: Starting up Jul 24 10:21:12 git01 sssd[be[example.de]]: Shutting down Jul 24 10:21:15 git01 sssd[be[example.de]]: Starting up Jul 24 10:27:11 git01 sssd[be[example.de]]: Shutting down Jul 24 10:27:11 git01 sssd[pam]: Shutting down Jul 24 10:27:11 git01 sssd[pam]: Starting up Jul 24 10:27:11 git01 sssd[be[example.de]]: Starting up Jul 24 10:27:13 git01 sssd[pam]: Starting up Jul 24 10:30:03 git01 sssd[be[example.de]]: Shutting down Jul 24 10:30:03 git01 sssd[be[example.de]]: Starting up Jul 24 10:42:31 git01 sssd[pam]: Shutting down Jul 24 10:42:31 git01 sssd[pam]: Starting up Jul 24 10:42:31 git01 sssd[be[example.de]]: Starting up Jul 24 10:54:45 git01 sssd[pam]: Shutting down Jul 24 10:54:45 git01 sssd[be[example.de]]: Shutting down Jul 24 10:54:45 git01 sssd[pam]: Starting up Jul 24 10:54:45 git01 sssd[be[example.de]]: Starting up Jul 24 10:54:47 git01 sssd[pam]: Starting up Jul 24 11:01:37 git01 sssd[be[example.de]]: Shutting down Jul 24 11:01:37 git01 sssd[be[example.de]]: Starting up Jul 24 11:04:09 git01 sssd[be[example.de]]: Shutting down Jul 24 11:04:09 git01 sssd[be[example.de]]: Starting up Jul 24 11:29:04 git01 sssd[be[example.de]]: Shutting down Jul 24 11:29:04 git01 sssd[be[example.de]]: Starting up Jul 24 11:31:29 git01 sssd[be[example.de]]: Shutting down Jul 24 11:31:29 git01 sssd[be[example.de]]: Starting up Jul 24 11:37:54 git01 sssd[be[example.de]]: Shutting down Jul 24 11:37:54 git01 sssd[be[example.de]]: Starting up Jul 24 11:39:35 git01 sssd[be[example.de]]: Shutting down Jul 24 11:39:43 git01 sssd[be[example.de]]: Starting up Jul 24 11:41:13 git01 sssd[be[example.de]]: Shutting down Jul 24 11:41:25 git01 sssd[be[example.de]]: Starting up Jul 24 11:41:25 git01 sssd[nss]: Shutting down Jul 24 11:41:25 git01 sssd[nss]: Starting up Jul 24 11:41:54 git01 [sssd[krb5_child[33646]]]: Preauthentication failed Jul 24 11:41:54 git01 [sssd[krb5_child[33646]]]: Preauthentication failed Jul 24 11:42:27 git01 sssd[nss]: Shutting down Jul 24 11:42:44 git01 sssd[nss]: Starting up Jul 24 11:42:46 git01 sssd[be[example.de]]: Shutting down Jul 24 11:42:46 git01 sssd[be[example.de]]: Starting up Jul 24 11:46:37 git01 sssd[pam]: Shutting down Jul 24 11:46:37 git01 sssd[pam]: Starting up Jul 24 11:48:33 git01 sssd[be[example.de]]: Shutting down Jul 24 11:48:36 git01 sssd[pam]: Shutting down Jul 24 11:48:36 git01 sssd[pam]: Starting up Jul 24 11:48:36 git01 sssd[be[example.de]]: Starting up Jul 24 11:48:36 git01 sssd[pam]: Starting up Jul 24 12:01:27 git01 sssd[pam]: Shutting down Jul 24 12:01:27 git01 sssd[be[example.de]]: Shutting down Jul 24 12:01:27 git01 sssd[pam]: Starting up Jul 24 12:01:27 git01 sssd[be[example.de]]: Starting up Jul 24 12:01:29 git01 sssd[pam]: Starting up Jul 25 12:01:35 git01 sssd[pam]: Shutting down Jul 25 12:01:35 git01 sssd[pam]: Starting up Jul 25 18:03:58 git01 systemd[1]: sssd.service: Main process exited, code=exited, status=1/FAILURE Jul 25 18:03:58 git01 systemd[1]: sssd.service: Unit entered failed state. Jul 25 18:03:58 git01 systemd[1]: sssd.service: Failed with result 'exit-code'. Jul 25 18:03:58 git01 sssd[be[example.de]]: Shutting down Jul 25 18:03:58 git01 sssd[nss]: Shutting down Jul 25 18:03:58 git01 sssd[nss]: Starting up Jul 25 18:03:58 git01 sssd[nss]: Starting up Jul 25 18:03:58 git01 sssd[nss]: Starting up Jul 25 18:03:58 git01 sssd: Exiting the SSSD. Could not restart critical service [nss]. Jul 25 18:03:58 git01 sssd[be[example.de]]: Starting up Jul 25 18:03:58 git01 sssd[be[example.de]]: Shutting down Jul 25 18:03:58 git01 sssd[pam]: Shutting down Jul 25 18:03:58 git01 sssd[pac]: Shutting down Jul 25 18:15:32 git01 sssd: Starting up Jul 25 18:15:32 git01 sssd[be[example.de]]: Starting up Jul 25 18:15:32 git01 sssd[pam]: Starting up Jul 25 18:15:32 git01 sssd[nss]: Starting up Jul 25 18:15:32 git01 sssd[pac]: Starting up Jul 26 10:25:16 git01 sssd[be[example.de]]: Shutting down Jul 26 10:25:16 git01 sssd[pam]: Shutting down Jul 26 10:25:16 git01 sssd[nss]: Shutting down Jul 26 10:25:16 git01 sssd[pac]: Shutting down Jul 26 10:25:16 git01 sssd: Starting up Jul 26 10:25:16 git01 sssd[be[example.de]]: Starting up Jul 26 10:25:17 git01 sssd[pam]: Starting up Jul 26 10:25:17 git01 sssd[nss]: Starting up Jul 26 10:25:17 git01 sssd[pac]: Starting up I wonder why it doesn't keep on running? Why did it fail completely at 18:03? This triggered an emergency and had to be resolved manually. The journal shows Jul 25 18:02:46 git01.ac.example.de systemd[1]: sssd.service: Main process exited, code=exited, status=1/FAILURE Jul 25 18:02:46 git01.ac.example.de systemd[1]: sssd.service: Unit entered failed state. Jul 25 18:02:46 git01.ac.example.de systemd[1]: sssd.service: Failed with result 'exit-code'. Jul 25 18:01:52 git01.ac.example.de sssd[be[43718]: Shutting down Jul 25 18:01:52 git01.ac.example.de sssd[33790]: Shutting down Jul 25 18:01:56 git01.ac.example.de sssd[100999]: Starting up Jul 25 18:01:58 git01.ac.example.de sssd[101071]: Starting up Jul 25 18:02:02 git01.ac.example.de sssd[101163]: Starting up Jul 25 18:02:45 git01.ac.example.de sssd[73]: Exiting the SSSD. Could not restart critical service [nss]. Jul 25 18:02:45 git01.ac.example.de sssd[be[101036]: Starting up Jul 25 18:02:45 git01.ac.example.de sssd[be[101036]: Shutting down Jul 25 18:02:45 git01.ac.example.de sssd[75226]: Shutting down Jul 25 18:02:45 git01.ac.example.de sssd[134]: Shutting down Jul 25 18:03:00 git01.ac.example.de sshd[101666]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:03:00 git01.ac.example.de sshd[101683]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:03:00 git01.ac.example.de sshd[101682]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:03:00 git01.ac.example.de sshd[101684]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:03:00 git01.ac.example.de sshd[101690]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:03:00 git01.ac.example.de sshd[101689]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:03:00 git01.ac.example.de sshd[101691]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:03:00 git01.ac.example.de sshd[101688]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:03:00 git01.ac.example.de sshd[101696]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:04:00 git01.ac.example.de sshd[102433]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:04:00 git01.ac.example.de sshd[102432]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:04:00 git01.ac.example.de sshd[102431]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:04:00 git01.ac.example.de sshd[102437]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:05:00 git01.ac.example.de sshd[103008]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:05:00 git01.ac.example.de sshd[103007]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:05:00 git01.ac.example.de sshd[103009]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:05:00 git01.ac.example.de sshd[103032]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:05:00 git01.ac.example.de sshd[103031]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:05:00 git01.ac.example.de sshd[103030]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:05:00 git01.ac.example.de sshd[103036]: pam_sss(sshd:account): Request to sssd failed. Connection refused Jul 25 18:06:28 git01.ac.example.de sshd[103823]: pam_sss(sshd:auth): Request to sssd failed. Connection refused Jul 25 18:06:36 git01.ac.example.de sshd[103823]: pam_sss(sshd:auth): Request to sssd failed. Connection refused Jul 25 18:08:11 git01.ac.example.de sshd[105080]: pam_sss(sshd:auth): Request to sssd failed. Connection refused Jul 25 18:08:24 git01.ac.example.de sshd[105182]: pam_sss(sshd:auth): Request to sssd failed. Connection refused Jul 25 18:08:38 git01.ac.example.de sshd[105365]: pam_sss(sshd:auth): Request to sssd failed. Connection refused Jul 25 18:10:50 git01.ac.example.de sshd[106920]: pam_sss(sshd:auth): Request to sssd failed. Connection refused Jul 25 18:15:32 git01.ac.example.de sssd[110413]: Starting up Jul 25 18:15:32 git01.ac.example.de sssd[be[110415]: Starting up Jul 25 18:15:32 git01.ac.example.de sssd[110418]: Starting up Jul 25 18:15:32 git01.ac.example.de sssd[110417]: Starting up Jul 25 18:15:32 git01.ac.example.de sssd_be[110415]: GSSAPI client step 1 Jul 25 18:15:32 git01.ac.example.de sssd_be[110415]: GSSAPI client step 1 Jul 25 18:15:32 git01.ac.example.de sssd[110419]: Starting up Jul 25 18:15:32 git01.ac.example.de sssd_be[110415]: GSSAPI client step 1 Jul 25 18:15:32 git01.ac.example.de sssd_be[110415]: GSSAPI client step 2 Jul 25 18:30:42 git01.ac.example.de sssd_be[110415]: GSSAPI client step 1 sssd doesn't write critical errors into its log files by default :-(. There is no information about this in /var/log/sssd. Of course I have increased verbosity now. This was sssd version 1.15.2 on Debian 9. I have upgraded the system to sssd 1.16.1. Every helpful comment is highly appreciated. Harri

2 1

Re: AD and IPA integration
by Николай Савельев 26 Jul '18

26 Jul '18

> From: Jakub Hrozek <jhrozek(a)redhat.com> > > Are you sure sssd is not logging you offline? > > sssctl domain-status can tell you the status of the domains.. > > ------------------------------ Yes, I sure. I tried to login in ipa server and client. I could with old password, but coludn't with new. sssctl domain-status start-line.local Online status: Online Active servers: AD Global Catalog: ad.start-line.local AD Domain Controller: ad2.start-line.local IPA: dc.fs.lan Discovered AD Global Catalog servers: - ad.start-line.local - ad2.start-line.local Discovered AD Domain Controller servers: - ad2.start-line.local - ad.start-line.local Discovered IPA servers: - dc.fs.lan -- С уважением, Николай.

3 9

Can see AD Users on the FreeIPA Server itself, but not on connected client
by tolotos＠gmail.com 25 Jul '18

25 Jul '18

Hi, we have a setup with a Forest Trust to an AD Domain. Everything looks good on the FreeIPA Servers itself. We can see User information if we do "getent passwd user(a)ad.domain" or "id user(a)ad.domain" or "sssctl user-checks user(a)ad.domain". But on a connected client, we get only the user of the ipa domain and no user information on ad user. In the logs, we found no obvious error. The only thing we see in sssd.log is: (Tue Jul 10 16:19:27 2018) [sssd[be[ipa.domain]]] [delayed_online_authentication_callback] (0x0200): Backend is online, starting delayed online authentication. (Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [dp_get_account_info_handler] (0x0200): Got request for [0x1][BE_REQ_USER][name=user(a)ad.domain] (Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [ipa_s2n_exop_done] (0x0040): ldap_extended_operation result: No such object(32), (null). (Tue Jul 10 16:19:28 2018) [sssd[be[ipa.domain]]] [ipa_s2n_get_user_done] (0x0040): s2n exop request failed. Best Regards, Axel

3 13

2024

2023

2022

2021

2020

2019

2018

2017

FreeIPA-users July 2018