sssd-users March 2017

sssd-users@lists.fedorahosted.org

29 participants
33 discussions

The SSSD project has migrated from fedorahosted.org to pagure.io

by Jakub Hrozek

Hi, because fedorahosted.org was sunset: https://lwn.net/Articles/711887/ we have migrated the SSSD project hosting to pagure.io: https://pagure.io/SSSD/sssd Currently we are in a bit of a flux in the sense that the git repo has been migrated: https://pagure.io/SSSD/sssd.git And the github mirror is fetching data from the canonical pagure repo. The bug tracker has been migrated: https://pagure.io/SSSD/sssd/roadmap the bug numbers are the same as they were in Trac and the trac issue links should redirect seamlesly. However, the wiki has not been migrated yet. The fedora project kindly agreed to keep the old wiki around until we migrate the text to pagure: https://fedorahosted.org/sssd/wiki We are working on migrating the wiki, but because we need to prioritize this work together with development, it might take a bit of time. Please report any issues you see with the new tracking system.

7 years, 1 month

2
1
0 / 0

AD failover and Kerberos

by michael＠hurts.ca

Hi, I'm in an environment with several AD sites, each with a DC. When remote sites' DCs are unreachable because of a VPN outage, I'm not able to complete password authentication with sudo. Does sssd_krb5_locator_plugin.so work with sssd-ad? Do I need to put anything in krb5.conf to activate it? I can see ldap_child is trying to connect on port 88 to all the wrong DCs when I enter a password in sudo. In the logs I see "[krb5_auth_done] (0x0100): Backend is marked offline, retry later!". I'm using sss_ssh_authorizedkeys to log in, so password authentication isn't involved until I sudo. To get this far I had to set dns_resolver_timeout = 30 under [domain/mydomain] in sssd.conf. Before that, AD site discovery was failing; it would look up the DCs, time out after 6 seconds connecting to one of the remote DCs by LDAP, and mark the domain as offline. I also had to set ad_gpo_access_control = disabled; gpo_child was trying to connect to the wrong DCs on port 88. Thanks, Mike

7 years, 1 month

5
9
0 / 0

SSSD does not show group members using "getent group"

by Douglas Duckworth

Hello I am expericing the issue described in this article https://access.redhat.com/solutions/49876 though we already have ldap_group_member = uniqueMember defined in sssd.conf. User's primary group membership is shown by using getent user though getent group does not show group members. I though I was finished tuning sssd.conf though this became an issue yesterday. Members of this listserv have been extremely helpful and so I owe much of my progress to this great community. Anyway, I think the problem's with my schema. In LDAP I see: dn: ou=webgroups,base objectClass: organizationalUnit ou: webgroups dn: cn=groups,ou=webgroups,base objectClass: top objectClass: groupOfUniqueNames cn: blah uniqueMember: uid=blah This makes me think we're using rfc2307 though below this entry I see: dn: cn=gaussrun,ou=Group,base objectClass: posixGroup objectClass: top cn: blah gidNumber: gid memberUid: blah How can SSSD work with both memberUid and uniqueMember as well as different object classes for groups? I obviously inherited this LDAP server which we are replacing soon. Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 F: 212-746-8690

7 years, 1 month

1
1
0 / 0

← Newer
1
2
3
4
Older →

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

sssd-users March 2017