Enumerate users from external group from AD trust
by Bolke de Bruin
Hello,
I have sssd 1.13.00 working against FreeIPA 4.2 domain. This domain has a trust relationship with an Active Directory domain.
One of the systems we are using requires to enumerate all users in groups by (unfortunate) design (Apache Ranger). This is done by using
“getent group”. During this enumeration the full user list for a group that has a nested external member group* is not always returned so we thought to
add “getent group mygroup” in order to get more details. Unfortunately this does not seem to work consistently: sometimes this gives information, sometimes it does not:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
[root@master centos]# id bolke@ad.local
UID=1796201107(bolke@ad.local) GID=1796201107(bolke@ad.local) groepen=1796201107(bolke@ad.local),1796200513(domain users@ad.local),1796201108(test@ad.local)
[root@master centos]# getent group ad_users
ad_users:*:1950000004:bolke@ad.local
If I clear the cache (sss_cache -E) the entry is gone again:
[root@master centos]# getent group ad_users
ad_users:*:1950000004:
My question is how do I get sssd to enumerate *all users* in a group consistently?
Thanks!
Bolke
* https://docs.fedoraproject.org/en-US/Fedora/18/html/FreeIPA_Guide/trust-g...
4 years
'no primary group ID provided' when trying to use ldap mode against AD
by Daniel Hermans
Hi,
I'd like to use sssd in ldap mode against Active Directory so I have defined:
id_provider = ldap
auth_provider = ldap
Yes, krb5 would be better, but I only have a BIND account and cannot add computer objects.
This 'should' be possible - it works with nslcd. As I don't have Posix attributes I'm using:
ldap_id_mapping = true
fallback_homedir = /home/%d/%u
default_shell = /bin/bash
sssd can bind with LDAPS and can seem to get user info from the domain:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_parse_entry] (0x1000): OriginalDN: [CN=Some User,OU=Admin Accounts,DC=dev,DC=somedomain,DC=com].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_result] (0x2000): Trace: sh[0x7f5d15fbc030], connected[1], ops[0x7f5d1639d140], ldap[0x7f5d15fb5cd0]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_op_destructor] (0x2000): Operation 3 finished
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_search_user_process] (0x0400): Search for users, returned 1 results.
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_search_user_process] (0x4000): Retrieved total 1 users
The UID mapping seems to succeed:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [ldb] (0x4000): start ldb transaction (nesting: 0)
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): Save user
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x4000): Failed to retrieve UUID [2][No such file or directory].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): SID S-1-5-21-3970895924-989261097-3267629119-1443 does not belong to any known domain
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_primary_name] (0x0400): Processing object someuser
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): Processing user someuser
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x1000): Mapping user [someuser] objectSID [S-1-5-21-3970895924-989261097-3267629119-1443] to unix ID
But it gets no further with this message:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_get_idmap_primary_gid] (0x0080): no primary group ID provided
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0020): Cannot get the GID for [someuser] in domain [extdev].
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0020): Failed to save user [someuser]
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_users] (0x0040): Failed to store user 0. Ignoring.
Have tried against two different domains with identical result (one a cleanly installed 2012R2 domain).
Any ideas what I'm doing wrong? Is this possible? Various (old) posts suggests it is.
This was first (incorrectly) posted to sssd-devel, Jakub Hrozek updated and told me to define ldap_idmap_default_domain_sid so sssd no longer reports this:
(Fri Aug 26 13:34:10 2016) [sssd[be[dev]]] [sdap_save_user] (0x0400): SID S-1-5-21-3970895924-989261097-3267629119-1443 does not belong to any known domain
Thanks in advance!!
6 years, 7 months
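With ldap_id_mapping = true the UID is derived from the RID at the end of objectSID, and the primary GID from the domain SID plus the entry's primary group RID, which is why a missing primary group stops the save in the log above. The following is an added example, not code from the poster or from SSSD: the slice base is passed in as an assumption (SSSD picks the slice from the domain SID itself), primaryGroupID as the attribute name and the value 513 are assumptions, and map_user, encode_sid and decode_sid are hypothetical helpers.

```python
import struct

RANGE_SIZE = 200000  # default ldap_idmap_range_size

def encode_sid(sid):
    """Build the binary objectSid form; used here only to construct sample input."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    return (bytes([int(parts[1]), len(subs)])
            + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def decode_sid(raw):
    """Decode binary objectSid: revision, sub-authority count, 48-bit big-endian
    authority, then `count` 32-bit little-endian sub-authorities."""
    if len(raw) < 8 or raw[0] != 1 or raw[1] > 15 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed objectSid")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack("<%dI" % raw[1], raw[8:])
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def map_user(entry, slice_base):
    """Map one AD user entry to a UID and primary GID inside a single idmap slice.

    slice_base is the first unix ID of the slice assigned to the user's domain
    (assumption: supplied by the caller instead of being computed from the SID).
    """
    sid = decode_sid(entry["objectSid"])
    domain_sid, _, rid = sid.rpartition("-")
    pgid = entry.get("primaryGroupID")
    if pgid is None:
        # Without the primary group RID there is no SID to map to a GID.
        raise LookupError("no primary group ID provided")
    if int(rid) >= RANGE_SIZE or int(pgid) >= RANGE_SIZE:
        raise ValueError("RID does not fit in the slice")
    return {
        "sid": sid,
        "domain_sid": domain_sid,  # candidate for ldap_idmap_default_domain_sid
        "uid": slice_base + int(rid),
        "primary_group_sid": "%s-%s" % (domain_sid, pgid),
        "gid": slice_base + int(pgid),
    }

# SID taken from the log in the post; the other values are constructed.
SAMPLE_SID = "S-1-5-21-3970895924-989261097-3267629119-1443"
SAMPLE_ENTRY = {"objectSid": encode_sid(SAMPLE_SID), "primaryGroupID": "513"}
SLICE_BASE = 200000  # constructed: slice 0 at the default ldap_idmap_range_min

if __name__ == "__main__":
    for key, value in map_user(SAMPLE_ENTRY, SLICE_BASE).items():
        print(key, "=", value)
```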
sssd monitor_quit_signal - causes? No matching domain found for [root], fail!
by Richard Collins
Running Red Hat Enterprise Linux Server release 6.5 (Santiago) - 2.6.32-431.el6.x86_64
SSSD version: sssd-1.13.3-22.el6_8.4.x86_64
I'm seeing (seemingly random?) shutdown/termination of sssd across multiple nodes, all with the same configuration. To my knowledge there is no process going around killing things, we even have a scheduled job to check sssd status and restart every 5 minutes if unavailable:
/var/log/sssd/sssd.log:284469:(Mon Sep 26 12:21:29 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
/var/log/sssd/sssd.log:318707:(Mon Sep 26 16:19:19 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
/var/log/sssd/sssd.log:321889:(Mon Sep 26 16:43:12 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
/var/log/sssd/sssd.log:474327:(Tue Sep 27 10:29:39 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
/var/log/sssd/sssd.log:475205:(Tue Sep 27 10:34:36 2016) [sssd] [monitor_quit_signal] (0x2000): Received shutdown command
Right before each shutdown, there are lots of the following nss_cmd_getbynam and sss_ncache_check_str entries for 'root' in sssd_nss.log:
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [38][SSS_NSS_INITGR] with input [root].
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [root] from [<ALL>]
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/MYDOMAIN/root]
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0400): User [root] does not exist in [MYDOMAIN]! (negative cache)
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [nss_cmd_initgroups_search] (0x0080): No matching domain found for [root], fail!
(Mon Sep 26 16:43:11 2016) [sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0xf7e120][24]
(Mon Sep 26 16:43:12 2016) [sssd[nss]] [sss_responder_ctx_destructor] (0x0400): Responder is being shut down
(Mon Sep 26 16:43:12 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xf7e120][24]
(Mon Sep 26 16:43:12 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xf840e0][23]
(Mon Sep 26 16:43:12 2016) [sssd[nss]] [client_destructor] (0x2000): Terminated client [0xf7b500][22]
Corresponding AD log for same period:
(Mon Sep 26 16:43:10 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x4000): dbus conn: 0x142aa90
(Mon Sep 26 16:43:10 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x4000): Dispatching.
(Mon Sep 26 16:43:10 2016) [sssd[be[MYDOMAIN]]] [sbus_message_handler] (0x2000): Received SBUS method org.freedesktop.sssd.service.ping on path /org/freedesktop/sssd/service
(Mon Sep 26 16:43:10 2016) [sssd[be[MYDOMAIN]]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x1440c50/0x143e080
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x1440c50/0x143e030
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x4000): dbus conn: 0x143eb00
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [be_client_destructor] (0x0400): Removed SUDO client
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x1444030/0x14420b0
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x1444030/0x1442060
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x4000): dbus conn: 0x1443250
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [be_client_destructor] (0x0400): Removed PAM client
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x143d070/0x142c0d0
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x143d070/0x142aeb0
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x4000): dbus conn: 0x143c570
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_dispatch] (0x0080): Connection is not open for dispatching.
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [be_client_destructor] (0x0400): Removed NSS client
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [be_ptask_destructor] (0x0400): Terminating periodic task [SUDO Smart Refresh]
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [be_ptask_destructor] (0x0400): Terminating periodic task [SUDO Full Refresh]
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sdap_handle_release] (0x2000): Trace: sh[0x14f9ff0], connected[1], ops[(nil)], ldap[0x1449c10], destructor_lock[0], release_memory[0]
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [remove_connection_callback] (0x4000): Successfully removed connection callback.
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [sbus_remove_watch] (0x2000): 0x142f250/0x1417480
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [remove_socket_symlink] (0x4000): The symlink points to [/var/lib/sss/pipes/private/sbus-dp_MYDOMAIN.11328]
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [remove_socket_symlink] (0x4000): The path including our pid is [/var/lib/sss/pipes/private/sbus-dp_MYDOMAIN.11328]
(Mon Sep 26 16:43:12 2016) [sssd[be[MYDOMAIN]]] [remove_socket_symlink] (0x4000): Removed the symlink
AD controllers are WIN2012R2
SSSD is configured with a single domain (MYDOMAIN)
######begin sssd.conf (redacted)#####
[sssd]
config_file_version = 2
services = nss, pam, sudo
domains = MYDOMAIN
debug_level = 9
[nss]
default_shell = /bin/bash
debug_level = 9
filter_users = root
filter_groups = root
[pam]
debug_level = 9
[sudo]
debug_level = 9
[domain/MYDOMAIN]
id_provider = ldap
access_provider = simple
cache_credentials = false
debug_level = 9
ldap_server = _srv_
ldap_search_base = #########
ldap_id_use_start_tls = true
ldap_tls_reqcert = allow
ldap_default_bind_dn = #########
ldap_default_authtok_type = password
ldap_default_authtok = #########
ldap_user_search_base = ou=BusinessUnits,dc=mydomain
ldap_user_object_class = user
ldap_id_mapping = true
ldap_schema = ad
ldap_group_search_base = #########
ldap_group_object_class = group
ldap_referrals = false
enumerate = false
override_homedir = /export/home/%u
ldap_group_nesting_level = 5
ldap_use_tokengroups = false
simple_allow_groups = sasi,sasadmin,sasmgt
ldap_access_order = expire
ldap_account_expire_policy = ad
######end sssd.conf#####
7 years
Question about AD authentication and trusts
by Guy Knights
Hi,
Can anyone confirm for me if SSSD supports authentication of users
belonging to a trusted domain via an AD controller in the trusting domain?
i.e. A user attempts to log in as fred@test1.example.com on a client machine
running SSSD, where SSSD has joined a domain test2.example.com and there is
a 2-way forest trust between both domains. Is this supported? I've been
trying to do so and so far it hasn't been working.
For the record, my setup is:
AD controller domain test1: Windows server 2012 R2
AD controller domain test2: Windows server 2012 R2
Ubuntu 14.04 client running SSSD 1.12.5
Thanks,
Guy
7 years
full_name_format and supplemental groups
by Orion Poplawski
Running IPA with an AD trust. Users are in AD. Trying to use
full_name_format = %1$s to strip the domain from user names. This appears to
break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion@ad.nwra.com
uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com)
groups=470202603(orion@ad.nwra.com),470200513(domain
users@ad.nwra.com),470204703(pirep rd users@ad.nwra.com),470204714(wireless
access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder@ad.nwra.com),470207608(heimdall
users@ad.nwra.com),470200512(domain admins@ad.nwra.com),470207124(andreas
admins@ad.nwra.com)
With:
# id orion@ad.nwra.com
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion
uid=470202603(orion) gid=470202603(orion)
groups=470202603(orion),470200512(domain admins),470207608(heimdall
users),470204714(wireless
access),470204715(nwra-users),470204701(boulder),470204703(pirep rd
users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on
to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s
and default_domain_suffix = ad.nwra.com):
# id orion@ad.nwra.com
id: orion@ad.nwra.com: no such user
# id orion
id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched.
If I reset the server back to normal (drop full_name_format and
default_domain_suffix):
# id orion
uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member]
(0x0400): Error: 2 (No such file or directory)
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex]
(0x0020): Could not add member [orion] to group [name=domain
admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is it trying "cn=groups,cn=nwra.com,cn=sysdb" instead of
"cn=groups,cn=ad.nwra.com,cn=sysdb"?
--
Orion Poplawski
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 http://www.nwra.com
7 years, 1 month
sssd_be[30807]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied after upgrading packages
by Steffen Knauf
Hello,
After upgrading the sssd package from 1.13.0-40.el7_2.1 to 1.13.0-40.el7_2.9 and upgrading the cyrus-sasl packages from 2.1.26-19.2.el7 to 2.1.26-20.el7_2
I got the following message after restarting sssd:
sssd_be[30849]: ldapdb_canonuser_plug_init() failed in sasl_canonuser_add_plugin(): invalid parameter supplied
sssd_be[30849]: _sasl_plugin_load failed on sasl_canonuser_init for plugin: ldapdb
I didn't change any configuration in sssd.conf or saslauthd.conf.
Setting the relevant debug_level = 9 in sssd.conf doesn't help, so perhaps someone can give me a hint?
greets
Steffen
7 years, 2 months
Using proxy for id_provider and ldap for auth_provider against AD
by Speagle, Andy
Hi Folks,
I'm attempting to create a configuration whereby Active Directory is used via LDAP only to authenticate ONLY local users via a proxy id_provider using local files... this was the configuration that I was attempting:
[sssd]
config_file_version = 2
domains = <domain>
services = nss, pam
[nss]
[pam]
[domain/<domain>]
debug_level = 9
id_provider = proxy
auth_provider = ldap
proxy_lib_name = files
cache_credentials = true
ldap_uri = <list,of,domain,controllers>
ldap_id_use_start_tls = true
ldap_tls_reqcert = allow
ldap_default_bind_dn = <bind account>
ldap_default_authtok = <bind sekrit>
ldap_schema = ad
ldap_search_base = <search base>
--
It seems to be finding my entry just fine in /etc/passwd... but, it seems to be unable to perform the LDAP search... as I get back these sanitized results... showing that it can't find my user object... for some reason...
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_search_user_next_base] (0x0400): Searching for users with base [<base>]
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=<myuser>)(objectclass=user))][<base>].
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectclass]
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 2
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_process_result] (0x2000): Trace: sh[0xf49a70], connected[1], ops[0xf49400], ldap[0xf45cc0]
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_process_result] (0x2000): Trace: ldap_result found nothing!
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_process_result] (0x2000): Trace: sh[0xf49a70], connected[1], ops[0xf49400], ldap[0xf45cc0]
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_process_message] (0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_get_generic_ext_done] (0x0400): Search result: Operations error(1), 000004DC: LdapErr: DSID-0C090752, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_get_generic_ext_done] (0x0040): Unexpected result from ldap: Operations error(1), 000004DC: LdapErr: DSID-0C090752, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
(Thu Sep 22 16:12:39 2016) [sssd[be[<domain>]]] [sdap_get_generic_done] (0x0100): sdap_get_generic_ext_recv failed [5]: Input/output error
--
If I perform a manual ldapsearch ... using the parameters indicated in the "ldap_search_ext" call ... it works just fine. I've checked in the logs and I see that it marks the connection to the domain controller as "working" ... so, I'm not sure why sssd complains that a successful bind must be completed... that seems to have happened already...
I'm running sssd version 1.11.7 ...
Any ideas, folks?
Thanks,
Andy Speagle
7 years, 2 months
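Both the configuration in this post and the one in the "sssd monitor_quit_signal" post set ldap_tls_reqcert = allow, under which the LDAP session proceeds even when the server certificate fails verification, and both carry a bind secret in sssd.conf. The check below is an added example, not from either poster or the SSSD project; the sample configuration, host names, domain names and the function audit_sssd_conf are constructed for illustration.

```python
import configparser

# Values of ldap_tls_reqcert that do not insist on a valid server certificate.
WEAK_REQCERT = {"never", "allow", "try"}

# Constructed sample modelled on the posted configs; all names are placeholders.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
domains = POSTED, HARDENED

[domain/POSTED]
id_provider = ldap
ldap_uri = ldap://dc1.example.test
ldap_id_use_start_tls = true
ldap_tls_reqcert = allow
ldap_default_authtok_type = password
ldap_default_authtok = constructed-secret
override_homedir = /export/home/%u

[domain/HARDENED]
id_provider = ldap
ldap_uri = ldaps://dc1.example.test
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = constructed-placeholder
"""

def audit_sssd_conf(text):
    """Return (section, option, reason) findings for LDAP transport and bind secrets."""
    # interpolation=None: sssd.conf values such as /export/home/%u are literal.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        dom = cp[section]
        reqcert = dom.get("ldap_tls_reqcert", "hard").strip().lower()
        if reqcert in WEAK_REQCERT:
            findings.append((section, "ldap_tls_reqcert",
                             "'%s' does not require a valid server certificate; "
                             "use demand or hard with ldap_tls_cacert" % reqcert))
        uris = [u.strip().lower() for u in dom.get("ldap_uri", "").split(",")]
        starttls = dom.get("ldap_id_use_start_tls", "false").strip().lower() == "true"
        if any(u.startswith("ldap://") for u in uris) and not starttls:
            findings.append((section, "ldap_uri",
                             "ldap:// without ldap_id_use_start_tls sends lookups in clear"))
        tok_type = dom.get("ldap_default_authtok_type", "password").strip().lower()
        if "ldap_default_authtok" in dom and tok_type == "password":
            findings.append((section, "ldap_default_authtok",
                             "cleartext bind password; keep sssd.conf root-owned, mode 0600"))
    return findings

if __name__ == "__main__":
    for section, option, reason in audit_sssd_conf(SAMPLE_CONF):
        print("%s: %s: %s" % (section, option, reason))
```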
kerberos Key has expired
by Thomas Beaudry
Hi,
I am using sssd to renew my kerberos keys every 2 minutes (I know this is short, but it's for testing to see if it actually works). I also set the lifetime of my kerberos tickets to 10 minutes. I verified that sssd is in fact renewing the keys on the interval I specified, because when I "klist" I see the valid starting time change, however when I try to access the share it no longer works.
Here is some output:
tbeaudry@perf-hpc01:~$ date
Thu Sep 29 10:19:29 EDT 2016
tbeaudry@perf-hpc01:~$ klist
Ticket cache: FILE:/usr/krb5/creds/.krb5cache_1624330994
Default principal: tbeaudry@CONCORDIA.CA
Valid starting Expires Service principal
2016-09-29 10:18:54 2016-09-29 10:28:54 krbtgt/CONCORDIA.CA@CONCORDIA.CA
renew until 2016-10-06 10:12:54
tbeaudry@perf-hpc01:~$ cd ~
-bash: cd: /NAS/home/tbeaudry: Key has expired
From my krb5.conf
[libdefaults]
default_realm = CONCORDIA.CA
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 10m
renew_lifetime = 7d
From my sssd.conf
[domain/concordia.ca]
ad_domain = concordia.ca
krb5_realm = CONCORDIA.CA
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
#use_fully_qualified_names = True
override_homedir = /NAS/home/%u
fallback_homedir = /home/%u
access_provider = ad
debug_level=7
ignore_group_members=True
krb5_renewable_lifetime = 7d
krb5_renew_interval = 2m
Thanks!
Thomas
7 years, 2 months