Hi,
I have RH's version of freeipa (ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64) working fine. RHEL8, RHEL7, Debian10.9, Ubuntu20LTS and Centos7 clients work perfectly OK to IPA for users in IPA.
For the cross domain trust, however, only RHEL8 and RHEL7 work. Debian10.9, Ubuntu20LTS and Centos7 fail for the AD user, who cannot ssh in.
Is there any config I need to do to get 3rd party Linux to work with a trust? Just wondering if I have missed a package? config? steps?
Or does it just not work?
rhel7 secure log showing success,
8><----
Jun 9 16:40:55 rhel7a sshd[9339]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=v1.ods.vuw.ac.nz user=linuxuser2@vuwtest.ac.nz
Jun 9 16:41:04 rhel7a sshd[9336]: Accepted keyboard-interactive/pam for linuxuser2@vuwtest.ac.nz from 10.100.32.67 port 48
Jun 9 16:41:04 rhel7a sshd[9336]: pam_unix(sshd:session): session opened for user linuxuser2@vuwtest.ac.nz by (uid=0)
[root@rhel7a ~]#
8><---
centos7 secure log,
8><---
[root@centos7a ~]# tail -50f /var/log/secure
Jun 9 17:15:24 centos7a sshd[1812]: Invalid user linuxuser2@vuwtest.ac.nz from 10.100.32.67 port 53880
Jun 9 17:15:24 centos7a sshd[1812]: input_userauth_request: invalid user linuxuser2@vuwtest.ac.nz [preauth]
Jun 9 17:15:24 centos7a sshd[1812]: Postponed keyboard-interactive for invalid user linuxuser2@vuwtest.ac.nz from 10.100.32.67 port 53880 ssh2 [preauth]
Jun 9 17:15:35 centos7a sshd[1814]: pam_unix(sshd:auth): check pass; user unknown
Jun 9 17:15:35 centos7a sshd[1814]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.100.32.67
Jun 9 17:15:37 centos7a sshd[1812]: error: PAM: User not known to the underlying authentication module for illegal user linuxuser2@vuwtest.ac.nz from 10.100.32.67
Jun 9 17:15:37 centos7a sshd[1812]: Failed keyboard-interactive/pam for invalid user linuxuser2@vuwtest.ac.nz from 10.100.32.67 port 53880 ssh2
Jun 9 17:15:37 centos7a sshd[1812]: Postponed keyboard-interactive for invalid user linuxuser2@vuwtest.ac.nz from 10.100.32.67 port 53880 ssh2 [preauth]
On 09/06/2021 13:20, thing.thing@gmail.com wrote:
I have RH's version of freeipa (ipa-server-4.9.2-3.module+el8.4.0+10412+5ecb5b37.x86_64) working fine. RHEL8, RHEL7, Debian10.9, Ubuntu20LTS and Centos7 clients work perfectly OK to IPA for users in IPA.
For the cross domain trust, however, only RHEL8 and RHEL7 work. Debian10.9, Ubuntu20LTS and Centos7 fail for the AD user, who cannot ssh in.
Is there any config I need to do to get 3rd party Linux to work with a trust? Just wondering if I have missed a package? config? steps?
May I suggest you post/ask on the dedicated freeipa list?
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahost...
I thought I did, sorry. This platform isn't very clear where you are :(
On Wed, 2021-06-09 at 19:28 +0000, thing.thing@gmail.com wrote:
I thought I did, sorry. This platform isn't very clear where you are :(
You thought you did what? If you reply on HyperKitty there's no context unless you explicitly quote it.
poc
On 10/06/2021 05:00, Patrick O'Callaghan wrote:
On Wed, 2021-06-09 at 19:28 +0000, thing.thing@gmail.com wrote:
I thought I did, sorry. This platform isn't very clear where you are :(
You thought you did what? If you reply on HyperKitty there's no context unless you explicitly quote it.
Lucky for me T-Bird sorts threads based on subject as well as header information. Doesn't Evolution?
Oh, he thought he posted on the freeIPA list.
09.06.21, 23:40 +0200, Ed Greshko:
On 10/06/2021 05:00, Patrick O'Callaghan wrote:
On Wed, 2021-06-09 at 19:28 +0000, thing.thing@gmail.com wrote:
I thought I did, sorry. This platform isn't very clear where you are :(
You thought you did what? If you reply on HyperKitty there's no context unless you explicitly quote it.
Lucky for me T-Bird sorts threads based on subject as well as header information. Doesn't Evolution?
In this particular case no threading based on subject is necessary, since thing.thing's reply contains usable "In-Reply-To" and "References" header fields.
On 10/06/2021 06:14, Markus Schönhaber wrote:
09.06.21, 23:40 +0200, Ed Greshko:
On 10/06/2021 05:00, Patrick O'Callaghan wrote:
On Wed, 2021-06-09 at 19:28 +0000, thing.thing@gmail.com wrote:
I thought I did, sorry. This platform isn't very clear where you are :(
You thought you did what? If you reply on HyperKitty there's no context unless you explicitly quote it.
Lucky for me T-Bird sorts threads based on subject as well as header information. Doesn't Evolution?
In this particular case no threading based on subject is necessary, since thing.thing's reply contains usable "In-Reply-To" and "References" header fields.
Good point. I had seen, probably too long ago, cases where HyperKitty had missed some headers. I should have looked and not "assumed".
Thanks.
Patrick O'Callaghan
You thought you did what? If you reply on HyperKitty there's no context unless you explicitly quote it.
Ed Greshko:
Lucky for me T-Bird sorts threads based on subject as well as header information. Doesn't Evolution?
It does. I'm using it.
Though he's right that replies should give an unmistakeable clue about what's being replied to. It makes it far easier to understand if you don't have to find a prior message to understand it. And some people delete old messages, especially when they're inundated with hundreds each day.
On Evolution, I have it only showing the last 5 days' worth. If it were easily customisable, I might narrow it down to 3 days' worth.
Back when I did usenet using Forte Agent, I recall doing something similar, with it auto-deleting cached messages that were a couple of weeks old. At least with usenet, you could very easily re-fetch an older uncached message (you still saw the headers, you just didn't have any cached body content for them).
On 10/06/2021 11:15, Tim via users wrote:
Though he's right that replies should give an unmistakeable clue about what's being replied to. It makes it far easier to understand if you don't have to find a prior message to understand it. And some people delete old messages, especially when they're inundated with hundreds each day.
I get a few hundred messages a day. I use filters to folders which makes my life easier when people don't do what "I" think they should. :-) :-)
I keep 15 days of list emails locally. Just for those times where there are long threads. Even now the User's folder only has 202 emails in it. And it isn't as if I lack disk space, but still.
On Evolution, I have it only showing the last 5 days' worth. If it were easily customisable, I might narrow it down to 3 days' worth.
T-Bird has a nice "Retention Policy" on a per folder basis.
Back when I did usenet using Forte Agent, I recall doing something similar, with it auto-deleting cached messages that were a couple of weeks old. At least with usenet, you could very easily re-fetch an older uncached message (you still saw the headers, you just didn't have any cached body content for them).
If someone posts a reply to messages which have been deleted and I can't divine what is being said I do one of 2 things. I either ignore it (especially if I'm weak on the subject). Or, I go to the archives. My browser has a bookmark to them so it isn't too much trouble.
Tim:
On Evolution, I have it only showing the last 5 days' worth. If it were easily customisable, I might narrow it down to 3 days' worth.
Ed Greshko:
T-Bird has a nice "Retention Policy" on a per folder basis.
Evolution does have retention options, where old messages can be deleted or archived if they're so-many days/weeks/months old, but the filtering (what you see by default) per folder is less flexible.
Over the years I've tried various clients, but they all suck very badly at replying. Specifically, the mangling of quotes, and how well it'll let you manually unmangle them. Forte Agent was the only client I've come across that would edit properly like you were using a word processor, and understand not to mangle up the greater-than signs being used as quote prefixes into the middle of the text. Evolution was the least-worst mail client out of the Linux ones I've tried. Thunderbird does a lot of weird stuff I just do not like.
This is an ugly manglification of your text that shouldn't happen, and software should have been written to handle it better decades ago, that I usually hand re-wrap, but I'm leaving it as an example:
If someone posts a reply to messages which hss been deleted and I can't divine what is being said I do one of 2 things. I either ignore it (especially if I'm weak on the subject). Or, I go to the archives. My browser has a bookmark to them so it isn't too much trouble.
I'll just ignore it. If I have to fire up a browser and go searching for it, it's too much effort. I won't be the only one who does that. So people who make it hard to follow their messages are only shooting themselves in the foot.
On Thu, 2021-06-10 at 05:40 +0800, Ed Greshko wrote:
On 10/06/2021 05:00, Patrick O'Callaghan wrote:
On Wed, 2021-06-09 at 19:28 +0000, thing.thing@gmail.com wrote:
I thought I did, sorry. This platform isn't very clear where you are :(
You thought you did what? If you reply on HyperKitty there's no context unless you explicitly quote it.
Lucky for me T-Bird sorts threads based on subject as well as header information. Doesn't Evolution?
Of course it does, but not everyone keeps threads around or has them permanently visible once read. Quoting is useful to get an idea of what the comment is about without having to look for the post being replied to.
poc
On 10/06/2021 17:35, Patrick O'Callaghan wrote:
On Thu, 2021-06-10 at 05:40 +0800, Ed Greshko wrote:
On 10/06/2021 05:00, Patrick O'Callaghan wrote:
On Wed, 2021-06-09 at 19:28 +0000, thing.thing@gmail.com wrote:
I thought I did, sorry. This platform isn't very clear where you are :(
You thought you did what? If you reply on HyperKitty there's no context unless you explicitly quote it.
Lucky for me T-Bird sorts threads based on subject as well as header information. Doesn't Evolution?
Of course it does, but not everyone keeps threads around or has them permanently visible once read. Quoting is useful to get an idea of what the comment is about without having to look for the post being replied to.
Oh, Tim had said "If it were easily customisable, I might narrow it down to 3 day's worth". So I was wondering about it.
FWIW, my memory is still fairly good. I never recalled thing.thing posting to this list. So, to me, it didn't make much sense to be admonishing them. Kinda like responding to list spam. Just a waste of keystrokes. :-)
And, when will I ever follow the advice in my signature?
On Thu, 2021-06-10 at 17:59 +0800, Ed Greshko wrote:
FWIW, my memory is still fairly good. I never recalled thing.thing posting to this list. So, to me, it didn't make much sense to be admonishing them. Kinda like responding to list spam. Just a waste of keystrokes. :-)
Perhaps not as good as you think Ed. The original post is:
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/...
poc
On 10/06/2021 18:24, Patrick O'Callaghan wrote:
On Thu, 2021-06-10 at 17:59 +0800, Ed Greshko wrote:
FWIW, my memory is still fairly good. I never recalled thing.thing posting to this list. So, to me, it didn't make much sense to be admonishing them. Kinda like responding to list spam. Just a waste of keystrokes. :-)
Perhaps not as good as you think Ed. The original post is:
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org/...
Ah, I was referring to prior to June 9th, if that wasn't obvious. Besides, I was the one to have responded to him about posting to the freeIPA list. So......
debian auth log errors
Jun 14 13:33:36 debian10-test1 sshd[14476]: Failed keyboard-interactive/pam for invalid user linuxuser2@vuwtest.ac.nz from 10.120.248.104 port 61903 ssh2
Jun 14 13:33:36 debian10-test1 sshd[14476]: Postponed keyboard-interactive for invalid user linuxuser2@vuwtest.ac.nz from 10.120.248.104 port 61903 ssh2 [preauth]
Jun 14 13:33:40 debian10-test1 sshd[14479]: pam_unix(sshd:auth): check pass; user unknown
Jun 14 13:33:40 debian10-test1 sshd[14479]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.120.248.104
Jun 14 13:33:40 debian10-test1 sshd[14479]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.120.248.104 user=linuxuser2@vuwtest.ac.nz
Jun 14 13:33:40 debian10-test1 sshd[14479]: pam_sss(sshd:auth): received for user linuxuser2@vuwtest.ac.nz: 10 (User not known to the underlying authentication module)
Jun 14 13:33:42 debian10-test1 sshd[14476]: error: PAM: Authentication failure for illegal user linuxuser2@vuwtest.ac.nz from 10.120.248.104
Jun 14 13:33:42 debian10-test1 sshd[14476]: Failed keyboard-interactive/pam for invalid user linuxuser2@vuwtest.ac.nz from 10.120.248.104 port 61903 ssh2
Jun 14 13:33:42 debian10-test1 sshd[14476]: Postponed keyboard-interactive for invalid user linuxuser2@vuwtest.ac.nz from 10.120.248.104 port 61903 ssh2 [preauth]
Jun 14 13:33:50 debian10-test1 sshd[14476]: Connection closed by invalid user linuxuser2@vuwtest.ac.nz 10.120.248.104 port 61903 [preauth]
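Added example (not part of any post in this thread): a small triage of the sshd/PAM lines quoted above that separates "account could not be resolved" from "credentials rejected", per host. The sample lines are copied from the rhel7a, centos7a and debian10-test1 excerpts; the verdict strings and function names are this example's own, and 10 is Linux-PAM's PAM_USER_UNKNOWN.

```python
import re
from collections import defaultdict

# Lines copied from the three log excerpts quoted in this thread.
SAMPLE = """\
Jun 9 16:40:55 rhel7a sshd[9339]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=v1.ods.vuw.ac.nz user=linuxuser2@vuwtest.ac.nz
Jun 9 16:41:04 rhel7a sshd[9336]: Accepted keyboard-interactive/pam for linuxuser2@vuwtest.ac.nz from 10.100.32.67 port 48
Jun 9 17:15:24 centos7a sshd[1812]: Invalid user linuxuser2@vuwtest.ac.nz from 10.100.32.67 port 53880
Jun 9 17:15:35 centos7a sshd[1814]: pam_unix(sshd:auth): check pass; user unknown
Jun 9 17:15:37 centos7a sshd[1812]: Failed keyboard-interactive/pam for invalid user linuxuser2@vuwtest.ac.nz from 10.100.32.67 port 53880 ssh2
Jun 14 13:33:40 debian10-test1 sshd[14479]: pam_sss(sshd:auth): received for user linuxuser2@vuwtest.ac.nz: 10 (User not known to the underlying authentication module)
Jun 14 13:33:42 debian10-test1 sshd[14476]: Failed keyboard-interactive/pam for invalid user linuxuser2@vuwtest.ac.nz from 10.120.248.104 port 61903 ssh2
"""

LINE = re.compile(r"^\w{3}\s+\d+ [\d:]+ (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
PAM_SSS_CODE = re.compile(r"pam_sss\(sshd:auth\): received for user \S+: (\d+) \(")

def verdict(h):
    """Turn the per-host flags into one short finding."""
    if h["accepted"]:
        return "login-ok"
    if h["invalid_user"] and 10 in h["pam_sss_codes"]:  # 10 = PAM_USER_UNKNOWN
        return "user-unresolved: sssd answered 'user unknown'"
    if h["invalid_user"] and not h["pam_sss_seen"]:
        return "user-unresolved: no pam_sss line in excerpt"
    return "user-unresolved" if h["invalid_user"] else "auth-failed"

def triage(log_text):
    """Per host, separate 'identity not resolvable' from 'credentials rejected'."""
    hosts = defaultdict(lambda: {"accepted": False, "invalid_user": False,
                                 "pam_sss_seen": False, "pam_sss_codes": set()})
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not an sshd syslog line
        h, msg = hosts[m["host"]], m["msg"]
        h["accepted"] |= msg.startswith("Accepted ")
        # sshd logs "invalid user" when its passwd lookup (via NSS) finds no account.
        h["invalid_user"] |= "invalid user" in msg.lower()
        h["pam_sss_seen"] |= "pam_sss(" in msg
        code = PAM_SSS_CODE.search(msg)
        if code:
            h["pam_sss_codes"].add(int(code.group(1)))
    return {name: verdict(h) for name, h in hosts.items()}

if __name__ == "__main__":
    for host, finding in triage(SAMPLE).items():
        print(f"{host:16} {finding}")
```

A "user-unresolved" finding means the name lookup failed before any password was checked; `getent passwd linuxuser2@vuwtest.ac.nz` on the affected client tests that lookup directly.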
On 14/06/2021 09:45, thing.thing@gmail.com wrote:
Wrong list again? :-)
debian auth log errors
Jun 14 13:33:36 debian10-test1 sshd[14476]: Failed keyboard-interactive/pam for invalid user linuxuser2@vuwtest.ac.nz from 10.120.248.104 port 61903 ssh2
Jun 14 13:33:36 debian10-test1 sshd[14476]: Postponed keyboard-interactive for invalid user linuxuser2@vuwtest.ac.nz from 10.120.248.104 port 61903 ssh2 [preauth]
Jun 14 13:33:40 debian10-test1 sshd[14479]: pam_unix(sshd:auth): check pass; user unknown
Jun 14 13:33:40 debian10-test1 sshd[14479]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.120.248.104
Jun 14 13:33:40 debian10-test1 sshd[14479]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.120.248.104 user=linuxuser2@vuwtest.ac.nz
Jun 14 13:33:40 debian10-test1 sshd[14479]: pam_sss(sshd:auth): received for user linuxuser2@vuwtest.ac.nz: 10 (User not known to the underlying authentication module)
Jun 14 13:33:42 debian10-test1 sshd[14476]: error: PAM: Authentication failure for illegal user linuxuser2@vuwtest.ac.nz from 10.120.248.104
Jun 14 13:33:42 debian10-test1 sshd[14476]: Failed keyboard-interactive/pam for invalid user linuxuser2@vuwtest.ac.nz from 10.120.248.104 port 61903 ssh2
Jun 14 13:33:42 debian10-test1 sshd[14476]: Postponed keyboard-interactive for invalid user linuxuser2@vuwtest.ac.nz from 10.120.248.104 port 61903 ssh2 [preauth]
Jun 14 13:33:50 debian10-test1 sshd[14476]: Connection closed by invalid user linuxuser2@vuwtest.ac.nz 10.120.248.104 port 61903 [preauth]