On Thu, Jan 5, 2023 at 12:29 PM tizo wrote:
>
> On Thu, Jan 5, 2023 at 9:48 AM tizo wrote:
> >
> > > Hi,
> > >
> > > it looks like if the client is talking to 10.2.100.11 it is
> > > working as expected but with 10.12.100.1 it fails. Are there any details
> > > in the logs of those servers?
> > >
On Thu, Jan 5, 2023 at 9:48 AM tizo wrote:
>
> > Hi,
> >
> > it looks like if the client is talking to 10.2.100.11 it is
> > working as expected but with 10.12.100.1 it fails. Are there any details
> > in the logs of those servers?
> >
> > bye,
> > Sumit
> >
>
> I couldn't find anything related on
> Hi,
>
> it looks like if the client is talking to 10.2.100.11 it is
> working as expected but with 10.12.100.1 it fails. Are there any details
> in the logs of those servers?
>
> bye,
> Sumit
>
I couldn't find anything related on those server logs. They are the
Samba servers.
Maybe it is a fire
>
> Hi,
>
> 'Decrypt integrity check failed' typically means that the wrong
> Kerberos password or key was used. Since you are using FAST it might
> either be the user password the user is typing in or the host key which
> was used to set up the FAST tunnel. Was the host key updated shortly
> before
We have an IPA-AD trust up and running. The IPA domain is
idm.fnr.gub.uy and the AD (Samba) domain is smb.fnr.gub.uy. Our users
belong to AD.
We have a couple of Ubuntu 22.04 IPA clients configured. In the first
one, all works like a charm, and AD users can log in without problems.
In the second on
This issue is solved in Samba 4.16.4. Thanks very much Sumit for your
work solving it with the Samba team!
On Tue, May 17, 2022 at 1:55 PM tizo wrote:
>
> Is there anything else I can do to help with this issue? I am willing
> to create a whole new test environment from scratch if it is needed.
Is there anything else I can do to help with this issue? I am willing
to create a whole new test environment from scratch if it is needed.
Thanks very much.
On Wed, May 11, 2022 at 5:04 PM tizo wrote:
>
> On Tue, May 3, 2022 at 11:29 AM tizo wrote:
> >
> > On Tue, May 3, 2022 at 9:18 AM tizo
On Tue, May 3, 2022 at 11:29 AM tizo wrote:
>
> On Tue, May 3, 2022 at 9:18 AM tizo wrote:
> >
> > On Tue, May 3, 2022 at 2:43 AM Sumit Bose wrote:
> > >
> > > Am Mon, May 02, 2022 at 03:15:05PM -0300 schrieb tizo:
> > > > On Mon, May 2, 2022 at 2:36 PM Sumit Bose wrote:
> > > > >
> > > > > Am
On Tue, May 3, 2022 at 9:18 AM tizo wrote:
>
> On Tue, May 3, 2022 at 2:43 AM Sumit Bose wrote:
> >
> > Am Mon, May 02, 2022 at 03:15:05PM -0300 schrieb tizo:
> > > On Mon, May 2, 2022 at 2:36 PM Sumit Bose wrote:
> > > >
> > > > Am Mon, May 02, 2022 at 12:32:34PM -0300 schrieb tizo:
> > > > > O
On Tue, May 3, 2022 at 2:43 AM Sumit Bose wrote:
>
> Am Mon, May 02, 2022 at 03:15:05PM -0300 schrieb tizo:
> > On Mon, May 2, 2022 at 2:36 PM Sumit Bose wrote:
> > >
> > > Am Mon, May 02, 2022 at 12:32:34PM -0300 schrieb tizo:
> > > > On Mon, May 2, 2022 at 11:56 AM Sumit Bose wrote:
> > > > >
On Mon, May 2, 2022 at 2:36 PM Sumit Bose wrote:
>
> Am Mon, May 02, 2022 at 12:32:34PM -0300 schrieb tizo:
> > On Mon, May 2, 2022 at 11:56 AM Sumit Bose wrote:
> > >
> > > Am Mon, May 02, 2022 at 11:39:40AM -0300 schrieb tizo:
> > > > > Hi,
> > > > >
> > > > > thanks, at least I received your e
On Mon, May 2, 2022 at 11:56 AM Sumit Bose wrote:
>
> Am Mon, May 02, 2022 at 11:39:40AM -0300 schrieb tizo:
> > > Hi,
> > >
> > > thanks, at least I received your email. Can you run the tests with
> > > "krb5_use_fast = never" and "krb5_use_enterprise_principal = True" again
> > > but with 'debug
> Hi,
>
> thanks, at least I received your email. Can you run the tests with
> "krb5_use_fast = never" and "krb5_use_enterprise_principal = True" again
> but with 'debug_level = 9' in the [domain/...] section of sssd.conf.
> This will add some additional information into krb5_child.log which
> migh
>
> Hi,
>
> can you try if adding
>
> krb5_use_enterprise_principal = True
>
> helps? If not, please send full SSSD logs (everything in /var/log/sssd)
> next time.
>
> bye,
> Sumit
>
Hi and thanks Sumit. I have just realized that the response that I
sent on Friday with all the logs and differen
I would really appreciate any kind of help here. I don't know how I
could go ahead with this issue, and it's the last one before going
into production.
Thanks very much!
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscri
On Mon, Apr 25, 2022 at 12:23 PM tizo wrote:
>
> > Hi,
> >
> > thanks for the logs. The issue does not happen during Kerberos ticket
> > validation, as I thought, but while trying to establish the FAST tunnel.
> >
> > There should be two ways to solve this. The first is setting
> >
> > krb5_use_
> Hi,
>
> thanks for the logs. The issue does not happen during Kerberos ticket
> validation, as I thought, but while trying to establish the FAST tunnel.
>
> There should be two ways to solve this. The first is setting
>
> krb5_use_fast = never
>
> in the [domain/...] section of sssd.conf on eve
> Hi,
>
> this is still the same pattern. Would it be possible to get a network
> trace to better understand what the KDC reply looks like and what might
> not be as expected by libkrb5?
>
> Additionally, can you try to set the password for the user with the
> expired password with
>
> KRB5_TRAC
>
> I have applied your 4 steps solution (instead of clearing the caches in
> the fifth step, I just rebooted the IPA server), and it looks good so far.
> I will do some more tests during the following days, and then will post the
> results.
>
>
Works great! Thanks very much!
Thanks very much for your response Sumit.
> Why do you not add the fileserver to the IPA DNS domain and only join to
> IPA? AD user should be able to access it due to the trust with IPA.
>
>
>
Because the file server is also a file server for Windows users, i.e., it's
joined to AD domain (and afaik
On Wed, Dec 15, 2021 at 10:24 AM tizo wrote:
> Just another problem of my lab about IPA trusting AD (but very close to
> the end). We have this trust relation between IPA and AD. The IPA server is
> installed on a Rocky Linux 8, and its domain is idmpru.xx.xx. The AD server
> is a Samba AD DC 4.1
> Do your AD users in question belong to any IPA groups?
>>
>
No, they didn't. They do now.
>> Your symptoms are very similar to the following post:
>>
>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/VHTB3GR65L77SS7CS5H4GWHRMBIKQWXP/
>>
>>
I have applie
Just another problem of my lab about IPA trusting AD (but very close to the
end). We have this trust relation between IPA and AD. The IPA server is
installed on a Rocky Linux 8, and its domain is idmpru.xx.xx. The AD server
is a Samba AD DC 4.14 installed on a Rocky Linux 8 too, and its domain is
a
oup that was then mapped into an IPA POSIX group. I suppose you
> could adjust the cache lifetime on the client vs. our method, but
> you'd still run into the issue of expired entries eventually, which
> still wouldn't fix the issue.
>
> HTH,
> John DeSantis
>
>
Anyone, please? I don't really know how to fix this. Thanks.
On Thu, Dec 9, 2021 at 11:20 AM tizo wrote:
> The scenario is an IPA with an AD trust. The users belong to AD. IPA is a
> Rocky Linux 8, and AD is a Samba 4.14.10 over Rocky Linux 8 too.
>
> We have a couple of IPA host clients to test
The scenario is an IPA with an AD trust. The users belong to AD. IPA is a
Rocky Linux 8, and AD is a Samba 4.14.10 over Rocky Linux 8 too.
We have a couple of IPA host clients to test. One is another Rocky Linux 8,
and the other is an Ubuntu 20.04. Everything works fine: AD users can login
into th
On Fri, Dec 3, 2021 at 10:18 AM tizo wrote:
> We have a test environment with a FreeIPA server with a cross forest trust
> with an AD (that is in fact a Samba AD DC). Both servers are Rocky Linux 8.
>
> Everything works fine when we try to log in to the FreeIPA server with an
> AD user (and with I
We have a test environment with a FreeIPA server with a cross forest trust
with an AD (that is in fact a Samba AD DC). Both servers are Rocky Linux 8.
Everything works fine when we try to log in to the FreeIPA server with an AD
user (and with IPA users too). However, in another Rocky Linux 8 acting