[Freeipa-users] Re: Access denied for uid [389]

Mon, 15 Aug 2022 03:27:58 -0700 


On 15/08/2022 06:16, Sumit Bose wrote:

Am Sun, Aug 14, 2022 at 04:34:30PM +0100 schrieb lejeczek via FreeIPA-users:

Hi guys.

Domain seems to function okey, 'healthcheck' reports no issues, but these
begin to worry me, from sssd_pac.log
...
(2022-08-14 16:19:52): [pac] [accept_fd_handler] (0x0020): Access denied for
uid [389].
    *  ... skipping repetitive backtrace ...
(2022-08-14 16:19:54): [pac] [accept_fd_handler] (0x0020): Access denied for
uid [389].
    *  ... skipping repetitive backtrace ...
(2022-08-14 16:19:54): [pac] [accept_fd_handler] (0x0020): Access denied for
uid [389].
    *  ... skipping repetitive backtrace ...
(2022-08-14 16:20:00): [pac] [accept_fd_handler] (0x0020): Access denied for
uid [389].

Hi,

you can allow 389ds to send the PAC to SSSD by setting

    allowed_uids = 0, 389

in the [pac] section of sssd.conf, see man sssd.conf for details.

SSSD can use the PAC to determine group-memberships of a user and since
we do not want that any process can tinker with the group-memberships we
allow access only from "trusted" UIDs.

Okey,. so is the fact that it's dirsrv itself wants 
something which makes SSSD not happy,  is "abnormal", 
unexpected and dirsrv is not such "trusted" process/id?
I'm not dong anything fancy - it's a "standard" deployment 
with Samba.


many thanks, L.


HTH

bye,
Sumit


and this log is quite busy.
What is that symptom of and should that be a worry?

many thanks, L.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue






















					Reply via email to