Ineligible for postdating
Regarding a 2 hour lookback test: Without even setting it any differently, using the "Show Alert In Dashboard" button, I obtain a list of records that should have been alerted on and weren't.My past attempt results are the same, it doesn't matter how many times I have the alert look-back at these records - there are some that just won't alert and some that it alerts on every time. NET [kdc] profile = /var/kerberos/krb5kdc/[appdefaults] pam = Now it is a good idea to add your domain controller to your change: workgroup = EDMONSON add: realm = EDMONSON. NET change: server string = Linux Samba File Server change: security = ADS change: encrypt passwords = yes change: preferred master = no add: template shell = /bin/false add: template homedir = /home/%D/%U add: idmap uid = 10000-20000 add: idmap gid = 10000-20000 add: enhanced browsing = no add: winbind use default domain = yes Now you need to enable extended Access Control Lists (ACLs) on the filesystem that you will be using.I cheated a little and did the following to quickly create mine: That should give you a directory for every user with them having full control of that directory. TEST libads/kerberos.c:333(ads_kinit_password) kerberos_kinit_password [email protected] To definitely solve this problem you need to update samba package to version samba-3.5.10-114.el6 that contains a fix for this problem and a lot of other improvements.
You also shouldn't need to define the [realms] manually as you have dns_lookup_realm and dns_lookup_kdc specified. the main issue with i was getting that initial error is that the service account created in AD was wrong. Here is my config file; [[email protected] home]# cat /etc/sssd/[sssd] services = nss, pam, ssh config_file_version = 2 domains = MYDOMAIN. LCL] id_provider = ad --------- and krb5[[email protected] home]# cat /etc/krb5[logging] default = FILE:/var/log/krb5kdc = FILE:/var/log/krb5admin_server = FILE:/var/log/[libdefaults] default_realm = MYDOMAIN.LCL' over rpc: Logon failure Sep 5 Redhat01 winbindd: [2014/09/05 .636313, 0] winbindd/winbindd.c:240(winbindd_sig_term_handler) Sep 5 Redhat01 winbindd: Got sig terminate (is_parent=1) Sep 5 Redhat01 winbindd: [2014/09/05 .186900, 0] winbindd/winbindd_dual.c:926(calculate_next_machine_pwd_change) Sep 5 Redhat01 winbindd: cannot fetch own machine password ???? and also ensure you don't have firewalls running (until AD steps are validated) As a side note, is there a technical reason you chose not to use SSSD? The go-to document for SSSD is really this one: https://access.redhat.com/articles/216933 Which is the same document you have referred to above.ads_connect for domain MYDOMAIN failed: Cannot read password Sep 5 Redhat01 winbindd: [2014/09/05 .660704, 0] winbindd/winbindd.c:240(winbindd_sig_term_handler) Sep 5 Redhat01 winbindd: Got sig terminate (is_parent=1) Sep 5 Redhat01 winbindd: [2014/09/05 .418863, 0] winbindd/winbindd_dual.c:926(calculate_next_machine_pwd_change) Sep 5 Redhat01 winbindd: cannot fetch own machine password ???? Configuration 3 at section 6.3 on page 56 explains using SSSD.NL just seems to be skipping records that meet the query criteria when it is time to send the alerts, even if the very same record appears in the "Show Alerts in Dashboard" test.
Is there some minimal criteria that a record has to meet to get sent as an alert - besides just meeting the query criteria?I would like to limit this to let`s say only " Linux-Administrators" and " Linux-Application Owner" groups can login to servers?