[Freeipa-users] Is sssd currently useable with freeipa v2 ?
Oliver Burtchen
o.burtchen at gmx.de
Sun May 2 01:34:55 UTC 2010
Hi Stephen,
I have now nailed the problem down a little bit. I think it's HBAC with its empty
rules in the standard configuration. For me it was hard to recognize that it
prevents every user added with "ipa user-add" from logging in to the server or
joined machines (via ssh or console). When I do an
"ipa-client-install --on-master --permit" everything works fine. Without the
"--permit" I always get an access denied via pam-configuration.
Is there any documentation ready for reading/review for HBAC with freeipa?
At least it would be nice to have some short documentation of what is necessary.
Could you lead me a little bit?
And thanks for your explanation about the sssd and sssd12 branch/repo at
jdennis. It makes the difference very clear to me and I now use the sssd12 for
testing (just to calm down a little bit ;-) . Maybe a little readme.txt with
your explanation would be quite nice on the server, so other people don't have
to ask again.
Best regards,
Oli
On Wednesday, 21 April 2010 22:41:53, Stephen Gallagher wrote:
> On 04/21/2010 02:53 PM, Oliver Burtchen wrote:
> > Hi Stephen,
> >
> > thanks for the answer. Yes, I used the ipa-client-install tool. But I had
> > first patched in this fix
> >
> > https://www.redhat.com/archives/freeipa-devel/2010-April/msg00004.html
> >
> > from Rob to get 'join' working again. Well, living at the bleeding edge. ;-)
> >
> > I'll see if I can nail the problem down.
>
> You may find the debug logs in /var/log/sssd/. At their default settings
> (level 0) these logs will display only critical errors. But if you need
> more information, you can turn up the debug_level in the
> /etc/sssd/sssd.conf file and restart the SSSD. Then your debug logs will
> fill up fairly quickly.
>
> > Btw., what's the difference between
> > the sssd and sssd12 repos at jdennis? What is the most recent one, what's
> > best to use with the ipa-devel repo?
> >
>
> We split the development of 1.2 off into its own branch. Builds from
> that branch are put into the sssd12 repo. We're aiming to release 1.2.0
> at the beginning of May. So that's the branch targeted towards our next
> public release. We did this so we could put the finishing touches on
> SSSD 1.2 while those of us who have completed their 1.2 tasks can move
> ahead.
>
> The sssd repo contains our more experimental changes (for example, the
> internal cache interface was completely rewritten). These are the
> changes that will be forthcoming in sssd 1.3 sometime this summer.
>
> So your choices are:
> sssd12: Stabilizing towards release
> sssd: Hang on for dear life(*)
>
>
>
> (*) I usually run on this branch - eating my own dogfood, as it were -
> though we make no guarantees that it won't break.
>
--
Oliver Burtchen, Berlin