[Freeipa-users] sssd issues

Jakub Hrozek jhrozek at redhat.com
Tue Aug 16 14:29:30 UTC 2011


On Tue, Aug 16, 2011 at 03:56:48PM +0200, Ondrej Valousek wrote:
> Hi list,
> Ok here is the list of issues I discovered while configuring sssd against Win2008 AD & rfc2307bis schema:
> 1. If I specify both dns_discovery_domain and ldap_uri parameters
> then what happens is that DNS SRV discovery returns a list of LDAP
> servers. Now if the first one found is not working, others are not
> tried. I have to comment out the 'ldap_uri' parameter to make it
> work correctly.

Can you paste how exactly the ldap_uri line looks? I presume you would
like to try the service discovery first and if that fails, fall back to
a hardcoded hostname. In that case, ldap_uri should say:

ldap_uri = _srv_, ldap://adserver.example.com

That should work. 

> 
> 2. SSSD is unable to detect default Kerberos realm as per /etc/krb5.conf - I have to configure it manually
> 
> 3. Why do we actually need to specify Kerberos realm and KDC? Isn't /etc/krb5.conf supposed to record these kinds of parameters?

I think this has both historical (we used to say you don't need
/etc/krb5.conf at all with SSSD) and practical reasons - there can be more
SSSD domains with different realms and KDCs at the same time.

> 4. authconfig is unable to configure sssd to use IPA backend provider
> 

This was supposedly done to avoid people using authconfig-gtk to
configure clients against IPAv1, but I don't remember the exact reason.

Maybe someone else does?
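
An added example, not part of the original message and not SSSD project code: a small Python check for the sssd.conf settings discussed in this thread, namely the `_srv_` entry in `ldap_uri` and an explicit `krb5_realm` per domain. The sample config, host names, realm, finding codes and the function name `lint_sssd_conf` are constructed for illustration.

```python
import configparser

# Constructed sample sssd.conf; host names and realm are placeholders.
SAMPLE = """\
[sssd]
domains = fixed_only, srv_first

[domain/fixed_only]
id_provider = ldap
auth_provider = krb5
dns_discovery_domain = example.com
ldap_uri = ldap://adserver.example.com

[domain/srv_first]
id_provider = ldap
auth_provider = krb5
dns_discovery_domain = example.com
ldap_uri = _srv_, ldap://adserver.example.com
krb5_realm = EXAMPLE.COM
"""

MESSAGES = {
    "no-srv": "ldap_uri lists only fixed servers, so SRV discovery is not used",
    "srv-not-first": "fixed servers are tried before the _srv_ entry",
    "no-realm": "auth_provider = krb5 but krb5_realm is not set in this domain",
}

def lint_sssd_conf(text):
    """Return a list of (section, code) findings for [domain/...] sections."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for name in cp.sections():
        if not name.startswith("domain/"):
            continue
        sec = cp[name]
        uris = [u.strip() for u in sec.get("ldap_uri", "").split(",") if u.strip()]
        if uris and "_srv_" not in uris and "dns_discovery_domain" in sec:
            findings.append((name, "no-srv"))
        elif "_srv_" in uris and uris[0] != "_srv_":
            findings.append((name, "srv-not-first"))
        if sec.get("auth_provider") == "krb5" and "krb5_realm" not in sec:
            findings.append((name, "no-realm"))
    return findings

if __name__ == "__main__":
    for section, code in lint_sssd_conf(SAMPLE):
        print(f"[{section}] {code}: {MESSAGES[code]}")
```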



