[Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server

Dan Scott danieljamesscott at gmail.com
Tue Jun 21 15:58:50 UTC 2011


On Tue, Jun 21, 2011 at 11:37, Stephen Gallagher <sgallagh at redhat.com> wrote:
> On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote:
>> Hi,
>>
>> On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher <sgallagh at redhat.com> wrote:
>> > On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
>> >> Hi,
>> >>
>> >> I'm still running a FreeIPA 1.2 server but have started installing
>> >> Fedora 15 clients and am trying to figure out how to manually set up
>> >> the Krb/LDAP configuration.
>> >>
>> >> I've run the 'authconfig-tui' command and manually set up Krb
>> >> authentication and LDAP authorisation, using DNS discovery for the
>> >> servers. The authentication is working correctly, but when I run 'id
>> >> $USERNAME' I don't receive the correct groups, so I believe that
>> >> Kerberos is working, but the LDAP configuration is wrong. I've turned
>> >> the sssd loglevel up to 100, but I can't figure out why I'm not
>> >> getting the correct groups.
>> >>
>> >> My system has a variety of files and I'm not sure which are still in use:
>> >>
>> >> /etc/krb5.conf
>> >> /etc/pam_ldap.conf
>> >> /etc/sssd/sssd.conf
>> >>
>> >> On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' -
>> >> this is not present on F15.
>> >>
>> >> Can anyone help me figure out how to get the group lookups working?
>> >
>> >
>> > Probably you need to add ldap_schema=rfc2307bis into the
>> > [domain/default] section of /etc/sssd/sssd.conf.
>> >
>> > If you just set authconfig up as an LDAP server, it defaults to
>> > ldap_schema = rfc2307, which uses a different attribute on the server to
>> > contain group memberships.
>>
>> Thanks, but I've tried both of those entries - it doesn't appear to
>> make any difference.
>>
>> Dan
>
>
> Could you attach your
> (sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf
> and /etc/pam.d/system-auth?

Attached, thanks. The only changes are domain names and 'dc=*' entries.

One thing that I just noticed: the system-auth file has pam_krb5.so
entries; previously, these were pam_sss.so. I've tried using both,
but neither appears to work.

Thanks,

Dan
-------------- next part --------------
A non-text attachment was scrubbed...
Name: nsswitch.conf
Type: application/octet-stream
Size: 1735 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110621/35527e32/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: system-auth
Type: application/octet-stream
Size: 1196 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110621/35527e32/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: krb5.conf
Type: application/octet-stream
Size: 320 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110621/35527e32/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: sssd.conf
Type: application/octet-stream
Size: 3857 bytes
Desc: not available
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20110621/35527e32/attachment-0003.obj>
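A quick offline sanity check of the three client-side files the thread is circling around (sssd.conf's ldap_schema, nsswitch.conf's group sources, and the pam_krb5.so vs pam_sss.so question), as an added example that is not part of the original thread and not SSSD's or FreeIPA's own code. The file contents are constructed stand-ins for the scrubbed attachments; the "before" variants are an assumption about what authconfig-tui's plain LDAP choice leaves behind, not the poster's actual files.

```python
"""Check an IPA client's sssd.conf, nsswitch.conf and system-auth for the
misconfigurations discussed in the thread. Added example; the sample file
contents are constructed, not the poster's attachments."""
import configparser

# Constructed sssd.conf: no ldap_schema line, so sssd's rfc2307 default applies.
SSSD_CONF_BEFORE = """\
[sssd]
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_uri = _srv_
ldap_search_base = dc=example,dc=com
krb5_realm = EXAMPLE.COM
"""
# Same file with the setting Stephen suggested appended to [domain/default].
SSSD_CONF_AFTER = SSSD_CONF_BEFORE + "ldap_schema = rfc2307bis\n"

# Constructed nsswitch.conf fragment: users come from sssd, groups do not.
NSSWITCH_BEFORE = """\
passwd:     files sss
shadow:     files sss
group:      files ldap
"""
NSSWITCH_AFTER = NSSWITCH_BEFORE.replace("files ldap", "files sss")

# Constructed system-auth fragment using pam_krb5.so instead of pam_sss.so.
SYSTEM_AUTH_BEFORE = """\
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_krb5.so use_first_pass
account     required      pam_unix.so broken_shadow
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
"""
SYSTEM_AUTH_AFTER = SYSTEM_AUTH_BEFORE.replace("pam_krb5.so", "pam_sss.so")


def check_sssd_conf(text):
    """Flag LDAP domains still on rfc2307. sssd defaults ldap_schema to
    rfc2307, which reads memberships from the group's memberUid attribute;
    FreeIPA stores members as DNs in the 'member' attribute (rfc2307bis)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        if cp.get(section, "id_provider", fallback="") != "ldap":
            continue
        schema = cp.get(section, "ldap_schema", fallback="rfc2307").strip().lower()
        if schema == "rfc2307":
            findings.append(f"{section}: ldap_schema is rfc2307 (memberUid); "
                            "IPA groups use 'member', set ldap_schema = rfc2307bis")
    return findings


def check_nsswitch(text):
    """Flag passwd/group databases that do not consult sssd (sss)."""
    findings = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or ":" not in line:
            continue
        db, sources = line.split(":", 1)
        db = db.strip()
        if db in ("passwd", "group") and "sss" not in sources.split():
            findings.append(f"nsswitch {db}: sources are '{sources.strip()}', sss is missing")
    return findings


def check_pam(text):
    """Flag auth/account stacks that use pam_krb5.so without pam_sss.so.
    pam_krb5 talks to the KDC directly, which is why logins can succeed even
    while sssd (and its group lookups) is misconfigured."""
    modules = {"auth": set(), "account": set()}
    for line in text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if not tokens:
            continue
        mtype = tokens[0].lstrip("-")
        if mtype in modules:
            # The control field may be bracketed, so take the first .so token.
            modules[mtype].update(t for t in tokens[1:] if t.endswith(".so"))
    findings = []
    for mtype, mods in modules.items():
        if "pam_krb5.so" in mods and "pam_sss.so" not in mods:
            findings.append(f"pam {mtype}: uses pam_krb5.so, not pam_sss.so; "
                            "with sssd as the provider the stack should call pam_sss.so")
    return findings


if __name__ == "__main__":
    for name, before, after, check in (
            ("sssd.conf", SSSD_CONF_BEFORE, SSSD_CONF_AFTER, check_sssd_conf),
            ("nsswitch.conf", NSSWITCH_BEFORE, NSSWITCH_AFTER, check_nsswitch),
            ("system-auth", SYSTEM_AUTH_BEFORE, SYSTEM_AUTH_AFTER, check_pam)):
        print(name, "before:", check(before) or "ok")
        print(name, "after: ", check(after) or "ok")
```

The checks only read the three files; they do not prove the server side is right. A useful companion check is `getent group somegroup` on the client after `sss_cache -E` (or clearing /var/lib/sss/db) and restarting sssd, since sssd caches the earlier rfc2307 lookups and will keep returning empty memberships until the cache is invalidated.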