[Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server

Stephen Gallagher sgallagh at redhat.com
Tue Jun 21 18:19:07 UTC 2011


On Tue, 2011-06-21 at 11:58 -0400, Dan Scott wrote:
> On Tue, Jun 21, 2011 at 11:37, Stephen Gallagher <sgallagh at redhat.com> wrote:
> > On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote:
> >> Hi,
> >>
> >> On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher <sgallagh at redhat.com> wrote:
> >> > On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
> >> >> Hi,
> >> >>
> >> >> I'm still running a FreeIPA 1.2 server but have started installing
> >> >> Fedora 15 clients and am trying to figure out how to manually set up
> >> >> the Krb/LDAP configuration.
> >> >>
> >> >> I've run the 'authconfig-tui' command and manually set up Krb
> >> >> authentication and LDAP authorisation, using DNS discovery for the
> >> >> servers. The authentication is working correctly, but when I run 'id
> >> >> $USERNAME' I don't receive the correct groups, so I believe that
> >> >> Kerberos is working, but the LDAP configuration is wrong. I've turned
> >> >> the sssd loglevel up to 100, but I can't figure out why I'm not
> >> >> getting the correct groups.
> >> >>
> >> >> My system has a variety of files and I'm not sure which are still in use:
> >> >>
> >> >> /etc/krb5.conf
> >> >> /etc/pam_ldap.conf
> >> >> /etc/sssd/sssd.conf
> >> >>
> >> >> On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' -
> >> >> this is not present on F15.
> >> >>
> >> >> Can anyone help me figure out how to get the group lookups working?
> >> >
> >> >
> >> > Probably you need to add ldap_schema=rfc2307bis into the
> >> > [domain/default] section of /etc/sssd/sssd.conf.
> >> >
> >> > If you just set authconfig up as an LDAP server, it defaults to
> >> > ldap_schema = rfc2307, which uses a different attribute on the server to
> >> > contain group memberships.
> >>
> >> Thanks, but I've tried both of those entries - it doesn't appear to
> >> make any difference.
> >>
> >> Dan
> >
> >
> > Could you attach your
> > (sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf
> > and /etc/pam.d/system-auth?
> 
> Attached, thanks. The only changes are domain names and 'dc=*' entries.
> 
> One thing that I just noticed: the system-auth file has pam_krb5.so
> entries; previously, these were pam_sss.so. I've tried using both,
> but neither appears to work.
> 
> Thanks,
> 
> Dan


Your /etc/nsswitch.conf is wrong. I just noticed that you were using
authconfig-tui, which is deprecated upstream and does not properly set up
SSSD. Only 'authconfig' (command-line) or 'authconfig-gtk' (GUI) works
properly. Feel free to file a bug against authconfig.

/etc/nsswitch.conf needs to specify 'sss' instead of 'ldap' to use SSSD.
Similarly system-auth needs to use pam_sss.so, not pam_krb5.so.

If you run 'authconfig --enablesssd --enablesssdauth --update' you
should be fine. This will update the config files with the correct
SSSD-related settings.
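The three settings this reply (and the earlier ldap_schema suggestion) turn on can be checked mechanically before and after running authconfig. The script below is an added example, not part of the thread and not code from the authconfig or SSSD projects: it audits nsswitch.conf for 'sss', system-auth for pam_sss.so (and the absence of pam_krb5.so), and sssd.conf for ldap_schema = rfc2307bis. The sample "before" files are constructed to match the state the poster describes; the "after" files approximate what 'authconfig --enablesssd --enablesssdauth --update' leaves behind, and that exact output is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or the authconfig/SSSD projects): audit
# a Fedora client for the three settings discussed above. The sample
# config files are constructed to match the states described in the thread;
# the exact lines authconfig writes are assumed, not copied from it.

# check_nsswitch FILE: 0 if passwd, group and shadow all list "sss", else 1.
check_nsswitch() {
    missing=""
    for db in passwd group shadow; do
        line=$(grep -E "^${db}:" "$1" | head -n 1)
        case " $line " in
            *" sss "*) ;;
            *) missing="$missing $db" ;;
        esac
    done
    [ -z "$missing" ] && return 0
    echo "$1: 'sss' missing for:$missing (lookups will not go through SSSD)"
    return 1
}

# check_pam FILE: 0 if pam_sss.so is present and pam_krb5.so is not, else 1.
check_pam() {
    if ! grep -q 'pam_sss\.so' "$1"; then
        echo "$1: no pam_sss.so line; authentication bypasses SSSD"
        return 1
    fi
    if grep -q 'pam_krb5\.so' "$1"; then
        echo "$1: pam_krb5.so still present; SSSD should own Kerberos auth"
        return 1
    fi
    return 0
}

# check_sssd_schema FILE: 0 if ldap_schema is rfc2307bis, else 1. SSSD's
# rfc2307 schema reads group members from memberUid; rfc2307bis reads the
# member attribute, which is what a FreeIPA directory populates.
check_sssd_schema() {
    schema=$(sed -n 's/^[[:space:]]*ldap_schema[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    [ "$schema" = "rfc2307bis" ] && return 0
    echo "$1: ldap_schema is '${schema:-unset}', expected rfc2307bis"
    return 1
}

# audit_client NSSWITCH PAMFILE SSSDCONF: run all checks; 0 only if all pass.
audit_client() {
    rc=0
    check_nsswitch "$1" || rc=1
    check_pam "$2" || rc=1
    check_sssd_schema "$3" || rc=1
    return $rc
}

# write_samples DIR: constructed "before" (the poster's state) and "after"
# (post authconfig --enablesssd --enablesssdauth --update, assumed) files.
write_samples() {
    mkdir -p "$1/before" "$1/after"
    printf 'passwd:     files ldap\nshadow:     files ldap\ngroup:      files ldap\n' \
        > "$1/before/nsswitch.conf"
    printf 'passwd:     files sss\nshadow:     files sss\ngroup:      files sss\n' \
        > "$1/after/nsswitch.conf"
    cat > "$1/before/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so
EOF
    sed 's/pam_krb5\.so/pam_sss.so/' "$1/before/system-auth" > "$1/after/system-auth"
    cat > "$1/before/sssd.conf" <<'EOF'
[sssd]
domains = default
services = nss, pam

[domain/default]
id_provider = ldap
auth_provider = krb5
ldap_schema = rfc2307
EOF
    sed 's/^ldap_schema = rfc2307$/ldap_schema = rfc2307bis/' "$1/before/sssd.conf" \
        > "$1/after/sssd.conf"
}

# Demo on the constructed files. On a real client run:
#   audit_client /etc/nsswitch.conf /etc/pam.d/system-auth /etc/sssd/sssd.conf
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for state in before after; do
    echo "== $state =="
    audit_client "$demo_dir/$state/nsswitch.conf" "$demo_dir/$state/system-auth" \
        "$demo_dir/$state/sssd.conf" && echo "client is using SSSD"
done
rm -rf "$demo_dir"
```

The nsswitch check is the one that matters for the symptom in the thread: with 'ldap' in nsswitch.conf, 'id $USERNAME' is answered by nss_ldap (or not at all), so changing ldap_schema in sssd.conf has no visible effect because SSSD is never consulted for the group lookup.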