[Freeipa-users] Configuring a Fedora 15 client to connect to a FreeIPA 1.2 server

Dan Scott danieljamesscott at gmail.com
Tue Jun 21 18:41:19 UTC 2011


On Tue, Jun 21, 2011 at 14:19, Stephen Gallagher <sgallagh at redhat.com> wrote:
> On Tue, 2011-06-21 at 11:58 -0400, Dan Scott wrote:
>> On Tue, Jun 21, 2011 at 11:37, Stephen Gallagher <sgallagh at redhat.com> wrote:
>> > On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote:
>> >> Hi,
>> >>
>> >> On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher <sgallagh at redhat.com> wrote:
>> >> > On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
>> >> >> Hi,
>> >> >>
>> >> >> I'm still running a FreeIPA 1.2 server but have started installing
>> >> >> Fedora 15 clients and am trying to figure out how to manually set up
>> >> >> the Krb/LDAP configuration.
>> >> >>
>> >> >> I've run the 'authconfig-tui' command and manually set up Krb
>> >> >> authentication and LDAP authorisation, using DNS discovery for the
>> >> >> servers. The authentication is working correctly, but when I run 'id
>> >> >> $USERNAME' I don't receive the correct groups, so I believe that
>> >> >> Kerberos is working, but the LDAP configuration is wrong. I've turned
>> >> >> the sssd loglevel up to 100, but I can't figure out why I'm not
>> >> >> getting the correct groups.
>> >> >>
>> >> >> My system has a variety of files and I'm not sure which are still in use:
>> >> >>
>> >> >> /etc/krb5.conf
>> >> >> /etc/pam_ldap.conf
>> >> >> /etc/sssd/sssd.conf
>> >> >>
>> >> >> On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' -
>> >> >> this is not present on F15.
>> >> >>
>> >> >> Can anyone help me figure out how to get the group lookups working?
>> >> >
>> >> >
>> >> > Probably you need to add ldap_schema=rfc2307bis into the
>> >> > [domain/default] section of /etc/sssd/sssd.conf.
>> >> >
>> >> > If you just set authconfig up as an LDAP server, it defaults to
>> >> > ldap_schema = rfc2307, which uses a different attribute on the server to
>> >> > contain group memberships.
>> >>
>> >> Thanks, but I've tried both of those entries - it doesn't appear to
>> >> make any difference.
>> >>
>> >> Dan
>> >
>> >
>> > Could you attach your
>> > (sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf
>> > and /etc/pam.d/system-auth?
>>
>> Attached, thanks. The only changes are domain names and 'dc=*' entries.
>>
>> One thing that I just noticed: the system-auth file has pam_krb5.so
>> entries; previously, these were pam_sss.so. I've tried using both,
>> but neither appears to work.
>>
>> Thanks,
>>
>> Dan
>
>
> Your /etc/nsswitch.conf is wrong. I just noticed that you were using
> authconfig-tui which is deprecated upstream and does not properly set up
> SSSD. Only 'authconfig' (command-line) or 'authconfig-gtk' (GUI) works
> properly. Feel free to file a bug against authconfig.
>
> /etc/nsswitch.conf needs to specify 'sss' instead of 'ldap' to use SSSD.
> Similarly system-auth needs to use pam_sss.so, not pam_krb5.so.
>
> If you run 'authconfig --enablesssd --enablesssdauth --update' you
> should be fine. This will update the config files with the correct
> SSSD-related settings.

Excellent! Thanks - that makes much more sense. I've been using
authconfig-tui all this time and had no idea that it was doing things
incorrectly.

One small issue that I found: if I switch on the "Use DNS to resolve
hosts to realms" option, then the krb5_realm (in sssd.conf) and
default_realm (in krb5.conf) are removed and my authentication fails.
I'm pretty sure that I have DNS correctly configured (_kerberos IN TXT
EXAMPLE.COM). Does the sssd client look for different DNS records for
realm discovery?

Thanks for your help,

Dan
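The thread settles on three concrete changes for an SSSD-based client: /etc/nsswitch.conf must route passwd/group/shadow through 'sss' rather than 'ldap', /etc/pam.d/system-auth must call pam_sss.so rather than pam_krb5.so, and /etc/sssd/sssd.conf needs ldap_schema = rfc2307bis (FreeIPA keeps group membership in the 'member' attribute, which the rfc2307 schema's 'memberUid' lookup never sees) plus a krb5_realm. The script below is an added example, not code from the thread or from the FreeIPA or authconfig projects; it audits copies of those three files for exactly those points. The sample files it writes are constructed here to resemble the before and after state described in the thread and are not Dan's attachments; EXAMPLE.COM and the [domain/default] section name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread. Audits the three files the
# thread identified on an SSSD-based FreeIPA client. File paths are
# parameters so the checks can run against copies as well as /etc.

# nsswitch.conf: passwd/group/shadow must be served by 'sss', not 'ldap'.
check_nsswitch() {
    for db in passwd group shadow; do
        entry=$(grep -E "^[[:space:]]*$db:" "$1" | head -n 1 | tr '\t' ' ')
        case " $entry " in
            *" sss "*)  ;;
            *" ldap "*) echo "nsswitch.conf: $db uses 'ldap', SSSD needs 'sss'" ;;
            *)          echo "nsswitch.conf: $db does not list 'sss'" ;;
        esac
    done
}

# system-auth: must call pam_sss.so; authconfig-tui left pam_krb5.so instead.
check_pam() {
    grep -q 'pam_sss\.so' "$1" || echo "system-auth: no pam_sss.so line"
    grep -q 'pam_krb5\.so' "$1" && echo "system-auth: pam_krb5.so present, use pam_sss.so"
    return 0
}

# sssd.conf: rfc2307bis schema (group membership lives in 'member', not the
# rfc2307 'memberUid') and an explicit krb5_realm.
check_sssd() {
    grep -Eq '^[[:space:]]*ldap_schema[[:space:]]*=[[:space:]]*rfc2307bis[[:space:]]*$' "$1" \
        || echo "sssd.conf: ldap_schema is not rfc2307bis"
    grep -Eq '^[[:space:]]*krb5_realm[[:space:]]*=' "$1" \
        || echo "sssd.conf: krb5_realm is not set"
    return 0
}

# Print one finding per line for the three files (nsswitch, system-auth, sssd.conf).
audit_client_config() {
    check_nsswitch "$1"
    check_pam "$2"
    check_sssd "$3"
}

# Finding count; 0 means the files match the configuration the thread settled on.
count_findings() {
    audit_client_config "$1" "$2" "$3" | grep -c . || true
}

# Constructed sample files (not the thread's attachments): 'broken' mimics
# what authconfig-tui left behind, 'fixed' the state the thread's
# 'authconfig --enablesssd --enablesssdauth --update' is meant to reach.
# Realm EXAMPLE.COM and the [domain/default] section name are assumptions.
write_sample() {   # $1: broken|fixed, $2: directory to write into
    mkdir -p "$2"
    if [ "$1" = broken ]; then
        printf 'passwd:\tfiles ldap\nshadow:\tfiles ldap\ngroup:\tfiles ldap\n' > "$2/nsswitch.conf"
        printf 'auth     sufficient  pam_krb5.so use_first_pass\naccount  [default=bad success=ok user_unknown=ignore] pam_krb5.so\n' > "$2/system-auth"
        printf '[domain/default]\nid_provider = ldap\nauth_provider = krb5\nldap_schema = rfc2307\n' > "$2/sssd.conf"
    else
        printf 'passwd:\tfiles sss\nshadow:\tfiles sss\ngroup:\tfiles sss\n' > "$2/nsswitch.conf"
        printf 'auth     sufficient  pam_sss.so use_first_pass\naccount  [default=bad success=ok user_unknown=ignore] pam_sss.so\n' > "$2/system-auth"
        printf '[domain/default]\nid_provider = ldap\nauth_provider = krb5\nldap_schema = rfc2307bis\nkrb5_realm = EXAMPLE.COM\n' > "$2/sssd.conf"
    fi
}

# Usage: sh audit.sh nsswitch.conf system-auth sssd.conf
# With no arguments it audits the live files when an sssd.conf is present.
if [ "$#" -eq 3 ]; then
    audit_client_config "$1" "$2" "$3"
elif [ "$#" -eq 0 ] && [ -f /etc/sssd/sssd.conf ]; then
    audit_client_config /etc/nsswitch.conf /etc/pam.d/system-auth /etc/sssd/sssd.conf
fi
```

On the constructed 'broken' set the audit reports seven findings (three nsswitch databases on 'ldap', the two PAM problems, and the schema and realm lines in sssd.conf); on the 'fixed' set it reports none. The nsswitch check normalises tabs before matching because authconfig-written files mix tabs and spaces, and each checker returns 0 so the script can be sourced under set -e without aborting on the first finding.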
