[Freeipa-users] SSSD Failover does not work

Arthur Faizullin arthur at deus.pro
Fri Mar 21 03:32:13 UTC 2014


Will it be represented in documentation&wiki? :)

25.02.2014 18:33, Jakub Hrozek wrote:
> On Tue, Feb 25, 2014 at 10:28:19AM +0100, Stanislav Zidek wrote:
>>> Date: Fri, 17 Jan 2014 09:46:08 -0500
>>> From: Dmitri Pal <dpal at redhat.com>
>>> To: freeipa-users at redhat.com
>>> Subject: Re: [Freeipa-users] SSSD Failover does not work
>>> Message-ID: <52D94230.6080108 at redhat.com>
>>> Content-Type: text/plain; charset=ISO-8859-1
>>>
>>> You would need to up the debug_level to 6 on SSSD, restart it, then
>>> simulate the situation and provide sanitized logs and sssd configuration
>>> file.
>> Hi and sorry for late reply, I've been ill and then lots of work waited
>> for me ;)
>>
>> I tried to further debug the issue and I was able to make it work by
>> adding the second ipa server also to directives ldap_uri and krb5_server
>> (it was probably my mistake to put it only to ipa_server) - of course in
>> /etc/sssd/sssd.conf
>>
>> Here is my working /etc/sssd/sssd.conf in case anyone finds it useful
>> (or someone has a comment - feel free to tell me how to make things better):
>>
>> [domain/kajot.cz]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = kajot.cz
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> ipa_hostname = <<<SERVER NAME>>>
>> chpass_provider = ipa
>> ipa_server = id1.kajot.cz, id2.kajot.cz
>>
>> # For the SUDO integration
>> sudo_provider = ldap
>> ldap_uri = ldap://id1.kajot.cz, ldap://id2.kajot.cz
>> ldap_sudo_search_base = ou=sudoers,dc=kajot,dc=cz
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = host/redmine.kajot.cz
>> ldap_sasl_realm = KAJOT.CZ
>> krb5_server = id1.kajot.cz, id2.kajot.cz
>>
>>
>> ldap_sudo_smart_refresh_interval = 120
>> ldap_sudo_full_refresh_interval = 300
>>
>> [sssd]
>> services = nss, pam, ssh, sudo
>> config_file_version = 2
>>
>> domains = kajot.cz
>>
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>>
>> P.S. I hope it gets posted to the right place, Thunderbird and digest
>> mode is probably not very good combination.. If it goes wrong, sorry in
>> advance.
>>
>> S.
>>
> Ah, I didn't realize you were mixing several provider types. It's the
> right thing to do for sudo integration with RHEL-6, unfortunately.
>
> In 6.6 there will be (and there already is in 7.0 and upstream 1.9.6 and
> later) a native sudo_provider=ipa so you'll be able to streamline your
> configuration even more.
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users
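The failure Stanislav hit is worth making mechanical: with a mixed setup the
ldap sudo backend fails over across ldap_uri, not ipa_server, and an
explicitly set krb5_server overrides whatever the ipa provider would derive,
so each list has to repeat every replica. The script below is an added
example written for this reply (it is not SSSD tooling and not from anyone
in the thread). It parses an sssd.conf and reports, per domain, which hosts
from ipa_server are missing from ldap_uri or krb5_server. The two sample
configs are constructed here after the one posted above, with the same
placeholder host names; the set of *_provider keys it scans is my own list.

```python
"""Check that a mixed-provider SSSD domain repeats its IPA replica list in
every failover list the other backends actually read.

Added example for the freeipa-users thread "SSSD Failover does not work";
not part of SSSD. Sample configs are constructed after the posted one.
"""
import configparser
from urllib.parse import urlsplit

# Constructed sample: the situation described in the thread, where only
# ipa_server knows about the second replica.
SAMPLE_BROKEN = """
[sssd]
services = nss, pam, ssh, sudo
config_file_version = 2
domains = kajot.cz

[domain/kajot.cz]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = kajot.cz
ipa_server = id1.kajot.cz, id2.kajot.cz
sudo_provider = ldap
ldap_uri = ldap://id1.kajot.cz
krb5_server = id1.kajot.cz
"""

# Constructed sample: the posted fix, every list carries both replicas.
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    "ldap_uri = ldap://id1.kajot.cz",
    "ldap_uri = ldap://id1.kajot.cz, ldap://id2.kajot.cz",
).replace(
    "krb5_server = id1.kajot.cz",
    "krb5_server = id1.kajot.cz, id2.kajot.cz",
)

# Options whose value names a backend type (assumed list for this example).
PROVIDER_KEYS = ("id_provider", "auth_provider", "access_provider",
                 "chpass_provider", "sudo_provider", "autofs_provider",
                 "hostid_provider", "session_provider")


def _split_list(value):
    """SSSD separates multi-valued server options with commas."""
    return [v.strip() for v in value.split(",") if v.strip()]


def _host_of(server):
    """Normalise 'ldap://host:389' or 'host:88' to a lowercase host name.
    The '_srv_' DNS-discovery token is kept literally, so both lists must
    use it for it to count as present."""
    if "://" in server:
        return (urlsplit(server).hostname or "").lower()
    return server.split(":")[0].lower()


def check_failover(config_text):
    """Return {domain: {option: [missing hosts]}} for every IPA domain.

    An empty inner dict means the domain's failover lists are consistent.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    domains = _split_list(cp.get("sssd", "domains", fallback=""))
    report = {}
    for dom in domains:
        sec = "domain/" + dom
        if not cp.has_section(sec) or "ipa_server" not in cp[sec]:
            continue  # not an IPA domain with an explicit server list
        d = cp[sec]
        ipa_hosts = {_host_of(s) for s in _split_list(d["ipa_server"])}
        providers = {d[k].strip().lower() for k in PROVIDER_KEYS if k in d}
        findings = {}
        # A backend set to "ldap" never looks at ipa_server; it fails over
        # across ldap_uri only, so that list must exist and name every replica.
        if "ldap" in providers and "ldap_uri" not in d:
            findings["ldap_uri"] = sorted(ipa_hosts)
        # Any server list that is given explicitly must cover the same replicas.
        for opt in ("ldap_uri", "krb5_server"):
            if opt in d:
                listed = {_host_of(s) for s in _split_list(d[opt])}
                missing = sorted(ipa_hosts - listed)
                if missing:
                    findings[opt] = missing
        report[dom] = findings
    return report


if __name__ == "__main__":
    for name, text in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, check_failover(text))
```

Point it at a real file with check_failover(open("/etc/sssd/sssd.conf").read())
before you restart sssd after adding a replica. It only reports what is
inconsistent between the lists; whether krb5_server has to be set at all when
auth_provider = ipa is not something this thread settles, so the check
treats it the way Stanislav's working config does and verifies it when
present.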
