[Freeipa-users] No result when trying to integrate a FreeBSD client with the FreeIPA server

Orkhan Gasimov orkhan-azeri at mail.ru
Tue Oct 14 09:49:00 UTC 2014

I suspected that problems could arise with DNS, and here they are...

In fact, this entire string: "ipa_server = _srv_ #our FreeIPA server has 
DNS SRV entries" was taken as-is from the how-to on FreeBSD forums. 
First I commented it out, because I was unsure if it was appropriate 
for my simple setup with just 2 VMs and a bunch of records in the 
/etc/hosts file. After starting sssd, I could get no IPA data 
with "getent passwd" or "getent group" commands. Then I uncommented it 
and restarted sssd, but things remained the same.

Now your advice is: "...add IP address or hostname to the option 
ipa_server", but you use an arbitrary name like "vm-120.eurosel.az". 
Could you please explain which host's FQDN I should put there? If I use 
"ipa1.eurosel.az", then sssd won't start (complains about "...Looping 
detected inside krb5_get_in_tkt...").

If it MUST be a DNS server, then everything changes. And the question 
then becomes: is it possible to set up a test FreeIPA client-server 
interaction using only 2 VMs and proper records in /etc/hosts instead of 
a DNS server? Or one MUST add a third VM and make it a DNS server to 
facilitate client-server interaction?

14-Oct-14 12:58, Lukas Slebodnik wrote:
> On (14/10/14 10:23), Orkhan Gasimov wrote:
>> Thanks to both of you for the interest.
>> Here's the info you asked:
>> 1. Putting "debug_level = 7" either in [domain] or/and [nss] section of the
>> /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file
>> located at /var/log/sssd/sssd.log is only populated with data when I make
>> some errors in sssd.conf & sssd process fails to start. But that's the case
>> only if I deliberately introduce some errors; with current configuration sssd
>> starts successfully.
>> 2. My original sssd.conf (without debugs) is as follows (exact copy of what
>> was shown in the post at FreeBSD forums):
>> -----------------------------------------
>> [domain/mydomain.com]
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = mydomain.com
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = ipa1.mydomain.com
>> chpass_provider = ipa
>> ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
> [resolv_getsrv_send] (0x0100): Trying to resolve SRV record of '_ldap._tcp.eurosel.az'
> ...
> [resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
> [set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not resolved'
> [be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup meta-server), resolver returned (5)
> DNS discovery of IPA server failed, because you just configured a few hostnames
> in /etc/hosts
> You can add IP address or hostname to the option ipa_server
> e.g.
>      ipa_server = _srv_, vm-120.eurosel.az
> BTW In my opinion, it is better to have the comment before the option and not on
> the same line :-)
> LS
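
The two points raised in the quoted reply (SRV-only discovery with nothing but /etc/hosts, and the comment sharing a line with the option) can be checked mechanically. The following is an added example, not part of the original thread or of SSSD; the function names, finding labels and sample data are constructed for illustration, and it assumes name resolution comes only from a hosts file.

```python
import ipaddress
import re

# Constructed sample inputs modelled on the thread (not from a real host).
SSSD_CONF = """\
[domain/mydomain.com]
id_provider = ipa
ipa_domain = mydomain.com
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
"""
HOSTS = """\
127.0.0.1   localhost
192.0.2.10  ipa1.mydomain.com ipa1
192.0.2.20  client1.mydomain.com client1
"""

def is_ip(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False

def hosts_names(hosts_text):
    """Every name that /etc/hosts-style text can resolve."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        names.update(n.lower() for n in fields[1:])
    return names

def check_ipa_server(conf_text, hosts_text):
    """Findings for ipa_server lines when only a hosts file is available."""
    findings, known = [], hosts_names(hosts_text)
    for line in conf_text.splitlines():
        m = re.match(r"\s*ipa_server\s*=\s*(.*)$", line)
        if not m:
            continue
        value = m.group(1)
        # sssd.conf(5): inline comments are not supported, so text after
        # '#' or ';' on an option line is not ignored as a comment.
        if "#" in value or ";" in value:
            findings.append("inline-comment")
            value = re.split(r"[#;]", value, maxsplit=1)[0]
        servers = [s.strip().lower() for s in value.split(",") if s.strip()]
        explicit = [s for s in servers if s != "_srv_"]
        if "_srv_" in servers and not explicit:
            findings.append("srv-only")  # no fallback if SRV lookup fails
        findings += [f"unresolvable:{s}" for s in explicit
                     if not is_ip(s) and s not in known]
    return findings
```

An empty list means the `ipa_server` line names at least one server that the hosts file can resolve (or an IP address) and carries no trailing comment.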
