[Freeipa-users] sssd options ignored?

Gould, Joshua Joshua.Gould at osumc.edu
Wed Mar 18 14:21:02 UTC 2015



On 3/18/15, 9:48 AM, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:

>On Wed, 18 Mar 2015, Gould, Joshua wrote:
>>On 3/18/15, 4:28 AM, "Alexander Bokovoy" <abokovoy at redhat.com> wrote:
>>
>>>On Wed, 18 Mar 2015, Gould, Joshua wrote:
>>>>
>>>>
>>>>I'll be happy to remove the AD section from the sssd.conf file and test
>>>>but I think there's more going on. The AD section was generated from the
>>>>IPA client install. I never manually added anything other than "pac" to
>>>>the services line under the [sssd] section and the two ldap_idmap_range
>>>>options.
>>>Show your /var/log/ipaclient-install.log. ipa-client-install has no
>>>support to generate sections for AD at all.
>>
>>I think then it would have to be the “ipa trust-add” command which
>>generates those sections then? The command that I used was:
>No, it is not. We don't have *any* code that could have generated that
>section in FreeIPA.

Since we’re still in the test phase, I can fairly easily set things up
again. It will help me to improve my own documentation for how things are
setup in test and how I can set things up in production. When I do that, I
can look at the sssd.conf after each step and see where it gets modified
and let you know. Like I said, I never created the domain section, but I
did add the debugging statement, the range options and the option for pac.

>
>># ipa trust-add --type=ad TEST.OSUWMC --admin=farus --password
>>--range-type=ipa-ad-trust
>>Active Directory domain administrator's password:
>>ipa: ERROR: AD DC was unable to reach any IPA domain controller. Most
>>likely it is a DNS or firewall issue
>>
>>
>>The trust was created even with that error message and seems to work.
>Do you get something like
>
>$ kdestroy -A
>$ kinit admin
>$ kvno -S cifs <hostname of AD DC>
>$ klist -ef
>
>working?

All of those work even with the error when initially creating the trust.
We basically treated the error as cosmetic since everything else seems to
work.

[goul09 at mid-ipa-vp01 ~]$ kdestroy
kdestroy: No credentials cache found while destroying cache
[goul09 at mid-ipa-vp01 ~]$ kinit admin
Password for admin at UNIX.TEST.OSUWMC:
[goul09 at mid-ipa-vp01 ~]$ kvno -S cifs svr-addc-vt01.test.osuwmc
cifs/svr-addc-vt01.test.osuwmc at TEST.OSUWMC: kvno = 16
[goul09 at mid-ipa-vp01 ~]$ klist -ef
Ticket cache: FILE:/tmp/krb5cc_998
Default principal: admin at UNIX.TEST.OSUWMC

Valid starting       Expires              Service principal
03/18/2015 10:15:28  03/19/2015 10:15:25
krbtgt/UNIX.TEST.OSUWMC at UNIX.TEST.OSUWMC
	Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
03/18/2015 10:16:08  03/19/2015 10:15:25
krbtgt/TEST.OSUWMC at UNIX.TEST.OSUWMC
	Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
03/18/2015 10:15:46  03/18/2015 20:15:46
cifs/svr-addc-vt01.test.osuwmc at TEST.OSUWMC
	Flags: FA, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
[goul09 at mid-ipa-vp01 ~]$
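
Added example, not from the thread or FreeIPA itself: a small POSIX shell check that a saved `klist -ef` listing contains the ticket chain the four commands above are meant to produce (the cross-realm TGT krbtgt/AD@IPA and the AD service ticket) and that no ticket still uses RC4 or (3)DES. Realm and host names are the ones from the thread; the listing is a constructed sample, written with a literal "@" where the list archive shows " at ".

```shell
#!/bin/sh
# check_trust_tickets IPA_REALM AD_REALM LISTING SERVICE_PRINCIPAL
# Succeeds (0) only if LISTING, a saved "klist -ef" output, holds both the
# cross-realm TGT krbtgt/AD_REALM@IPA_REALM and a ticket for SERVICE_PRINCIPAL
# issued by AD_REALM.  klist wraps long principals onto their own line, so the
# patterns anchor only at end of line.  Returns 1 (no cross-realm TGT) or
# 2 (no service ticket) otherwise.
check_trust_tickets() {
    ipa_realm=$1 ad_realm=$2 listing=$3 svc=$4
    grep -q "krbtgt/${ad_realm}@${ipa_realm}\$" "$listing" || return 1
    grep -q "${svc}@${ad_realm}\$" "$listing" || return 2
}

# check_enctypes LISTING
# Fails if any session key or ticket in LISTING uses arcfour/RC4 or (3)DES.
check_enctypes() {
    ! grep -Eiq '(arcfour|rc4|des3?)-(hmac|cbc)' "$1"
}

# Constructed sample listings (not captures), modelled on the thread's output.
good=$(mktemp); bad=$(mktemp)
trap 'rm -f "$good" "$bad"' EXIT
cat >"$good" <<'EOF'
Ticket cache: FILE:/tmp/krb5cc_998
Default principal: admin@UNIX.TEST.OSUWMC

Valid starting       Expires              Service principal
03/18/2015 10:15:28  03/19/2015 10:15:25
krbtgt/UNIX.TEST.OSUWMC@UNIX.TEST.OSUWMC
    Flags: FIA, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
03/18/2015 10:16:08  03/19/2015 10:15:25
krbtgt/TEST.OSUWMC@UNIX.TEST.OSUWMC
    Flags: FAT, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
03/18/2015 10:15:46  03/18/2015 20:15:46
cifs/svr-addc-vt01.test.osuwmc@TEST.OSUWMC
    Flags: FA, Etype (skey, tkt): aes256-cts-hmac-sha1-96,
aes256-cts-hmac-sha1-96
EOF
# A cache where the trust path never got exercised and RC4 is still in use.
cat >"$bad" <<'EOF'
Default principal: admin@UNIX.TEST.OSUWMC
03/18/2015 10:15:28  03/19/2015 10:15:25
krbtgt/UNIX.TEST.OSUWMC@UNIX.TEST.OSUWMC
    Flags: FIA, Etype (skey, tkt): arcfour-hmac, arcfour-hmac
EOF

IPA=UNIX.TEST.OSUWMC AD=TEST.OSUWMC SVC=cifs/svr-addc-vt01.test.osuwmc
if check_trust_tickets "$IPA" "$AD" "$good" "$SVC" && check_enctypes "$good"; then
    echo "trust ticket chain OK, no weak enctypes"
fi
```

Run it against the real cache with `klist -ef > listing.txt` and the same three arguments; a return of 1 means the cross-realm TGT was never issued, which is the first thing to look at when the trust seems half-working.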
