[Freeipa-users] krb5_server in sssd.conf after ipa-server-install

lejeczek peljasz at yahoo.co.uk
Sun Mar 13 17:26:36 UTC 2016



On 13/03/16 13:34, Alexander Bokovoy wrote:
> On Sun, 13 Mar 2016, lejeczek wrote:
>> IPA install process configured in sssd.conf:
>> [domain/new.Domain]
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = newDomain
>> id_provider = ipa
>> ...
>> ...
>> [domain/default]  # < this is ldap that existed before, krb5 related options are new additions
>> autofs_provider = ldap
>> cache_credentials = True
>> krb5_realm = new.Domain
>> ldap_search_base = dc=old,dc=domain
>> id_provider = ldap
>> krb5_server = a.host
>>
>> [sssd]
>> services = nss, sudo, pam, autofs, ssh
>> config_file_version = 2
>> domains =new.Domain
>>
>> so here I wonder, what's the meaning of krb5 related options and
>> why install process put it into default domain which it did not
>> include later in sssd section.
> FreeIPA installer doesn't touch 'default' domain section at all. It
> always operates on the section named 'domain/<domain name>'.
>
> It also adds 'krb5_realm' line only in case your <domain name> and realm
> are different. For example, if you have DNS domain example.com and
> Kerberos realm EXAMPLE.NET, then [domain/example.com] will get
>
Yes, FQDN/DNS was different, but both krb5_realm & krb5_server were put
into domain/default. I'm certain of that because I'm just looking at the
backup copy of the config.
Should these be in the domain/new.Domain which the installer created/added?
>  krb5_realm = EXAMPLE.NET
>
> added to the section.
>
> Looks like you had something previously on this machine using SSSD and
> configuring it with [domain/default] section.
>
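
An added example, not part of the original thread: a small audit that lists `[domain/...]` sections not named on the `domains` line of `[sssd]`, together with any `krb5_*` options they carry, which is the situation described above for `[domain/default]`. The function name `audit_sssd` and the sample text (constructed from the configuration quoted in the message, with the elided lines left out) are assumptions made for this illustration.

```python
import configparser

# Constructed sample, modelled on the configuration quoted in the thread.
SAMPLE = """\
[domain/new.Domain]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = newDomain
id_provider = ipa

[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = new.Domain
ldap_search_base = dc=old,dc=domain
id_provider = ldap
krb5_server = a.host

[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains =new.Domain
"""

def audit_sssd(text):
    """Compare [domain/...] sections with the [sssd] 'domains' list."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    raw = cfg.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]
    # Map domain name -> section name for every [domain/<name>] section.
    defined = {s.split("/", 1)[1]: s
               for s in cfg.sections() if s.startswith("domain/")}
    report = {"enabled": enabled, "unreferenced": {}, "missing": []}
    for name, section in defined.items():
        if name not in enabled:  # exact-match comparison (assumption)
            # Collect the Kerberos settings sitting in the unlisted section.
            report["unreferenced"][name] = {
                k: v for k, v in cfg[section].items() if k.startswith("krb5_")}
    # Domains named in [sssd] that have no section of their own.
    report["missing"] = [d for d in enabled if d not in defined]
    return report

if __name__ == "__main__":
    result = audit_sssd(SAMPLE)
    print("enabled domains:", result["enabled"])
    for name, krb5 in result["unreferenced"].items():
        print(f"[domain/{name}] is not listed in [sssd] domains; krb5 options: {krb5}")
    for name in result["missing"]:
        print(f"'{name}' is listed in [sssd] domains but has no section")
```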