[Freeipa-users] krb5_server in sssd.conf after ipa-server-install

Alexander Bokovoy abokovoy at redhat.com
Sun Mar 13 20:01:21 UTC 2016


On Sun, 13 Mar 2016, lejeczek wrote:
>
>
>On 13/03/16 13:34, Alexander Bokovoy wrote:
>>On Sun, 13 Mar 2016, lejeczek wrote:
>>>IPA install process configured in sssd.conf:
>>>[domain/new.Domain]
>>>cache_credentials = True
>>>krb5_store_password_if_offline = True
>>>ipa_domain = newDomain
>>>id_provider = ipa
>>>...
>>>...
>>>[domain/default]  # < this is ldap that existed before, krb5 related options are new additions
>>>autofs_provider = ldap
>>>cache_credentials = True
>>>krb5_realm = new.Domain
>>>ldap_search_base = dc=old,dc=domain
>>>id_provider = ldap
>>>krb5_server = a.host
>>>
>>>[sssd]
>>>services = nss, sudo, pam, autofs, ssh
>>>config_file_version = 2
>>>domains =new.Domain
>>>
>>>so here I wonder, what's the meaning of krb5 related options and 
>>>why install process put it into default domain which it did not 
>>>include later in sssd section.
>>FreeIPA installer doesn't touch 'default' domain section at all. It
>>always operates on the section named 'domain/<domain name>'.
>>
>>It also adds 'krb5_realm' line only in case your <domain name> and realm
>>are different. For example, if you have DNS domain example.com and
>>Kerberos realm EXAMPLE.NET, then [domain/example.com] will get
>>
>yes, FQDN/DNS was different, but both krb5_realm & krb5_server were put 
>into domain/default, I'm certain of that because I'm just looking at the 
>backup copy of the config.
>should these be in the domain/new.Domain which installer 
>created/added?
Yes. Before answering I did check the code and it only modified the new
section with krb5_realm, not anything else.
-- 
/ Alexander Bokovoy
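
An added example, not part of the thread and not FreeIPA or SSSD code: a small Python check that lists which [domain/...] sections are named in the `domains` line of [sssd] and reports krb5_* options sitting in sections that are not named there, as with [domain/default] above. The sample text is constructed from the configuration quoted in the thread, and comparing domain names exactly as written is an assumption of this sketch.

```python
import configparser

# Constructed sample modelled on the configuration quoted in the thread.
SAMPLE = """\
[domain/new.Domain]
cache_credentials = True
krb5_store_password_if_offline = True
id_provider = ipa

[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = new.Domain
ldap_search_base = dc=old,dc=domain
id_provider = ldap
krb5_server = a.host

[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains =new.Domain
"""


def audit_sssd(text):
    """Return (active, inactive, stray) for an sssd.conf given as text.

    active / inactive: domain names listed / not listed in [sssd] domains.
    stray: {inactive domain name: [krb5_* options found in its section]}.
    """
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    enabled = []
    if cp.has_option("sssd", "domains"):
        enabled = [d.strip() for d in cp.get("sssd", "domains").split(",") if d.strip()]
    active, inactive, stray = [], [], {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        if name in enabled:  # assumption: names compared exactly as written
            active.append(name)
            continue
        inactive.append(name)
        krb = sorted(k for k in cp.options(section) if k.startswith("krb5_"))
        if krb:
            stray[name] = krb
    return active, inactive, stray
```

To check a real file, pass its contents, for example `audit_sssd(open("/etc/sssd/sssd.conf").read())`, and review any section that appears in the third return value.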



