[Freeipa-users] krb5_server in sssd.conf after ipa-server-install

Jan Pazdziora jpazdziora at redhat.com
Mon Mar 14 12:18:29 UTC 2016


On Sun, Mar 13, 2016 at 03:34:27PM +0200, Alexander Bokovoy wrote:
> On Sun, 13 Mar 2016, lejeczek wrote:
> >IPA install process configured in sssd.conf:
> >[domain/new.Domain]
> >cache_credentials = True
> >krb5_store_password_if_offline = True
> >ipa_domain = newDomain
> >id_provider = ipa
> >...
> >...
> >[domain/default]  # < this is ldap that existed before, krb5 related
> >options are new additions
> >autofs_provider = ldap
> >cache_credentials = True
> >krb5_realm = new.Domain
> >ldap_search_base = dc=old,dc=domain
> >id_provider = ldap
> >krb5_server = a.host
> >
> >[sssd]
> >services = nss, sudo, pam, autofs, ssh
> >config_file_version = 2
> >domains =new.Domain
> >
> >so here I wonder, what's the meaning of krb5 related options and why
> >install process put it into default domain which it did not include later
> >in sssd section.
> FreeIPA installer doesn't touch 'default' domain section at all. It
> always operates on the section named 'domain/<domain name>'.

Actually, that does not seem to be what I experience.

On RHEL 6.7 and RHEL 7.2, I've tried to start with sssd.conf
containing

	[domain/default]
	autofs_provider = ldap
	cache_credentials = True
	ldap_search_base = dc=old,dc=domain
	id_provider = ldap

I tried ipa-server-install and I tried ipa-client-install. In both
cases, the resulting sssd.conf had the [domain/default] section
removed. So something in the process seems to care about that section
-- maybe not the installer, maybe authconfig or something else.

On the other hand, I was not able to reproduce the change to the
content of the domain/default section that lejeczek reports. I guess
we will need more detailed steps to reproduce, including the exact
original sssd.conf and versions of relevant packages.

-- 
Jan Pazdziora
Senior Principal Software Engineer, Identity Management Engineering, Red Hat
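
Added example (not part of the original message and not FreeIPA or SSSD code): a small Python script that compares a saved copy of sssd.conf with the post-install file and flags domain sections not listed in `[sssd] domains`. The two sample configs are constructed from the snippets quoted in this thread, with the elided lines omitted and the `[sssd]` section of the "before" file assumed.

```python
import configparser

# Constructed samples based on the snippets quoted in this thread; elided
# lines are omitted and the [sssd] section of BEFORE is an assumption.
BEFORE = """\
[domain/default]
autofs_provider = ldap
cache_credentials = True
ldap_search_base = dc=old,dc=domain
id_provider = ldap
[sssd]
domains = default
"""
AFTER = """\
[domain/new.Domain]
ipa_domain = newDomain
id_provider = ipa
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = new.Domain
ldap_search_base = dc=old,dc=domain
id_provider = ldap
krb5_server = a.host
[sssd]
domains =new.Domain
"""

def load(text):
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def compare(before_text, after_text):
    """Report sections removed/added, per-option changes, and unlisted domains."""
    before, after = load(before_text), load(after_text)
    rep = {"removed": [], "added": [], "changed": {}, "inactive": []}
    for sec in sorted(set(before.sections()) | set(after.sections())):
        if sec not in after.sections():
            rep["removed"].append(sec)
        elif sec not in before.sections():
            rep["added"].append(sec)
        else:
            b, a = dict(before[sec]), dict(after[sec])
            delta = {k: (b.get(k), a.get(k))
                     for k in sorted(set(b) | set(a)) if b.get(k) != a.get(k)}
            if delta:
                rep["changed"][sec] = delta
    # Flag [domain/NAME] sections whose NAME is not listed in [sssd] domains.
    active = {d.strip() for d in after.get("sssd", "domains", fallback="").split(",")}
    rep["inactive"] = [s for s in after.sections()
                       if s.startswith("domain/") and s[7:] not in active]
    return rep

if __name__ == "__main__":
    print(compare(BEFORE, AFTER))
```

Saving sssd.conf before running the installer and feeding both copies to `compare` gives the kind of exact before/after record asked for above.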



