[Freeipa-users] krb5_server in sssd.conf after ipa-server-install

Alexander Bokovoy abokovoy at redhat.com
Mon Mar 14 12:21:36 UTC 2016


On Mon, 14 Mar 2016, Jan Pazdziora wrote:
>On Sun, Mar 13, 2016 at 03:34:27PM +0200, Alexander Bokovoy wrote:
>> On Sun, 13 Mar 2016, lejeczek wrote:
>> >IPA install process configured in sssd.conf:
>> >[domain/new.Domain]
>> >cache_credentials = True
>> >krb5_store_password_if_offline = True
>> >ipa_domain = newDomain
>> >id_provider = ipa
>> >...
>> >...
>> >[domain/default]  # < this is ldap that existed before, krb5 related
>> >options are new additions
>> >autofs_provider = ldap
>> >cache_credentials = True
>> >krb5_realm = new.Domain
>> >ldap_search_base = dc=old,dc=domain
>> >id_provider = ldap
>> >krb5_server = a.host
>> >
>> >[sssd]
>> >services = nss, sudo, pam, autofs, ssh
>> >config_file_version = 2
>> >domains =new.Domain
>> >
>> >so here I wonder, what's the meaning of krb5 related options and why
>> >install process put it into default domain which it did not include later
>> >in sssd section.
>> FreeIPA installer doesn't touch 'default' domain section at all. It
>> always operates on the section named 'domain/<domain name>'.
>
>Actually, that does not seem what I experience.
>
>On RHEL 6.7 and RHEL 7.2, I've tried to start with sssd.conf
>containing
>
>	[domain/default]
>	autofs_provider = ldap
>	cache_credentials = True
>	ldap_search_base = dc=old,dc=domain
>	id_provider = ldap
>
>I tried ipa-server-install and I tried ipa-client-install. In both
>cases, the resulting sssd.conf had the [domain/default] section
>removed. So something in the process seems to care about that section
>-- maybe not the installer, maybe authconfig or something else.
If sssd.conf exists, IPA installer (ipa-client-install) will back the
file up. If there is a clash in config, it will start afresh because
you anyway have a backup copy.

>On the other hand, I was not able to reproduce the change to the
>content of the domain/default section that lejeczek reports. I guess
>we will need more detailed steps to reproduce, including the exact
>original sssd.conf and versions of relevant packages.
I suspect somebody ran authconfig separately to configure some options
and it ruined sssd.conf.
-- 
/ Alexander Bokovoy
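
Added example, not part of the thread or of FreeIPA/SSSD: a small audit that shows which `[domain/...]` sections of an sssd.conf are actually listed in `domains` under `[sssd]`, and which `krb5_*` options sit in sections that are not. The sample text is constructed from the config quoted above; the function name is hypothetical, and it assumes domains are activated only through the `domains` list and that names match exactly.

```python
import configparser

# Constructed sample modelled on the sssd.conf quoted in this thread
# (the "..." lines and the inline annotation are left out).
SAMPLE = """\
[domain/new.Domain]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = newDomain
id_provider = ipa

[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = new.Domain
ldap_search_base = dc=old,dc=domain
id_provider = ldap
krb5_server = a.host

[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains =new.Domain
"""


def audit_sssd_conf(text):
    """Report enabled domains, unreferenced domain sections, and dangling names."""
    cp = configparser.RawConfigParser(strict=False)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)

    # Domains named in [sssd] domains = a, b, c
    raw = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]

    # Every [domain/<name>] section present in the file
    defined = {s[len("domain/"):]: s for s in cp.sections()
               if s.startswith("domain/")}

    unreferenced = {}
    for name, section in defined.items():
        if name not in enabled:
            # Collect Kerberos options that live in a section nobody enables
            unreferenced[name] = {k: v for k, v in cp.items(section)
                                  if k.startswith("krb5_")}

    missing = [d for d in enabled if d not in defined]
    return {"enabled": enabled, "unreferenced": unreferenced, "missing": missing}


if __name__ == "__main__":
    print(audit_sssd_conf(SAMPLE))
```

Running the same function over the installer's backup copy and the current file makes it easy to see which tool's run introduced a stray section.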



