[Freeipa-users] krb5_server in sssd.conf after ipa-server-install

lejeczek peljasz at yahoo.co.uk
Mon Mar 14 13:44:43 UTC 2016


On 14/03/16 12:21, Alexander Bokovoy wrote:
> On Mon, 14 Mar 2016, Jan Pazdziora wrote:
>> On Sun, Mar 13, 2016 at 03:34:27PM +0200, Alexander Bokovoy wrote:
>>> On Sun, 13 Mar 2016, lejeczek wrote:
>>> >IPA install process configured in sssd.conf:
>>> >[domain/new.Domain]
>>> >cache_credentials = True
>>> >krb5_store_password_if_offline = True
>>> >ipa_domain = newDomain
>>> >id_provider = ipa
>>> >...
>>> >...
>>> >[domain/default]  # < this is ldap that existed before, krb5 related
>>> >options are new additions
>>> >autofs_provider = ldap
>>> >cache_credentials = True
>>> >krb5_realm = new.Domain
>>> >ldap_search_base = dc=old,dc=domain
>>> >id_provider = ldap
>>> >krb5_server = a.host
>>> >
>>> >[sssd]
>>> >services = nss, sudo, pam, autofs, ssh
>>> >config_file_version = 2
>>> >domains =new.Domain
>>> >
>>> >so here I wonder, what's the meaning of krb5 related options and why
>>> >install process put it into default domain which it did not include later
>>> >in sssd section.
>>> FreeIPA installer doesn't touch 'default' domain section at all. It
>>> always operates on the section named 'domain/<domain name>'.
>>
>> Actually, that does not seem what I experience.
>>
>> On RHEL 6.7 and RHEL 7.2, I've tried to start with sssd.conf
>> containing
>>
>>     [domain/default]
>>     autofs_provider = ldap
>>     cache_credentials = True
>>     ldap_search_base = dc=old,dc=domain
>>     id_provider = ldap
>>
>> I tried ipa-server-install and I tried ipa-client-install. In both
>> cases, the resulting sssd.conf had the [domain/default] section
>> removed. So something in the process seems to care about that section
>> -- maybe not the installer, maybe authconfig or something else.
> If sssd.conf exists, IPA installer (ipa-client-install) will back the
> file up. If there is a clash in config, it will start afresh because
> you anyway have a backup copy.
>
>> On the other hand, I was not able to reproduce the change to the
>> content of the domain/default section that lejeczek reports. I guess
>> we will need more detailed steps to reproduce, including the exact
>> original sssd.conf and versions of relevant packages.
> I suspect somebody ran authconfig separately to configure some options
> and it ruined sssd.conf.
Yes, I've asked around and it's quite probably someone before
tried/used non-IPA Kerberos before.
One thing to me looks like a certain - if krb5_realm && krb5_server
(or at least krb5_realm) installer (in my case left it there in
/default)
I guess a quick test would be to put krb5_realm in sssd.conf default
and try, I'll do that once I've set up some VMs.
Also my ldap_search_base = dc=old,dc=domain was different from
FQDN/realm which during, for the installation was
new.quite.different.domain.local - in case it mattered.
Most important is that both params are now in the newly (IPA created)
section, though just yet I did notice anything, it seemed ok before
and it does so now.
Many thanks, gents
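
A check for the situation discussed in this thread, as an added example that is not part of the original messages and is not FreeIPA or SSSD code: it lists [domain/...] sections that the 'domains' line in [sssd] does not enable, together with any krb5_* options left in them. Assumptions: the sample below is constructed from the config quoted above, audit_sssd_conf is a hypothetical helper name, names are compared exactly, and only a single sssd.conf is read.

```python
import configparser

# Constructed sample, modelled on the sssd.conf quoted in the thread.
SAMPLE = """\
[domain/new.Domain]
id_provider = ipa
ipa_domain = newDomain
cache_credentials = True

[domain/default]
id_provider = ldap
ldap_search_base = dc=old,dc=domain
krb5_realm = new.Domain
krb5_server = a.host

[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains =new.Domain
"""


def audit_sssd_conf(text):
    """Report domain sections the [sssd] 'domains' list does not enable."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    raw = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]
    # Section names look like "domain/<name>"; keep the <name> part.
    defined = {s.split("/", 1)[1]: s for s in cp.sections()
               if s.startswith("domain/")}
    inactive = {}
    for name, section in defined.items():
        if name not in enabled:
            # Surface the Kerberos settings that sit in an unused section.
            inactive[name] = {k: v for k, v in cp.items(section)
                              if k.startswith("krb5_")}
    missing = [d for d in enabled if d not in defined]
    return {"enabled": enabled, "inactive": inactive, "missing": missing}


if __name__ == "__main__":
    report = audit_sssd_conf(SAMPLE)
    for name, opts in report["inactive"].items():
        print(f"[domain/{name}] is not in 'domains'; krb5 options: {opts}")
    for name in report["missing"]:
        print(f"'domains' lists {name} but no [domain/{name}] section exists")
```
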






