[Freeipa-users] krb5_server in sssd.conf after ipa-server-install
lejeczek
peljasz at yahoo.co.uk
Mon Mar 14 13:44:43 UTC 2016
On 14/03/16 12:21, Alexander Bokovoy wrote:
> On Mon, 14 Mar 2016, Jan Pazdziora wrote:
>> On Sun, Mar 13, 2016 at 03:34:27PM +0200, Alexander Bokovoy wrote:
>>> On Sun, 13 Mar 2016, lejeczek wrote:
>>> >IPA install process configured in sssd.conf:
>>> >[domain/new.Domain]
>>> >cache_credentials = True
>>> >krb5_store_password_if_offline = True
>>> >ipa_domain = newDomain
>>> >id_provider = ipa
>>> >...
>>> >...
>>> >[domain/default] # < this is ldap that existed before, krb5 related
>>> >options are new additions
>>> >autofs_provider = ldap
>>> >cache_credentials = True
>>> >krb5_realm = new.Domain
>>> >ldap_search_base = dc=old,dc=domain
>>> >id_provider = ldap
>>> >krb5_server = a.host
>>> >
>>> >[sssd]
>>> >services = nss, sudo, pam, autofs, ssh
>>> >config_file_version = 2
>>> >domains =new.Domain
>>> >
>>> >so here I wonder, what's the meaning of krb5 related options and why
>>> >install process put it into default domain which it did not include later
>>> >in sssd section.
>>> FreeIPA installer doesn't touch 'default' domain section at all. It
>>> always operates on the section named 'domain/<domain name>'.
>>
>> Actually, that does not seem what I experience.
>>
>> On RHEL 6.7 and RHEL 7.2, I've tried to start with sssd.conf
>> containing
>>
>> [domain/default]
>> autofs_provider = ldap
>> cache_credentials = True
>> ldap_search_base = dc=old,dc=domain
>> id_provider = ldap
>>
>> I tried ipa-server-install and I tried ipa-client-install. In both
>> cases, the resulting sssd.conf had the [domain/default] section
>> removed. So something in the process seems to care about that section
>> -- maybe not the installer, maybe authconfig or something else.
> If sssd.conf exists, IPA installer (ipa-client-install) will back the
> file up. If there is a clash in config, it will start afresh because
> you anyway have a backup copy.
>
>> On the other hand, I was not able to reproduce the change to the
>> content of the domain/default section that lejeczek reports. I guess
>> we will need more detailed steps to reproduce, including the exact
>> original sssd.conf and versions of relevant packages.
> I suspect somebody ran authconfig separately to configure some options
> and it ruined sssd.conf.
yes, I've asked around and it's quite probably someone before
tried/used non-IPA Kerberos before.
One thing to me looks like a certain - if krb5_realm & &
krb5_server (or at least krb5_realm) installer (in my case
left it there in /default)
I guess a quick test would be to put krb5_realm in sssd.conf
default and try, I'll do that once I've set up some VMs.
Also my ldap_search_base = dc=old,dc=domain was different
from FQDN/realm which during, for the installation was
new.quite.different.domain.local - in case it mattered.
Most important is that both params are now in the newly (IPA
created) section, though just yet I did notice anything, it
seemed ok before and it does so now.
many thanks gents
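
Added example, not part of the original message and not FreeIPA or SSSD code: a small Python check that parses an sssd.conf and lists the `[domain/...]` sections that the `domains` line in `[sssd]` does not enable, together with any `krb5_*` options left in them. The function name `audit_sssd_conf` is hypothetical, and the check assumes the `domains` list is the only thing that activates a domain section.

```python
import configparser

# The sssd.conf quoted in the thread, with the elided "..." lines and the
# inline comment on the [domain/default] header left out.
SAMPLE = """\
[domain/new.Domain]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = newDomain
id_provider = ipa

[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = new.Domain
ldap_search_base = dc=old,dc=domain
id_provider = ldap
krb5_server = a.host

[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains =new.Domain
"""


def audit_sssd_conf(text):
    """Report [domain/...] sections that [sssd] domains does not enable."""
    # interpolation=None: sssd.conf values may legitimately contain '%'.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    raw = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]
    inactive = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        if name not in enabled:
            # Keep only the Kerberos options left behind in the unused section.
            inactive[name] = {k: v for k, v in cp.items(section)
                              if k.startswith("krb5_")}
    # Domains that are enabled but have no matching section at all.
    missing = [d for d in enabled if not cp.has_section("domain/" + d)]
    return {"enabled": enabled, "inactive": inactive, "missing": missing}


if __name__ == "__main__":
    print(audit_sssd_conf(SAMPLE))
```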