[Freeipa-users] sssd.conf - the server and host-client relationship

Lachlan Musicman datakid at gmail.com
Tue Sep 20 05:06:30 UTC 2016


Hola,

What is the relationship between the IPA server, host-clients and the
sssd.conf?

From what I can tell, sssd.conf is edited/changed by the ipa-client-install
process on the host-client.

What level of similarity does there need to be between the two sssd.confs?

My server's sssd.conf has a significant number of extra parameters set that
are not getting put onto the clients.

Debug levels are the most obvious, and understandable, omissions - but some
others are frustrating.

The (non debug_level) parameters missing are:
----------------------
[domain/unixdev.etc]
ignore_group_members = True
ldap_purge_cache_timeout = 0
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
selinux_provider = none
ipa_server_mode = True
sudo_provider = ldap
ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au

[sssd]
config_file_version = 2
domains = unixdev.etc

[nss]
memcache_timeout = 600
----------------------

The other diff is that the

host has: ipa_server = vmdv-linuxidm1.unixdev.petermac.org.au
client has: ipa_server = _srv_, vmdv-linuxidm1.unixdev.petermac.org.au

Which I presume is expected/desired.

And the reason I ask is because we have selinux disabled, and without the
"selinux_provider = none" line, we would get kicked out as soon as freeipa
had logged us in with message:

Connection to test_client.unixdev.petermac.org.au closed by remote host.

and on that host-client there was a brand new selinux_child.log that I'd
never seen before.


cheers
L.


------
The most dangerous phrase in the language is, "We've always done it this
way."

- Grace Hopper
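
One way to make the comparison described in the message repeatable, as an added example that is not part of the original post: it parses a server and a client sssd.conf, lists the options the client lacks (ignoring debug_level), and flags client domains without "selinux_provider = none" on a host where SELinux is disabled. The sample configs are constructed from values quoted above (id_provider and the debug_level value are assumed), and the function names and the selinux_disabled parameter are hypothetical.

```python
import configparser

# Constructed samples built from options quoted in the message; id_provider is assumed.
SERVER_CONF = """
[domain/unixdev.etc]
debug_level = 6
id_provider = ipa
ipa_server = vmdv-linuxidm1.unixdev.petermac.org.au
ignore_group_members = True
selinux_provider = none
ipa_server_mode = True
[nss]
debug_level = 6
memcache_timeout = 600
"""
CLIENT_CONF = """
[domain/unixdev.etc]
id_provider = ipa
ipa_server = _srv_, vmdv-linuxidm1.unixdev.petermac.org.au
[nss]
"""

def load(text):
    # '=' only as delimiter and no interpolation, so values with ':' or '%' survive intact.
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.read_string(text)
    return cp

def missing_on_client(server, client, ignore=("debug_level",)):
    """Return {section: {option: server_value}} for options absent on the client."""
    out = {}
    for section in server.sections():
        for opt, val in server.items(section):
            if opt not in ignore and not client.has_option(section, opt):
                out.setdefault(section, {})[opt] = val
    return out

def selinux_findings(client, selinux_disabled):
    """List domain sections lacking 'selinux_provider = none' on a host with SELinux disabled."""
    if not selinux_disabled:
        return []
    return [s for s in client.sections() if s.startswith("domain/")
            and client.get(s, "selinux_provider", fallback="").strip().lower() != "none"]

if __name__ == "__main__":
    srv, cli = load(SERVER_CONF), load(CLIENT_CONF)
    for section, opts in missing_on_client(srv, cli).items():
        for opt, val in opts.items():
            print(f"[{section}] missing on client: {opt} = {val}")
    for section in selinux_findings(cli, selinux_disabled=True):
        print(f"[{section}] selinux_provider is not 'none' but SELinux is disabled")
```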