[Freeipa-users] sssd.conf - the server and host-client relationship

Lukas Slebodnik lslebodn at redhat.com
Tue Sep 20 07:11:44 UTC 2016


On (20/09/16 15:06), Lachlan Musicman wrote:
>Hola,
>
>What is the relationship between the IPA server, host-clients and the
>sssd.conf?
>
>From what I can tell, sssd.conf is edited/changed by the ipa-client-install
>process on the host-client.
>
>What level of similarity does there need to be between the two sssd.confs?
>
>My server's sssd.conf has a significant number of extra parameters set that
>are not getting put onto the clients.
>
>Debug levels are the most obvious, and understandable, omissions - but some
>others are frustrating.
>
>The (non debug_level) parameters missing are:
>----------------------
>[domain/unixdev.etc]
>ignore_group_members = True
It was probably set as a result of performance tuning.

>ldap_purge_cache_timeout = 0
That's the default since 1.13.0

>subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
that's a specific option for sssd on the IPA server

>selinux_provider = none
It was probably set as a workaround for a bug which has already been
fixed.

>ipa_server_mode = True
that's a specific option for sssd on the IPA server

>sudo_provider = ldap
>ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
>ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
>ldap_sasl_mech = GSSAPI
>ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
>ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
>krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au
The previous 7 options are not required since sssd-1.10

>
>[sssd]
>config_file_version = 2
>domains = unixdev.etc
>
>[nss]
>memcache_timeout = 600
This option is set by ipa-*-install in IPA server mode.

>----------------------
>
>The other diff is that the
>
>host has: ipa_server = vmdv-linuxidm1.unixdev.petermac.org.au
>client has: ipa_server = _srv_, vmdv-linuxidm1.unixdev.petermac.org.au
>
>Which I presume is expected/desired.
>
>And the reason I ask is because we have selinux disabled, and without the
Do you mean disabled or permissive?
BTW freeIPA works well with SELinux in enforcing mode
>"selinux_provider = none" line, we would get kicked out as soon as freeipa
>had logged us in with message:
>
Disabled SELinux should not affect authentication; but I didn't test that.

>Connection to test_client.unixdev.petermac.org.au closed by remote host.
>
>and on that host-client there was a brand new selinux_child.log that I'd
>never seen before.
>

LS
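Added example (not code from the thread, FreeIPA or SSSD): a script that parses a server-side and a client-side sssd.conf, lists every option that differs between them and attaches the classification given in the reply above (server-only, default since 1.13.0, not required since sssd 1.10, tuning or workaround). Both configuration texts are constructed here to mirror the listing in the thread, with id_provider = ipa and debug_level = 6 added as assumptions; the note on the _srv_ token in ipa_server (DNS SRV discovery tried before the listed server) is added here and is not part of the reply.

```python
"""Compare an IPA server's sssd.conf with an enrolled client's.

Added example; not code from the thread, FreeIPA or SSSD. The two configs
below are constructed to mirror the diff posted in the thread (hostnames and
realm as quoted). The notes attached to differing options reproduce the
classification given in the reply; the _srv_ note is an addition.
"""
import configparser

# Constructed input: server-side sssd.conf. id_provider and debug_level = 6
# are assumptions; the other lines are the ones listed in the thread.
SERVER_CONF = """\
[domain/unixdev.etc]
id_provider = ipa
ipa_server_mode = True
ipa_server = vmdv-linuxidm1.unixdev.petermac.org.au
ignore_group_members = True
ldap_purge_cache_timeout = 0
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
selinux_provider = none
sudo_provider = ldap
ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sudo_search_base = ou=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au
debug_level = 6

[sssd]
config_file_version = 2
domains = unixdev.etc

[nss]
memcache_timeout = 600
"""

# Constructed input: client-side sssd.conf as ipa-client-install leaves it
# (only the ipa_server line is taken from the thread; id_provider assumed).
CLIENT_CONF = """\
[domain/unixdev.etc]
id_provider = ipa
ipa_server = _srv_, vmdv-linuxidm1.unixdev.petermac.org.au

[sssd]
config_file_version = 2
domains = unixdev.etc

[nss]
"""

# Classification of the differing options, taken from the reply in the thread.
SERVER_ONLY = {"ipa_server_mode", "subdomain_inherit"}
DEFAULT_SINCE = {"ldap_purge_cache_timeout": ("0", "1.13.0")}
NOT_REQUIRED_SINCE_1_10 = {
    "sudo_provider", "ldap_uri", "ldap_sudo_search_base", "ldap_sasl_mech",
    "ldap_sasl_authid", "ldap_sasl_realm", "krb5_server",
}
LOCAL_REASON = {
    "ignore_group_members": "probably set as a result of performance tuning",
    "selinux_provider": "probably a workaround for a bug that is already fixed",
    "memcache_timeout": "set by ipa-*-install in IPA server mode",
    "debug_level": "debug setting; expected to differ",
}


def parse(text):
    """Parse sssd.conf-style INI text into {section: {option: value}}."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep option names as written; sssd is case-sensitive
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def explain(option, server_val, client_val):
    """Return a one-line note for an option whose value differs between files."""
    if client_val is None:  # set on the server only
        if option in SERVER_ONLY:
            return "server-only option; do not copy to clients"
        if option in DEFAULT_SINCE and server_val == DEFAULT_SINCE[option][0]:
            default, release = DEFAULT_SINCE[option]
            return f"redundant: {default!r} is the default since sssd {release}"
        if option in NOT_REQUIRED_SINCE_1_10:
            return "not required since sssd 1.10"
        return LOCAL_REASON.get(option, "server-only value; review")
    if server_val is None:
        return "set on the client only; review"
    if option == "ipa_server":
        # Added note: a leading _srv_ makes the client discover servers via
        # DNS SRV records and fall back to the hosts listed after it.
        tokens = [t.strip() for t in client_val.split(",")]
        if tokens[0] == "_srv_" and server_val.strip() in tokens[1:]:
            return "expected: client uses DNS SRV discovery, then the listed server"
    return "value differs; review"


def compare(server_text, client_text):
    """Return (section, option, server_value, client_value, note) per difference."""
    server, client = parse(server_text), parse(client_text)
    findings = []
    for section in sorted(set(server) | set(client)):
        s_opts, c_opts = server.get(section, {}), client.get(section, {})
        for option in sorted(set(s_opts) | set(c_opts)):
            s_val, c_val = s_opts.get(option), c_opts.get(option)
            if s_val != c_val:
                findings.append((section, option, s_val, c_val,
                                 explain(option, s_val, c_val)))
    return findings


def unexplained(findings):
    """Differences the classification above does not account for."""
    return [f for f in findings if f[4].endswith("review")]


if __name__ == "__main__":
    for section, option, s_val, c_val, note in compare(SERVER_CONF, CLIENT_CONF):
        print(f"[{section}] {option}: server={s_val!r} client={c_val!r}")
        print(f"    -> {note}")
```

Run against the two real files (for example `compare(open("/etc/sssd/sssd.conf").read(), client_text)` with the client's file copied over) and anything left in `unexplained()` is the list of options that actually need a decision; everything else is either server-only, redundant on current sssd, or a debug setting.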
