[Freeipa-users] ipa-client-install generates bad sssd.conf
Jakub Hrozek
jhrozek at redhat.com
Fri Mar 3 08:32:57 UTC 2017
On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote:
> Hi folks,
>
> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
> Debian Stretch
~~~~~~~~~~~~~~
This is important I guess.
Since SSSD 1.15, SSSD allows socket-activating the services, so it is
no longer required to have them explicitly listed in the services line
of the sssd section. But:
 - there were some nasty bugs in the first version of the socket
   activation. We will be releasing 1.15.1 today to address those
   issues
 - the sockets must be enabled (systemctl status sssd-nss.socket). I
   understand Debian is doing this but I'm neither a Debian user nor a
   developer. I would suggest asking on some Debian-specific forum or
   filing a bug report if the resulting configuration doesn't work.
> ipa-client-install creates a bad sssd.conf file, e.g.
>
> [domain/example.com]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = example.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = stretch1.vs.example.com
> chpass_provider = ipa
> ipa_server = _srv_, ipa1.example.com
> dns_discovery_domain = example.com
> [sssd]
> domains = example.com
> services = sudo
btw I find it strange that sudo is listed. I would expect either all or
no services to be listed. The feature is backwards-compatible, so if you
list the services explicitly, the sssd process would still start them
explicitly, just as it did with previous versions.
> [sudo]
>
>
> Esp. the services for nss, pam and ssh are not set up. Is this
> as expected?
>
>
> Every helpful comment is highly appreciated.
> Harri
>
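The check described in the reply above, written out as an added example (not part of the original message and not FreeIPA or SSSD code): for each responder a client needs, it reports whether sssd.conf lists it on the services line or whether it depends on an enabled socket unit. Unit names other than sssd-nss.socket are assumed to follow the same sssd-<name>.socket pattern, and the set of enabled units is constructed input that would normally be collected on the client with systemctl.

```python
import configparser

# Responders the original poster expected to see (nss, pam, ssh) plus sudo.
# Unit names follow the sssd-nss.socket pattern quoted in the message;
# the same pattern is assumed for the other responders.
RESPONDERS = ("nss", "pam", "ssh", "sudo")

# Constructed sample: a shortened copy of the sssd.conf quoted in the message.
SAMPLE_CONF = """\
[domain/example.com]
id_provider = ipa
ipa_server = _srv_, ipa1.example.com

[sssd]
domains = example.com
services = sudo

[sudo]
"""


def listed_services(conf_text):
    """Return the responders named on the services line of [sssd]."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    raw = parser.get("sssd", "services", fallback="")
    return {s.strip() for s in raw.split(",") if s.strip()}


def audit(conf_text, enabled_units, needed=RESPONDERS):
    """Classify each needed responder as explicit, socket, or MISSING.

    enabled_units: unit names found enabled on the client (hypothetical
    input here; gather it with `systemctl is-enabled` on a real host).
    """
    explicit = listed_services(conf_text)
    report = {}
    for name in needed:
        unit = f"sssd-{name}.socket"
        if name in explicit:
            report[name] = "explicit"   # started by the sssd process itself
        elif unit in enabled_units:
            report[name] = "socket"     # started on first client connection
        else:
            report[name] = "MISSING"    # neither listed nor socket-enabled
    return report


if __name__ == "__main__":
    # Constructed state: only the nss and pam sockets are enabled.
    enabled = {"sssd-nss.socket", "sssd-pam.socket"}
    for svc, state in audit(SAMPLE_CONF, enabled).items():
        print(f"{svc:5} {state}")
```

A responder reported as MISSING is the case the original poster was worried about: it is neither on the services line nor backed by an enabled socket unit.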