On Tue, Aug 16, 2011 at 03:56:48PM +0200, Ondrej Valousek wrote:
> Hi list,
> Ok here is the list of issues I discovered while configuring sssd against 
> Win2008 AD & rfc2307bis schema:
> 1. If I specify both dns_discovery_domain and ldap_uri parameters
> then what happens is that dns srv discovery returns a list of ldap
> servers. Now if the first one found is not working, others are not
> tried. I have to comment out the 'ldap_uri' parameter to make it
> working correctly.

Can you paste how exactly the ldap_uri line looks? I presume you would
like to try the service discovery first and if that fails, fall back to
a hardcoded hostname. In that case, ldap_uri should say:

ldap_uri = _srv_, adserver.example.com

That should work. 

> 2. SSSD is unable to detect default Kerberos realm as per /etc/krb5.conf - I 
> have to configure it manually
> 3. Why do we actually need to specify Kerberos realm and KDC? Isn't 
> /etc/krb5.conf supposed to record these kind of parameters?

I think this has both historical (we used to say you don't need
/etc/krb5.conf at all with SSSD) and practical reasons - there can be more
SSSD domains with different realms and KDCs at the same time.

> 4. authconfig is unable to configure sssd to use IPA backend provider

This was supposedly done to avoid people using authconfig-gtk to
configure clients against IPAv1, but I don't remember the exact reason.

Maybe someone else does?

Freeipa-users mailing list

Reply via email to