On 08/16/2011 10:29 AM, Jakub Hrozek wrote:
> On Tue, Aug 16, 2011 at 03:56:48PM +0200, Ondrej Valousek wrote:
>> Hi list,
>> Ok here is the list of issues I discovered while configuring sssd against 
>> Win2008 AD & rfc2307bis schema:
>> 1. If I specify both dns_discovery_domain and ldap_uri parameters
>> then what happens is that dns srv discovery returns a list of ldap
>> servers. Now if the first one found is not working, others are not
>> tried. I have to comment out the 'ldap_uri' parameter to make it
>> work correctly.
> Can you paste how exactly the ldap_uri line looks? I presume you would
> like to try the service discovery first and if that fails, fall back to
> a hardcoded hostname. In that case, ldap_uri should say:
> ldap_uri = _srv_, adserver.example.com
> That should work. 
>> 2. SSSD is unable to detect default Kerberos realm as per /etc/krb5.conf - I 
>> have to configure it manually
>> 3. Why do we actually need to specify Kerberos realm and KDC? Isn't 
>> /etc/krb5.conf supposed to record these kinds of parameters?
> I think this has both historical (we used to say you don't need
> /etc/krb5.conf at all with SSSD) and practical reasons - there can be more
> SSSD domains with different realms and KDCs at the same time.
>> 4. authconfig is unable to configure sssd to use IPA backend provider
> This was supposedly done to avoid people using authconfig-gtk to
> configure clients against IPAv1, but I don't remember the exact reason.

Historically when the authconfig design was done there was no released
IPA product of the v2 level in Fedora or RHEL.
I thought 6.1 authconfig was enhanced to configure sssd but AFAIR
Kerberos and LDAP not IPA. If this is the case we need to file an ER.

> Maybe someone else does?
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users@redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
