On 08/16/2011 12:34 PM, Dmitri Pal wrote:
> On 08/16/2011 10:29 AM, Jakub Hrozek wrote:
>> On Tue, Aug 16, 2011 at 03:56:48PM +0200, Ondrej Valousek wrote:
>>> Hi list,
>>> Ok here is the list of issues I discovered while configuring sssd against
>>> Win2008 AD & rfc2307bis schema:
>>> 1. If I specify both dns_discovery_domain and ldap_uri parameters
>>> then what happens is that DNS SRV discovery returns a list of LDAP
>>> servers. Now if the first one found is not working, others are not
>>> tried. I have to comment out the 'ldap_uri' parameter to make it
>>> work correctly.
>> Can you paste how exactly the ldap_uri line looks? I presume you would
>> like to try the service discovery first and if that fails, fall back to
>> a hardcoded hostname. In that case, ldap_uri should say:
>> ldap_uri = _srv_, adserver.example.com
>> That should work.
>>> 2. SSSD is unable to detect default Kerberos realm as per /etc/krb5.conf -
>>> I have to configure it manually
>>> 3. Why do we actually need to specify Kerberos realm and KDC? Isn't
>>> /etc/krb5.conf supposed to record these kinds of parameters?
>> I think this has both historical (we used to say you don't need
>> /etc/krb5.conf at all with SSSD) and practical reasons - there can be more
>> SSSD domains with different realms and KDCs at the same time.
>>> 4. authconfig is unable to configure sssd to use IPA backend provider
>> This was supposedly done to avoid people using authconfig-gtk to
>> configure clients against IPAv1, but I don't remember the exact reason.
> Historically when the authconfig design was done there was no released
> IPA product of the v2 level in Fedora or RHEL.
> I thought 6.1 authconfig was enhanced to configure sssd but AFAIR
> Kerberos and LDAP, not IPA. If this is the case we need to file an ER.
I do not see any ERs for authconfig to support IPA back end.
I have opened one:
and also added a tracking ticket on our side:
>> Maybe someone else does?
>> Freeipa-users mailing list
Sr. Engineering Manager IPA project,
Red Hat Inc.