On 08/16/2011 12:34 PM, Dmitri Pal wrote:
> On 08/16/2011 10:29 AM, Jakub Hrozek wrote:
>> On Tue, Aug 16, 2011 at 03:56:48PM +0200, Ondrej Valousek wrote:
>>> Hi list,
>>> Ok here is the list of issues I discovered while configuring sssd against
>>> Win2008 AD & rfc2307bis schema:
>>> 1. If I specify both dns_discovery_domain and ldap_uri parameters
>>> then what happens is that dns srv discovery returns a list of ldap
>>> servers. Now if the first one found is not working, others are not
>>> tried. I have to comment out the 'ldap_uri' parameter to make it
>>> working correctly.
>> Can you paste how exactly the ldap_uri line looks? I presume you would
>> like to try the service discovery first and if that fails, fall back to
>> a hardcoded hostname. In that case, ldap_uri should say:
>>
>> ldap_uri = _srv_, adserver.example.com
>>
>> That should work.
>>
>>> 2. SSSD is unable to detect default Kerberos realm as per /etc/krb5.conf -
>>> I have to configure it manually
>>>
>>> 3. Why do we actually need to specify Kerberos realm and KDC? Isn't
>>> /etc/krb5.conf supposed to record these kind of parameters?
>> I think this has both historical (we used to say you don't need
>> /etc/krb5.conf at all with SSSD) and practical reasons - there can be more
>> SSSD domains with different realms and KDCs at the same time.
>>
>>> 4. authconfig is unable to configure sssd to use IPA backend provider
>>>
>> This was supposedly done to avoid people using authconfig-gtk to
>> configure clients against IPAv1, but I don't remember the exact reason.
> Historically when the authconfig design was done there was no released
> IPA product of the v2 level in Fedora or RHEL.
> I thought 6.1 authconfig was enhanced to configure sssd but AFAIR
> Kerberos and LDAP not IPA. If this is the case we need to file an ER.

Checked... I do not see any ERs for authconfig to support IPA back end.
I have opened one:
https://bugzilla.redhat.com/show_bug.cgi?id=731094
and also added a tracking ticket on our side:
https://fedorahosted.org/sssd/ticket/969

>> Maybe someone else does?

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
