On Tue, Dec 18, 2012 at 09:07:25AM -0600, KodaK wrote: > On Tue, Dec 18, 2012 at 3:51 AM, Jakub Hrozek <jhro...@redhat.com> wrote: > > On Tue, Dec 18, 2012 at 10:39:56AM +0100, Jakub Hrozek wrote: > >> On Mon, Dec 17, 2012 at 04:03:03PM -0500, Dmitri Pal wrote: > >> > On 12/17/2012 03:11 PM, KodaK wrote: > >> > > I'm attempting to install Satellite in my IPA domain. There is a > >> > > ridiculous requirement that the group "dba" must not already exist > >> > > prior to installing. Red Hat support wanted me to *remove* the DBA > >> > > group and then install. > >> > > > >> > > Anyway, I'm trying to play around with filter_groups in sssd, and I > >> > > can't seem to get it to "take." The man page isn't exactly clear, but > >> > > here's what I've tried: > >> > > > >> > > filter_groups = dba > >> > > filter_groups= dba@fqdn > >> > > > >> > > In the [domain], [sssd] and [nss] sections of the config file. > >> > > > >> > > What's the right syntax? Do I need it in every section? > >> > > > >> > Is it a local group or a central group? > >> > >> Where Dmitri's question is headed is that if dba is a local group (aka > >> stored in /etc/passwd), then the SSSD should be queried at all. > > ^^^ > > /etc/group obviously > > I figured. :) > > The group "dba" is stored in IPA. Here's a funny thing, though (short > rundown): > > Installed RHEL 6.3 on Satelite server, joined it to the domain. > > Try to install Satellite: get the "Could not install database." > > I try to filter out the group in IPA, try to install Satellite, get: > "The group 'dba' should exist." This makes me think that the filter > is doing every "dba" not just dba on the IPA server. > > I removed the Satellite server from IPA (ipa-client-install > --uninstall) and I get the same message (dba should exist.) > > Fun stuff. >
Unless you wiped out the machine completely, do you know if: $ getent group -s sss dba Returned the group or not? I wouldn't be surprised if the installer tools checked the files directly.. > Now I'm re-installing RHEL so I can start from scratch, and I'll > attempt to install Satellite without joining it to the domain. I'm > not fond of this option -- I don't want to have stand-alone machines > that I have to manage separately, that's why I installed IPA in the > first place. _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users