------- [domain/foo.com] cach_credentials = True krb5_store_password_if_offline = True ipa_domain = foo.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = zw129.foo.com chpass_provider = ipa ipa_dyndns_update = True ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49 ldap_tls_cacert = /etc/ipa/ca.crt [domain/.foo.com]
cache_credentials = True krb5_store_password_if_offline = True krb5_realm = FOO.COM ipa_domain = .foo.com id_provider = ipa auth_provider = ipa access_provider = ipa ldap_tls_cacert = /etc/ipa/ca.crt chpass_provider = ipa ipa_dyndns_update = True ipa_server = 192.168.208.46, _srv_, 192.168.10.111, 192.168.8.49 ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=com dns_discovery_domain = .foo.com [sssd] services = nss, pam, ssh config_file_version = 2 domains = .foo.com, foo.com [nss] [pam] [sudo] [autofs] [ssh] ----------- Bret On 01/16/2014 12:47 PM, Jan Cholasta wrote:
I'm glad that fixed it, but I would still be interested in what went wrong. Could you tell me what was the difference between foo.com and .foo.com domain configuration? I'm also curious how did such configuration got into sssd.conf in the first place, ipa-client-install should have created only one domain.On 16.1.2014 18:19, Bret Wortman wrote:It did. I just needed the motivation to figure out which version was correct. So I experimented on my own workstation this morning before anyone else got in and rolled out a corrected version. Thanks for your help, everyone! On 01/16/2014 11:52 AM, Jan Cholasta wrote:I think you can just comment out the whole [domain/] section in sssd.conf and restart sssd. Does that solve the problem? If not, could you please post your sssd.conf here? On 16.1.2014 11:21, Bret Wortman wrote:Yes, though there should be only one. We ended up somehow with foo.com and .foo.com and I'm not sure how to reduce us properly to just foo.com. Bret Wortman http://bretwortman.com/ http://twitter.com/BretWortmanOn Jan 16, 2014, at 4:42 AM, Jan Cholasta <jchol...@redhat.com> wrote:OK, there is definitely something going on in the client then. Are there multiple domains configured in sssd.conf?On 15.1.2014 13:56, Bret Wortman wrote: The fingerprint does match.On 01/15/2014 03:33 AM, Jan Cholasta wrote:On 14.1.2014 12:34, Bret Wortman wrote: The key in /etc/ssh/ssh_host_rsa_key.pub matches what's in IPA for the host in question. It should not have had any connectivity issues; it's co-located with several of our IPA masters.Can you also check if the MD5 fingerprint reported by ssh (e.g. 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original post) matches the MD5 fingerprint for the host in IPA?-- Jan Cholasta
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users
