Here was the original sssd.conf. IPA created one, and I think in our early confusion over IPA, we created the other accidentally, and as we were trying to get puppet to enforce our system configs (we have a lot of developers who love to tinker with things they don't understand, which at this point includes me, I guess) we ended up postponing figuring out whether we could do away with the "" one until today:

cach_credentials = True
krb5_store_password_if_offline = True
ipa_domain =
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname =
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server =, _srv_,,
ldap_tls_cacert = /etc/ipa/ca.crt

cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = FOO.COM
ipa_domain =
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server =, _srv_,,
ldap_netgroup_search_base = cn=ng,cn=compat,dc=foo,dc=com
dns_discovery_domain =
services = nss, pam, ssh
config_file_version = 2

domains =,

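A small checker for the situation in this thread (two [domain/...] sections that differ in a few options, only one of them enabled by domains= in [sssd]), written as an added example rather than anything from the thread or from SSSD itself. The sample sssd.conf and its domain names are constructed; its option set mirrors the one posted above so that the typo'd cache_credentials line shows up in the diff.

```python
import configparser

# Constructed sample modelled on the posted sssd.conf: two [domain/...]
# sections with near-identical options; domain names are placeholders.
SAMPLE_CONF = """\
[domain/one.example]
cach_credentials = True
ipa_domain = one.example
id_provider = ipa
auth_provider = ipa
ipa_hostname = host.one.example
ipa_server = _srv_, ipa1.one.example
ldap_tls_cacert = /etc/ipa/ca.crt

[domain/two.example]
cache_credentials = True
krb5_realm = TWO.EXAMPLE
ipa_domain = two.example
id_provider = ipa
auth_provider = ipa
ipa_server = _srv_, ipa1.two.example
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = one.example
"""

def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf-style INI text without lowercasing option names."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep option names exactly as written in the file
    cp.read_string(text)
    return cp

def domain_sections(cp) -> list[str]:
    """Names of all [domain/NAME] sections, in file order."""
    return [s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")]

def unlisted_domains(cp) -> list[str]:
    """Domain sections that [sssd] domains= never enables (dead config)."""
    listed = {d.strip() for d in cp.get("sssd", "domains", fallback="").split(",")}
    return [d for d in domain_sections(cp) if d not in listed]

def diff_domains(cp, a: str, b: str) -> dict:
    """Options whose value differs, or is missing, between two domain sections."""
    sa, sb = dict(cp.items(f"domain/{a}")), dict(cp.items(f"domain/{b}"))
    return {k: (sa.get(k), sb.get(k)) for k in sorted(sa.keys() | sb.keys())
            if sa.get(k) != sb.get(k)}
```

Running diff_domains() on the two sections reports cach_credentials present only on one side and cache_credentials only on the other, which is the kind of difference Jan asks about below.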
On 01/16/2014 12:47 PM, Jan Cholasta wrote:
I'm glad that fixed it, but I would still be interested in what went wrong. Could you tell me what the difference was between the and domain configurations? I'm also curious how such a configuration got into sssd.conf in the first place; ipa-client-install should have created only one domain.

On 16.1.2014 18:19, Bret Wortman wrote:
It did. I just needed the motivation to figure out which version was correct. So I experimented on my own workstation this morning before anyone else got in and rolled out a corrected version.

Thanks for your help, everyone!

On 01/16/2014 11:52 AM, Jan Cholasta wrote:
I think you can just comment out the whole [domain/] section in sssd.conf and restart sssd. Does that solve the problem? If not, could you please post your sssd.conf here?

On 16.1.2014 11:21, Bret Wortman wrote:
Yes, though there should be only one. We ended up somehow with and and I'm not sure how to reduce us properly to

Bret Wortman

On Jan 16, 2014, at 4:42 AM, Jan Cholasta <> wrote:

OK, there is definitely something going on in the client then. Are there multiple domains configured in sssd.conf?

On 15.1.2014 13:56, Bret Wortman wrote:
The fingerprint does match.

On 01/15/2014 03:33 AM, Jan Cholasta wrote:

On 14.1.2014 12:34, Bret Wortman wrote:
The key in /etc/ssh/ matches what's in IPA for the host in question. It should not have had any connectivity issues; co-located with several of our IPA masters.

Can you also check if the MD5 fingerprint reported by ssh (e.g. 2a:1e:1c:87:33:44:fb:87:ab:6f:ee:80:d5:21:7e:ab in your original matches the MD5 fingerprint for the host in IPA?

Jan Cholasta