On Tue, Feb 25, 2014 at 10:28:19AM +0100, Stanislav Zidek wrote:
> > Date: Fri, 17 Jan 2014 09:46:08 -0500
> > From: Dmitri Pal <[email protected]>
> > To: [email protected]
> > Subject: Re: [Freeipa-users] SSSD Failover does not work
> > Message-ID: <[email protected]>
> > Content-Type: text/plain; charset=ISO-8859-1
> >
> > You would need to up the debug_level to 6 on SSSD, restart it, then
> > simulate the situation and provide sanitized logs and sssd configuration
> > file.
>
> Hi and sorry for late reply, I've been ill and then lots of work waited
> for me ;)
>
> I tried to further debug the issue and I was able to make it work by
> adding the second ipa server also to directives ldap_uri and krb5_server
> (it was probably my mistake to put it only to ipa_server) - of course in
> /etc/sssd/sssd.conf
>
> Here is my working /etc/sssd/sssd.conf in case anyone finds it useful
> (or someone has a comment - feel free to tell me how to make things better):
>
> [domain/kajot.cz]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = kajot.cz
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = <<<SERVER NAME>>>
> chpass_provider = ipa
> ipa_server = id1.kajot.cz, id2.kajot.cz
>
> # For the SUDO integration
> sudo_provider = ldap
> ldap_uri = ldap://id1.kajot.cz, ldap://id2.kajot.cz
> ldap_sudo_search_base = ou=sudoers,dc=kajot,dc=cz
> ldap_sasl_mech = GSSAPI
> ldap_sasl_authid = host/redmine.kajot.cz
> ldap_sasl_realm = KAJOT.CZ
> krb5_server = id1.kajot.cz, id2.kajot.cz
>
>
> ldap_sudo_smart_refresh_interval = 120
> ldap_sudo_full_refresh_interval = 300
>
> [sssd]
> services = nss, pam, ssh, sudo
> config_file_version = 2
>
> domains = kajot.cz
>
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
>
> P.S. I hope it gets posted to the right place, Thunderbird and digest
> mode is probably not very good combination.. If it goes wrong, sorry in
> advance.
>
> S.
>
Ah, I didn't realize you were mixing several provider types. It's the right thing to do for sudo integration with RHEL-6, unfortunately. In 6.6 there will be (and there already is in 7.0 and upstream 1.9.6 and later) a native sudo_provider=ipa so you'll be able to streamline your configuration even more.
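A lint for the mismatch this thread turned out to be about, as an added example (not code from the posters or from SSSD): when a domain sets sudo_provider = ldap, it reports servers named in ipa_server that are missing from ldap_uri or krb5_server. The function names and the "before" sample are constructed; the sample assumes the earlier config listed a single server in those two directives.

```python
import configparser
from urllib.parse import urlparse

# Constructed "before" sample: second server present only in ipa_server.
BEFORE = """
[domain/kajot.cz]
id_provider = ipa
ipa_server = id1.kajot.cz, id2.kajot.cz
sudo_provider = ldap
ldap_uri = ldap://id1.kajot.cz
krb5_server = id1.kajot.cz
"""
# "After" sample: the two directives as posted in the working config.
AFTER = BEFORE.replace(
    "ldap_uri = ldap://id1.kajot.cz",
    "ldap_uri = ldap://id1.kajot.cz, ldap://id2.kajot.cz",
).replace("krb5_server = id1.kajot.cz", "krb5_server = id1.kajot.cz, id2.kajot.cz")

def hosts(value):
    """Host names in a comma-separated list of hosts or ldap:// URIs."""
    found = set()
    for item in (v.strip() for v in value.split(",")):
        # ldap_uri holds URIs; ipa_server and krb5_server hold host[:port].
        host = urlparse(item).hostname if "://" in item else item.split(":")[0]
        if host:
            found.add(host.lower())
    return found

def check_failover(conf_text):
    """Return (section, option, missing hosts) for each domain that sets
    sudo_provider = ldap but omits ipa_server hosts from ldap_uri/krb5_server."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    for name in cp.sections():
        sec = cp[name]
        if not name.startswith("domain/") or sec.get("sudo_provider") != "ldap":
            continue
        expected = hosts(sec.get("ipa_server", ""))
        expected.discard("_srv_")  # DNS discovery keyword, not a host name
        for opt in ("ldap_uri", "krb5_server"):
            missing = expected - hosts(sec.get(opt, ""))
            if missing:
                findings.append((name, opt, sorted(missing)))
    return findings

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_failover(text) or "all ipa_server hosts covered")
```
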
