Will it be represented in documentation&wiki? :)

25.02.2014 18:33, Jakub Hrozek wrote:
> On Tue, Feb 25, 2014 at 10:28:19AM +0100, Stanislav Zidek wrote:
>>> Date: Fri, 17 Jan 2014 09:46:08 -0500
>>> From: Dmitri Pal <[email protected]>
>>> To: [email protected]
>>> Subject: Re: [Freeipa-users] SSSD Failover does not work
>>> Message-ID: <[email protected]>
>>> Content-Type: text/plain; charset=ISO-8859-1
>>>
>>> You would need to up the debug_level to 6 on SSSD, restart it, then
>>> simulate the situation and provide sanitized logs and sssd configuration
>>> file.
>> Hi and sorry for late reply, I've been ill and then lots of work waited
>> for me ;)
>>
>> I tried to further debug the issue and I was able to make it work by
>> adding the second ipa server also to directives ldap_uri and krb5_server
>> (it was probably my mistake to put it only to ipa_server) - of course in
>> /etc/sssd/sssd.conf
>>
>> Here is my working /etc/sssd/sssd.conf in case anyone finds it useful
>> (or someone has a comment - feel free to tell me how to make things better):
>>
>> [domain/kajot.cz]
>>
>> cache_credentials = True
>> krb5_store_password_if_offline = True
>> ipa_domain = kajot.cz
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ldap_tls_cacert = /etc/ipa/ca.crt
>> ipa_hostname = <<<SERVER NAME>>>
>> chpass_provider = ipa
>> ipa_server = id1.kajot.cz, id2.kajot.cz
>>
>> # For the SUDO integration
>> sudo_provider = ldap
>> ldap_uri = ldap://id1.kajot.cz, ldap://id2.kajot.cz
>> ldap_sudo_search_base = ou=sudoers,dc=kajot,dc=cz
>> ldap_sasl_mech = GSSAPI
>> ldap_sasl_authid = host/redmine.kajot.cz
>> ldap_sasl_realm = KAJOT.CZ
>> krb5_server = id1.kajot.cz, id2.kajot.cz
>>
>>
>> ldap_sudo_smart_refresh_interval = 120
>> ldap_sudo_full_refresh_interval = 300
>>
>> [sssd]
>> services = nss, pam, ssh, sudo
>> config_file_version = 2
>>
>> domains = kajot.cz
>>
>> [nss]
>>
>> [pam]
>>
>> [sudo]
>>
>> [autofs]
>>
>> [ssh]
>>
>> [pac]
>>
>>
>> P.S. I hope it gets posted to the right place, Thunderbird and digest
>> mode is probably not very good combination.. If it goes wrong, sorry in
>> advance.
>>
>> S.
>>
> Ah, I didn't realize you were mixing several provider types. It's the
> right thing to do for sudo integration with RHEL-6, unfortunately.
>
> In 6.6 there will be (and there already is in 7.0 and upstream 1.9.6 and
> later) a native sudo_provider=ipa so you'll be able to streamline your
> configuration even more.
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
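
Added example, not part of the original thread and not SSSD or FreeIPA code: a check for the misconfiguration discussed above, where the second server is listed in ipa_server but missing from ldap_uri and krb5_server. The function names and the sample configuration are constructed for illustration.

```python
# Added example: verifies that every failover-relevant directive in an SSSD
# domain section names the same set of servers.
import configparser
from urllib.parse import urlparse

# Directives named in the thread; each holds a comma-separated server list.
FAILOVER_KEYS = ("ipa_server", "ldap_uri", "krb5_server")

# Constructed sample: the pre-fix situation described in the thread, where the
# second server was added to ipa_server only.
SAMPLE_BEFORE = """
[domain/kajot.cz]
id_provider = ipa
ipa_server = id1.kajot.cz, id2.kajot.cz
sudo_provider = ldap
ldap_uri = ldap://id1.kajot.cz
krb5_server = id1.kajot.cz
"""

def hosts(value):
    """Return lower-cased host names from a comma-separated list of hosts or LDAP URIs."""
    out = []
    for item in (v.strip() for v in value.split(",")):
        if not item or item == "_srv_":       # _srv_ asks SSSD for DNS SRV discovery
            continue
        host = urlparse(item).hostname if "://" in item else item.split(":")[0]
        if host:                              # skip malformed entries with no host part
            out.append(host.lower())
    return out

def failover_gaps(conf_text):
    """Map 'section/key' -> sorted servers that other directives list but this one lacks."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    gaps = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        present = {k: set(hosts(cp[section][k])) for k in FAILOVER_KEYS if k in cp[section]}
        union = set().union(*present.values())
        for key, servers in present.items():
            if union - servers:
                gaps[f"{section}/{key}"] = sorted(union - servers)
    return gaps

if __name__ == "__main__":
    for where, missing in failover_gaps(SAMPLE_BEFORE).items():
        print(f"{where}: no failover to {', '.join(missing)}")
```

Run against the working configuration quoted in the thread, the check reports no gaps, because all three directives list both id1 and id2.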
