On Tue, 14 Oct 2014, Orkhan Gasimov wrote:
Thanks to both of you for the interest.
Here`s the info you asked:

1. Putting "debug_level = 7" either in [domain] or/and [nss] section of the /usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file located at /var/log/sssd/sssd.log is only populated with data when I make some errors in sssd.conf & sssd process fails to start. But that`s the case only if I deliberately introduce some errors; with current configuration sssd starts successfully.
SSSD writes separate log files per each section, so you need to look at
/var/log/sssd/sssd_mydomain.com.log for [domain/mydomain.com] and
/var/log/sssd/sssd_nss.log for nss section.

3. The users created at the IPA server can`t locally log in to the server, but it`s possible to ssh to the server as an IPA user from the FreeBSD host. However, there are some interesting behaviors (again, this is what happens when just following the IPA Quick Start Quide for the server side & the post from FreeBSD forums for the client side):
- home directories are not automatically created on the IPA server;
- "id" command output shows correct uid, but the group of any IPA user doesn`t show as "ipausers" - instead, the group name is the same as username, + something like "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023".
In FreeIPA in Fedora we switched off ipausers being a POSIX group.
FreeIPA supports POSIX and non-POSIX groups; the latter is for grouping
purposes as groups can be nested in FreeIPA. 'ipausers' is the group
every user is a member of but it is not a POSIX group anymore so it has
less effect on performance in large deployments (tens of thousands
users in the same group).

So it is expected. The group named as a username is a user-private group
which is maintained automatically per each user. It has the same GID as
user's UID.


--
/ Alexander Bokovoy

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to