I suspected that problems could arise with DNS, and here they are...
In fact, this entire string: "ipa_server = _srv_ #our FreeIPA server has
DNS SRV entries" was taken as-is from the how-to on FreeBSD forums.
First I commented it out, because was unsure sure if it was appropriate
for my simple setup with just 2 VMs and and a bunch of records in
/etc/hosts file. After starting sssd, I could get no IPA data
with"getent passwd" or "getent group" commands. They I uncommented it
and restarted sssd, but things remained the same.
Now your advice is: "...add IP address or hostname to the option
ipa_server", but you use an arbitrary name like "vm-120.eurosel.az".
Could you please explain which host`s FQDN I should put there? If I use
"ipa1.eurosel.az", then sssd won`t start (complains about "...Looping
detected inside krb5_get_in_tkt...").
If it MUST be a DNS server, then everything changes. And the question
then becomes: is it possible to set up a test FreeIPA client-server
interaction using only 2 VMs and proper records in /etc/hosts instead of
a DNS server? Or one MUST add a third VM and make it a DNS server to
facilitate client-server interaction?
14-Oct-14 12:58, Lukas Slebodnik пишет:
On (14/10/14 10:23), Orkhan Gasimov wrote:
Thanks to both of you for the interest.
Here`s the info you asked:
1. Putting "debug_level = 7" either in [domain] or/and [nss] section of the
/usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file
located at /var/log/sssd/sssd.log is only populated with data when I make
some errors in sssd.conf & sssd process fails to start. But that`s the case
only if I deliberately introduce some errors; with current configuration sssd
2. My original sssd.conf (without debugs) is as follows (exact copy of what
was shown in the post at FreeBSD forums):
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
[resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
[set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup
meta-server), resolver returned (5)
DNS discovery of IPA server failed, becuase you just configured few hostnames
You can add IP address or hostname to the option ipa_server
ipa_server = _srv_, vm-120.eurosel.az
BTW In my opinion, it is better to have comment before the optiona and not on
the same line :-)
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project