I suspected that problems could arise with DNS, and here they are...

In fact, this entire string: "ipa_server = _srv_ #our FreeIPA server has DNS SRV entries" was taken as-is from the how-to on FreeBSD forums. First I commented it out, because I was unsure if it was appropriate for my simple setup with just 2 VMs and a bunch of records in the /etc/hosts file. After starting sssd, I could get no IPA data with "getent passwd" or "getent group" commands. Then I uncommented it and restarted sssd, but things remained the same.

Now your advice is: "...add IP address or hostname to the option ipa_server", but you use an arbitrary name like "vm-120.eurosel.az". Could you please explain which host's FQDN I should put there? If I use "ipa1.eurosel.az", then sssd won't start (complains about "...Looping detected inside krb5_get_in_tkt...").

If it MUST be a DNS server, then everything changes. And the question then becomes: is it possible to set up a test FreeIPA client-server interaction using only 2 VMs and proper records in /etc/hosts instead of a DNS server? Or one MUST add a third VM and make it a DNS server to facilitate client-server interaction?

14-Oct-14 12:58, Lukas Slebodnik wrote:
On (14/10/14 10:23), Orkhan Gasimov wrote:
Thanks to both of you for the interest.
Here's the info you asked:

1. Putting "debug_level = 7" either in [domain] or/and [nss] section of the
/usr/local/etc/sssd/sssd.conf file gives nothing in the log. The log file
located at /var/log/sssd/sssd.log is only populated with data when I make
some errors in sssd.conf & sssd process fails to start. But that's the case
only if I deliberately introduce some errors; with current configuration sssd
starts successfully.

2. My original sssd.conf (without debugs) is as follows (exact copy of what
was shown in the post at FreeBSD forums):

cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries

[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of 
[resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
[set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA' as 'not 
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV lookup 
meta-server), resolver returned (5)

DNS discovery of IPA server failed, because you just configured a few hostnames
in /etc/hosts

You can add IP address or hostname to the option ipa_server
     ipa_server = _srv_, vm-120.eurosel.az

BTW In my opinion, it is better to have the comment before the option and not on
the same line :-)
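
Added example (not part of the original thread, and not FreeIPA or SSSD code): a small check for the two points raised above, an ipa_server value that relies on `_srv_` alone in a lab that resolves names only through /etc/hosts, and a comment sharing the line with the option. The section header, the server name server.mydomain.com and the 192.0.2.10 address are constructed placeholders.

```python
import ipaddress
import re

# Constructed sample: options quoted in the thread; the section header is assumed.
SSSD_CONF = """\
[domain/mydomain.com]
id_provider = ipa
ipa_domain = mydomain.com
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
"""
# Constructed /etc/hosts content; the address and server name are placeholders.
HOSTS = "192.0.2.10 server.mydomain.com server  # IPA server\n"

def hosts_names(hosts_text):
    """Return every name that /etc/hosts can resolve without DNS."""
    names = set()
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        names.update(name.lower() for name in fields[1:])
    return names

def is_ip(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def lint_ipa_server(conf_text, hosts_text):
    """Flag ipa_server settings that depend on DNS a hosts-only lab lacks."""
    known, findings = hosts_names(hosts_text), []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        match = re.match(r"\s*ipa_server\s*=\s*(.*)$", raw)
        if not match:
            continue
        value, hash_mark, _ = match.group(1).partition("#")
        if hash_mark:
            findings.append((lineno, "comment on option line"))
        servers = [s.strip() for s in value.split(",") if s.strip()]
        explicit = [s for s in servers if s != "_srv_"]
        if "_srv_" in servers and not explicit:
            findings.append((lineno, "_srv_ without fallback server"))
        for server in explicit:
            if not is_ip(server) and server.lower() not in known:
                findings.append((lineno, "not in hosts file: " + server))
    return findings

if __name__ == "__main__":
    for lineno, message in lint_ipa_server(SSSD_CONF, HOSTS):
        print(f"sssd.conf:{lineno}: {message}")
```
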

