I`ll try such a test setup, then share information about results.
14-Oct-14 15:04, Petr Spacek пишет:
On 14.10.2014 11:49, Orkhan Gasimov wrote:
I suspected that problems could arise with DNS, and here they are...
In fact, this entire string: "ipa_server = _srv_ #our FreeIPA server
SRV entries" was taken as-is from the how-to on FreeBSD forums. First I
commented it out, because was unsure sure if it was appropriate for
setup with just 2 VMs and and a bunch of records in /etc/hosts file.
starting sssd, I could get no IPA data with"getent passwd" or "getent
commands. They I uncommented it and restarted sssd, but things
remained the same.
Now your advice is: "...add IP address or hostname to the option
but you use an arbitrary name like "vm-120.eurosel.az". Could you please
explain which host`s FQDN I should put there? If I use
sssd won`t start (complains about "...Looping detected inside
If it MUST be a DNS server, then everything changes. And the question
becomes: is it possible to set up a test FreeIPA client-server
using only 2 VMs and proper records in /etc/hosts instead of a DNS
one MUST add a third VM and make it a DNS server to facilitate
IPA theoretically can work without DNS records but it requires very
careful configuration on clients and is strongly discouraged.
If you want to do quick & dirty test, do this:
$ ipa-server-install --setup-dns --forwarder <ip address of your
*existing* DNS server>
+ specify IPA domain name which is sub-domain of you existing domain
+ change /etc/resolv.conf on *all* clients to point to IPA server
*This is a dirty trick* and it will not work unless all your clients
has the IPA server in resolv.conf. It will most likely break when you
try to use AD trust with AD clients etc.
*In production environment* you should add NS records for
ipa.eurosel.az domain to the parent DNS zone to create proper
delegation. In that case you don't need to fiddle with resolv.conf on
Let me know if you need further assistance.
14-Oct-14 12:58, Lukas Slebodnik пишет:
On (14/10/14 10:23), Orkhan Gasimov wrote:
Thanks to both of you for the interest.
Here`s the info you asked:
1. Putting "debug_level = 7" either in [domain] or/and [nss]
section of the
/usr/local/etc/sssd/sssd.conf file gives nothing in the log. The
located at /var/log/sssd/sssd.log is only populated with data when
some errors in sssd.conf & sssd process fails to start. But that`s
only if I deliberately introduce some errors; with current
2. My original sssd.conf (without debugs) is as follows (exact copy
was shown in the post at FreeBSD forums):
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = mydomain.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa1.mydomain.com
chpass_provider = ipa
ipa_server = _srv_ #our FreeIPA server has DNS SRV entries
[resolv_getsrv_send] (0x0100): Trying to resolve SRV record of
[resolve_srv_done] (0x0020): SRV query failed: [Domain name not found]
[set_srv_data_status] (0x0100): Marking SRV lookup of service 'IPA'
[be_resolve_server_process] (0x0080): Couldn't resolve server (SRV
meta-server), resolver returned (5)
DNS discovery of IPA server failed, becuase you just configured few
You can add IP address or hostname to the option ipa_server
ipa_server = _srv_, vm-120.eurosel.az
BTW In my opinion, it is better to have comment before the optiona
and not on
the same line :-)
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project