On 14/03/16 12:21, Alexander Bokovoy wrote:
On Mon, 14 Mar 2016, Jan Pazdziora wrote:
On Sun, Mar 13, 2016 at 03:34:27PM +0200, Alexander Bokovoy wrote:
On Sun, 13 Mar 2016, lejeczek wrote:
>IPA install process configured in sssd.conf:
>[domain/new.Domain]
>cache_credentials = True
>krb5_store_password_if_offline = True
>ipa_domain = newDomain
>id_provider = ipa
>...
>...
>[domain/default] # < this is ldap that existed before, krb5 related options are new additions
>autofs_provider = ldap
>cache_credentials = True
>krb5_realm = new.Domain
>ldap_search_base = dc=old,dc=domain
>id_provider = ldap
>krb5_server = a.host
>
>[sssd]
>services = nss, sudo, pam, autofs, ssh
>config_file_version = 2
>domains =new.Domain
>
>so here I wonder, what's the meaning of krb5 related options and why
>install process put it into default domain which it did not include later
>in sssd section.
FreeIPA installer doesn't touch 'default' domain section at all. It always operates on the section named 'domain/<domain name>'.
Actually, that does not seem what I experience.
On RHEL 6.7 and RHEL 7.2, I've tried to start with sssd.conf containing
[domain/default]
autofs_provider = ldap
cache_credentials = True
ldap_search_base = dc=old,dc=domain
id_provider = ldap
I tried ipa-server-install and I tried ipa-client-install. In both cases, the resulting sssd.conf had the [domain/default] section removed. So something in the process seems to care about that section -- maybe not the installer, maybe authconfig or something else.
If sssd.conf exists, IPA installer (ipa-client-install) will back the file up. If there is a clash in config, it will start afresh because you anyway have a backup copy.
On the other hand, I was not able to reproduce the change to the content of the domain/default section that lejeczek reports. I guess we will need more detailed steps to reproduce, including the exact original sssd.conf and versions of relevant packages.
I suspect somebody ran authconfig separately to configure some options and it ruined sssd.conf.
yes, I've asked around and it's quite probably someone before tried/used non-IPA kerberos before.
One thing to me looks like a certain - if krb5_realm & & krb5_server (or at least krb5_realm) installer (in my case left it there in /default)
I guess a quick test would be to put krb5_realm in sssd.conf default and try, I'll do that once I've set up some VMs.
Also my ldap_search_base = dc=old,dc=domain was different from FQDN/realm which during, for the installation was new.quite.different.domain.local - in case it mattered.
Most important is that both params are now in the newly (IPA created) section, though just yet I did notice anything, it seemed ok before and it does so now.
many thanks gents
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
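
An added example, not part of the thread and not FreeIPA or SSSD code: a small audit of an sssd.conf that lists which [domain/...] sections are named on the `domains` line in [sssd], which are left unreferenced, and where krb5_* options sit. The function name `audit_sssd_conf` is hypothetical, the sample is constructed from the file quoted above, and domain names are assumed to match exactly.

```python
import configparser

# Constructed sample modelled on the sssd.conf quoted in the thread
# (the elided "..." lines are left out; values are the thread's own).
SAMPLE = """\
[domain/new.Domain]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = newDomain
id_provider = ipa

[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = new.Domain
ldap_search_base = dc=old,dc=domain
id_provider = ldap
krb5_server = a.host

[sssd]
services = nss, sudo, pam, autofs, ssh
config_file_version = 2
domains =new.Domain
"""

def audit_sssd_conf(text):
    """Compare [domain/...] sections with the [sssd] domains list (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    raw = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]
    defined = [s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")]
    krb5 = {}
    for name in defined:
        # Collect Kerberos-related options so stray ones in unused sections stand out.
        opts = {k: v for k, v in cp.items("domain/" + name) if k.startswith("krb5_")}
        if opts:
            krb5[name] = opts
    return {
        "enabled": enabled,                                      # named on the domains line
        "unused": [d for d in defined if d not in enabled],      # section exists, not listed
        "missing": [d for d in enabled if d not in defined],     # listed, no section
        "krb5": krb5,
    }

if __name__ == "__main__":
    for key, value in audit_sssd_conf(SAMPLE).items():
        print(key, "=", value)
```
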