What is the relationship between the IPA server, host-clients and the
From what I can tell, sssd.conf is edited/changed by the ipa-client-install
process on the host-client.
What level of similarity does there need to be between the two sssd.confs?
My server's sssd.conf has a significant number of extra parameters set that
are not getting put onto the clients.
Debug levels are the most obvious, and understandable, omissions - but some
others are frustrating.
The (non debug_level) parameters missing are:
ignore_group_members = True
ldap_purge_cache_timeout = 0
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
selinux_provider = none
ipa_server_mode = True
sudo_provider = ldap
ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au
config_file_version = 2
domains = unixdev.etc
memcache_timeout = 600
The other diff is that the
host has: ipa_server = vmdv-linuxidm1.unixdev.petermac.org.au
client has: ipa_server = _srv_, vmdv-linuxidm1.unixdev.petermac.org.au
Which I presume is expected/desired.
And the reason I ask is because we have selinux disabled, and without the
"selinux_provider = none" line, we would get kicked out as soon as freeipa
had logged us in with message:
Connection to test_client.unixdev.petermac.org.au closed by remote host.
and on that host-client there was a brand new selinux_child.log that I'd
never seen before.
The most dangerous phrase in the language is, "We've always done it this
- Grace Hopper
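
The by-hand comparison described in the post can be scripted. The following is an added example, not part of the original message or the FreeIPA project: it compares two sssd.conf texts section by section and ignores debug_level. The host and domain names are constructed placeholders.

```python
import configparser

# Constructed samples modelled on the parameters listed in the post;
# "example.test" and "idm1" are placeholders, not the poster's values.
SERVER_CONF = """
[domain/example.test]
id_provider = ipa
ipa_server = idm1.example.test
ipa_server_mode = True
selinux_provider = none
ignore_group_members = True
debug_level = 6
"""
CLIENT_CONF = """
[domain/example.test]
id_provider = ipa
ipa_server = _srv_, idm1.example.test
"""
IGNORED = {"debug_level"}  # expected to differ, as the post notes

def parse(text):
    # interpolation=None: sssd.conf values may legitimately contain '%'
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def compare(server_text, client_text):
    """Return (missing_on_client, differing), keyed by (section, option)."""
    server, client = parse(server_text), parse(client_text)
    missing, differing = {}, {}
    for section, opts in server.items():
        c_opts = client.get(section, {})
        for key, value in opts.items():
            if key in IGNORED:
                continue
            if key not in c_opts:
                missing[(section, key)] = value
            elif c_opts[key] != value:
                differing[(section, key)] = (value, c_opts[key])
    return missing, differing

if __name__ == "__main__":
    missing, differing = compare(SERVER_CONF, CLIENT_CONF)
    for (sec, key), val in sorted(missing.items()):
        print(f"missing on client  [{sec}] {key} = {val}")
    for (sec, key), (s, c) in sorted(differing.items()):
        print(f"differs  [{sec}] {key}: server={s!r} client={c!r}")
```

The script only reports differences; whether a given option belongs on a client is still a per-option decision.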