On (20/09/16 15:06), Lachlan Musicman wrote:
>Hola,
>
>What is the relationship between the IPA server, host-clients and the
>sssd.conf?
>
>From what I can tell, sssd.conf is edited/changed by the ipa-client-install
>process on the host-client.
>
>What level of similarity does there need to be between the two sssd.confs?
>
>My server's sssd.conf has a significant number of extra parameters set that
>are not getting put onto the clients.
>
>Debug levels are the most obvious, and understandable, omissions - but some
>others are frustrating.
>
>The (non debug_level) parameters missing are:
>----------------------
>[domain/unixdev.etc]
>ignore_group_members = True
It was probably set as a result of performance tuning.

>ldap_purge_cache_timeout = 0
That's the default since 1.13.0.

>subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
That's a specific option for sssd on an IPA server.

>selinux_provider = none
It was probably set as a workaround for a bug which has already been fixed.

>ipa_server_mode = True
That's a specific option for sssd on an IPA server.

>sudo_provider = ldap
>ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
>ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
>ldap_sasl_mech = GSSAPI
>ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
>ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
>krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au
The previous 7 options are not required since sssd-1.10.

>
>[sssd]
>config_file_version = 2
>domains = unixdev.etc
>
>[nss]
>memcache_timeout = 600
This option is set by ipa-*-install in ipa server mode.

>----------------------
>
>The other diff is that the
>
>host has: ipa_server = vmdv-linuxidm1.unixdev.petermac.org.au
>client has: ipa_server = _srv_, vmdv-linuxidm1.unixdev.petermac.org.au
>
>Which I presume is expected/desired.
>
>And the reason I ask is because we have selinux disabled, and without the
Do you mean disabled or permissive?
BTW freeIPA works well with SELinux in enforcing mode.

>"selinux_provider = none" line, we would get kicked out as soon as freeipa
>had logged us in with message:
>
Disabled SELinux should not affect authentication; but I didn't test that.

>Connection to test_client.unixdev.petermac.org.au closed by remote host.
>
>and on that host-client there was a brand new selinux_child.log that I'd
>never seen before.
>

LS

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
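An added example, not part of this thread and not code from the FreeIPA or SSSD projects: a small Python script that parses a server-side and a client-side sssd.conf, lists every option present only on the server, and labels each one with the category the reply above gives it (server-only, redundant since sssd 1.10, a default, tuning, or a workaround), plus the options whose values differ between the two files. The two sample configs are constructed from the values quoted in the thread; the category sets and the debug_level value are assumptions made for the example, not facts taken from SSSD documentation.

```python
"""Compare an IPA server's sssd.conf with an IPA client's sssd.conf and
explain each server-only option using the categories from the thread.
Sample configs are constructed from the thread's quoted values (assumption)."""
import configparser

# Categories below are assumptions derived from the reply in the thread.
SERVER_ONLY = {"ipa_server_mode", "subdomain_inherit", "memcache_timeout"}
# Explicit ldap/krb5 settings the ipa provider derives itself since sssd 1.10.
REDUNDANT_SINCE_1_10 = {
    "sudo_provider", "ldap_uri", "ldap_sudo_search_base", "ldap_sasl_mech",
    "ldap_sasl_authid", "ldap_sasl_realm", "krb5_server",
}
# Option/value pairs that only restate a default (0 is the default since 1.13.0).
DEFAULT_VALUES = {("ldap_purge_cache_timeout", "0")}
TUNING = {"ignore_group_members"}
WORKAROUND = {"selinux_provider"}

SERVER_CONF = """
[domain/unixdev.etc]
debug_level = 6
ignore_group_members = True
ldap_purge_cache_timeout = 0
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
selinux_provider = none
ipa_server_mode = True
sudo_provider = ldap
ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au
ipa_server = vmdv-linuxidm1.unixdev.petermac.org.au

[sssd]
config_file_version = 2
domains = unixdev.etc

[nss]
memcache_timeout = 600
"""

CLIENT_CONF = """
[domain/unixdev.etc]
ipa_server = _srv_, vmdv-linuxidm1.unixdev.petermac.org.au

[sssd]
config_file_version = 2
domains = unixdev.etc

[nss]
"""


def load_sssd_conf(text):
    """Parse sssd.conf text; sssd option names are case-sensitive and values
    contain no '%' interpolation, so both configparser defaults are disabled."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def classify(option, value):
    """Label one server-only option with the thread's explanation for it."""
    if option == "debug_level":
        return "debug"
    if option in SERVER_ONLY:
        return "server-only"
    if option in REDUNDANT_SINCE_1_10:
        return "redundant (ipa provider derives it; not needed since sssd 1.10)"
    if (option, value) in DEFAULT_VALUES:
        return "default (no effect)"
    if option in TUNING:
        return "performance tuning"
    if option in WORKAROUND:
        return "workaround for a fixed bug; review before copying"
    return "unknown: review manually"


def server_only_options(server_text, client_text):
    """Return {(section, option): (value, label)} for options that exist in
    the server config but are absent from the client config."""
    server, client = load_sssd_conf(server_text), load_sssd_conf(client_text)
    result = {}
    for section in server.sections():
        for option, value in server.items(section):
            if client.has_option(section, option):
                continue
            result[(section, option)] = (value, classify(option, value))
    return result


def differing_options(server_text, client_text):
    """Return {(section, option): (server_value, client_value)} for options
    set on both sides with different values (e.g. ipa_server with _srv_)."""
    server, client = load_sssd_conf(server_text), load_sssd_conf(client_text)
    return {
        (s, o): (v, client.get(s, o))
        for s in server.sections()
        for o, v in server.items(s)
        if client.has_option(s, o) and client.get(s, o) != v
    }


if __name__ == "__main__":
    for (section, option), (value, label) in server_only_options(SERVER_CONF, CLIENT_CONF).items():
        print(f"[{section}] {option} = {value}: {label}")
    for (section, option), (sv, cv) in differing_options(SERVER_CONF, CLIENT_CONF).items():
        print(f"[{section}] {option}: server={sv!r} client={cv!r}")
```

Run it as-is to see the labelled list; point `SERVER_CONF` and `CLIENT_CONF` at real files (read with `open(...).read()`) to compare an actual pair. Note that `client.has_option` returns False for a section the client lacks entirely, so a whole missing section is reported option by option rather than raising.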