On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote:
> Hi folks,
> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
> Debian Stretch
This is important I guess.
Since SSSD 1.15, SSSD allows to socket-activate the services, so it is
no longer required to have them explicitly listed in the services line
of the sssd section. But:
- there were some nasty bugs in the first version of the socket
activation. We will be releasing 1.15.1 today to address those
- the sockets must be enabled (systemctl status sssd-nss.socket). I
understand Debian is doing this but I'm neither Debian user nor
developer. I would suggest to ask on some Debian-specific forum or
file a bug report if the resulting configurationd doesn't work.
> ipa-client-install creates a bad sssd.conf file, e.g.
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = example.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = stretch1.vs.example.com
> chpass_provider = ipa
> ipa_server = _srv_, ipa1.example.com
> dns_discovery_domain = example.com
> domains = example.com
> services = sudo
btw I find it strange that sudo is listed. I would expect either all or
no services to be listed. The feature is backwards-compatible, so if you
list the services explicitly, the sssd process would still start them
explicitly, just as it did with previous versions.
> Esp. the services for nss, pam and ssh are not setup. Is this
> as expected?
> Every helpful comment is highly appreciated.
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project