On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote:
> Hi folks,
>
> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
> Debian Stretch
  ~~~~~~~~~~~~~~
This is important I guess.

Since SSSD 1.15, SSSD allows to socket-activate the services, so it is no
longer required to have them explicitly listed in the services line of
the sssd section.

But:
    - there were some nasty bugs in the first version of the socket
      activation. We will be releasing 1.15.1 today to address those
      issues
    - the sockets must be enabled (systemctl status sssd-nss.socket). I
      understand Debian is doing this but I'm neither Debian user nor
      developer. I would suggest to ask on some Debian-specific forum
      or file a bug report if the resulting configuration doesn't work.

> ipa-client-install creates a bad sssd.conf file, e.g.
>
> [domain/example.com]
>
> cache_credentials = True
> krb5_store_password_if_offline = True
> ipa_domain = example.com
> id_provider = ipa
> auth_provider = ipa
> access_provider = ipa
> ldap_tls_cacert = /etc/ipa/ca.crt
> ipa_hostname = stretch1.vs.example.com
> chpass_provider = ipa
> ipa_server = _srv_, ipa1.example.com
> dns_discovery_domain = example.com
> [sssd]
> domains = example.com
> services = sudo

btw I find it strange that sudo is listed. I would expect either all or
no services to be listed.

The feature is backwards-compatible, so if you list the services
explicitly, the sssd process would still start them explicitly, just as
it did with previous versions.

> [sudo]
>
>
> Esp. the services for nss, pam and ssh are not setup. Is this
> as expected?
>
>
> Every helpful comment is highly appreciated.
> Harri
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
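
The check described in the reply above, as an added example that is not part of the original message or of the SSSD project: it lists the responders missing from the `services` line and asks systemd whether their socket units are enabled. The function names, the `WANTED` list and the unit names other than `sssd-nss.socket` (assumed to follow the same `sssd-<responder>.socket` pattern) are assumptions; the sample file is constructed from the configuration quoted in the thread.

```sh
#!/bin/sh
# Added example: which SSSD responders rely on socket activation only?
WANTED="nss pam ssh sudo"   # assumption: responders an IPA client needs
# Constructed sample: the [sssd] section quoted in the thread.
write_sample() {
    cat > "$1" <<'EOF'
[domain/example.com]
id_provider = ipa
[sssd]
domains = example.com
services = sudo
[sudo]
EOF
}
# Print the raw value of "services" from the [sssd] section of file $1.
listed_services() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, ""); gsub(/,/, " "); print; exit
        }
    ' "$1"
}
# Print the wanted responders that are NOT listed, space separated.
socket_only_services() {
    listed=" $(listed_services "$1" | tr -s ' \t' ' ') "
    out=""
    for svc in $WANTED; do
        case "$listed" in
            *" $svc "*) ;;                      # started by the sssd monitor
            *) out="${out:+$out }$svc" ;;       # needs its socket unit
        esac
    done
    printf '%s\n' "$out"
}
# For each socket-only responder, report the state of its socket unit.
check_sockets() {
    for svc in $(socket_only_services "$1"); do
        unit="sssd-$svc.socket"
        if systemctl is-enabled --quiet "$unit" 2>/dev/null; then
            echo "$unit: enabled"
        else
            echo "$unit: not enabled (or systemctl unavailable)"
        fi
    done
}
# Use the file given as $1, or fall back to the constructed sample.
conf_path="${1:-}"
if [ -z "$conf_path" ]; then
    conf_path=$(mktemp) && write_sample "$conf_path"
fi
check_sockets "$conf_path"
```

Run it as root against `/etc/sssd/sssd.conf`, since that file is normally not world-readable.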