On Fri, Mar 03, 2017 at 08:45:10AM +0100, Harald Dunkel wrote:
> Hi folks,
> 
> running freeipa client 4.3.2-5 and sssd 1.15.0-3 on
> Debian Stretch
  ~~~~~~~~~~~~~~
This is important I guess.

Since SSSD 1.15, SSSD allows the services to be socket-activated, so it is
no longer required to have them explicitly listed in the services line
of the sssd section. But:
    - there were some nasty bugs in the first version of the socket
      activation. We will be releasing 1.15.1 today to address those
      issues
    - the sockets must be enabled (systemctl status sssd-nss.socket). I
      understand Debian is doing this but I'm neither a Debian user nor
      a developer. I would suggest asking on some Debian-specific forum or
      filing a bug report if the resulting configuration doesn't work.

> ipa-client-install creates a bad sssd.conf file, e.g.
> 
>       [domain/example.com]
> 
>       cache_credentials = True
>       krb5_store_password_if_offline = True
>       ipa_domain = example.com
>       id_provider = ipa
>       auth_provider = ipa
>       access_provider = ipa
>       ldap_tls_cacert = /etc/ipa/ca.crt
>       ipa_hostname = stretch1.vs.example.com
>       chpass_provider = ipa
>       ipa_server = _srv_, ipa1.example.com
>       dns_discovery_domain = example.com
>       [sssd]
>       domains = example.com
>       services = sudo

btw I find it strange that sudo is listed. I would expect either all or
no services to be listed. The feature is backwards-compatible, so if you
list the services explicitly, the sssd process would still start them
explicitly, just as it did with previous versions.

>       [sudo]
> 
> 
> Esp. the services for nss, pam and ssh are not set up. Is this
> as expected?
> 
> 
> Every helpful comment is highly appreciated.
> Harri
> 
> -- 
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

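Added example, not part of the original message or of SSSD itself: a shell check for the situation described above. It reads the services line of the [sssd] section and reports which of nss, pam, ssh and sudo are not listed and therefore only start if their socket unit is enabled. The unit names other than sssd-nss.socket are assumed to follow the same sssd-<responder>.socket pattern, and the sample config is constructed from the one quoted in the thread.

```sh
#!/bin/sh
# Added example. Responders named in the thread.
RESPONDERS="nss pam ssh sudo"

# Print each entry of "services" in the [sssd] section, one per line.
listed_services() {
    awk '
        /^[ \t]*\[/ { in_sssd = ($0 ~ /^[ \t]*\[sssd\][ \t]*$/); next }
        in_sssd && /^[ \t]*services[ \t]*=/ {
            sub(/^[^=]*=/, ""); gsub(/[ \t]/, "")
            n = split($0, a, ",")
            for (i = 1; i <= n; i++) if (a[i] != "") print a[i]
        }
    ' "$1"
}

# Print the responders missing from the services line. With SSSD 1.15+
# these are not started by the sssd process and depend on socket activation.
socket_dependent() {
    listed=$(listed_services "$1")
    for r in $RESPONDERS; do
        printf '%s\n' "$listed" | grep -qx "$r" || printf '%s\n' "$r"
    done
}

# On a live host: show whether each needed socket unit is enabled.
# Unit names are an assumption modelled on sssd-nss.socket from the thread.
# Usage: check_sockets /etc/sssd/sssd.conf
check_sockets() {
    for r in $(socket_dependent "$1"); do
        unit="sssd-$r.socket"
        state=$(systemctl is-enabled "$unit" 2>/dev/null) || state=${state:-unknown}
        printf '%s: %s\n' "$unit" "$state"
    done
}

# Constructed sample, shortened from the sssd.conf quoted in the thread.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
[domain/example.com]
id_provider = ipa
[sssd]
domains = example.com
services = sudo
[sudo]
EOF
socket_dependent "$SAMPLE"
```
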