[Freeipa-users] sssd issues

Dmitri Pal dpal at redhat.com
Tue Aug 16 16:43:10 UTC 2011


On 08/16/2011 12:34 PM, Dmitri Pal wrote:
> On 08/16/2011 10:29 AM, Jakub Hrozek wrote:
>> On Tue, Aug 16, 2011 at 03:56:48PM +0200, Ondrej Valousek wrote:
>>> Hi list,
>>> Ok here is the list of issues I discovered while configuring sssd against Win2008 AD & rfc2307bis schema:
>>> 1. If I specify both dns_discovery_domain and ldap_uri parameters
>>> then what happens is that dns srv discovery returns a list of ldap
>>> servers. Now if the first one found is not working, others are not
>>> tried. I have to comment out the 'ldap_uri' parameter to make it
>>> work correctly.
>> Can you paste how exactly the ldap_uri line looks? I presume you would
>> like to try the service discovery first and if that fails, fall back to
>> a hardcoded hostname. In that case, ldap_uri should say:
>>
>> ldap_uri = _srv_, adserver.example.com
>>
>> That should work. 
>>
>>> 2. SSSD is unable to detect default Kerberos realm as per /etc/krb5.conf - I have to configure it manually
>>>
>>> 3. Why do we actually need to specify Kerberos realm and KDC? Isn't /etc/krb5.conf supposed to record this kind of parameter?
>> I think this has both historical (we used to say you don't need
>> /etc/krb5.conf at all with SSSD) and practical reasons - there can be more
>> SSSD domains with different realms and KDCs at the same time.
>>
>>> 4. authconfig is unable to configure sssd to use IPA backend provider
>>>
>> This was supposedly done to avoid people using authconfig-gtk to
>> configure clients against IPAv1, but I don't remember the exact reason.
> Historically when the authconfig design was done there was no released
> IPA product of the v2 level in Fedora or RHEL.
> I thought 6.1 authconfig was enhanced to configure sssd but AFAIR
> Kerberos and LDAP not IPA. If this is the case we need to file an ER.

Checked...
I do not see any ERs for authconfig to support IPA back end.
I have opened one:
https://bugzilla.redhat.com/show_bug.cgi?id=731094
and also added a tracking ticket on our side:
https://fedorahosted.org/sssd/ticket/969

>> Maybe someone else does?
>>
>


-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.

