On 2/19/11 7:33 AM, "Simo Sorce" <sso...@redhat.com> wrote:
>On Fri, 18 Feb 2011 23:09:21 -0500
>Adam Young <ayo...@redhat.com> wrote:
>
>> Here's a rough hack. It follows the steps in the test script. I
>> tested it out and it works.
>
>Truly a hack :)

More specifically: The script looks like it will functionally address RHEL6 + Fedora 14/15. You'll want to be mindful of systems that need to use nss_ldap.conf due to incompatibility with SSSD. (I believe in RHEL5 ipa-client-install actually configures nss_ldap and not SSSD.) The script, as it is, will stomp on the contents of the nss_ldap.conf file.

>
>Just one thing, do not change rc.local, it's wrong, if you really need
>to set the NIS domain (what for ?)

The domain must be set because the netgroup (and compat pieces of FreeIPA) populate the nisDomain attribute in the nisNetgroupTriple. Thus when sudo does a netgroup lookup to verify that the current host is part of a netgroup, it will fail the match because the nisdomain of the client must match that of this nisNetgroupTriple.

> then you set it like this:
>NISDOMAIN=example.com
>in /etc/sysconfig.network

There is actually a bug filed against Fedora about /etc/sysconfig.network being broken.

https://bugzilla.redhat.com/show_bug.cgi?id=665465

(I will be opening another against RHEL through support this morning as the Fedora ticket has languished.)

It only works if the system is utilizing the NIS Client as a whole (ypbind, portmap, yp.conf) ... Which is completely unnecessary. nss_ldap/sssd provide lookups into LDAP for the nisNetgroupTriple required to enumerate netgroups in Linux.

>
>Simo.
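
The domain match described in the reply above, as an added example that is not part of the original message or of FreeIPA: a simplified model of comparing a `(host,user,domain)` triple against the client's NIS domain, which separates entries that match the host but fail on the domain field alone. Function names, host names and domain values are constructed for illustration; the empty-field wildcard follows the netgroup triple convention, and exact string comparison is a simplification.

```python
import re

# "(host,user,domain)" as stored in a nisNetgroupTriple value; any field may be empty.
TRIPLE_RE = re.compile(r"^\(\s*([^,()]*?)\s*,\s*([^,()]*?)\s*,\s*([^,()]*?)\s*\)$")


def parse_triple(value):
    """Split one triple string into (host, user, domain)."""
    m = TRIPLE_RE.match(value.strip())
    if not m:
        raise ValueError(f"malformed netgroup triple: {value!r}")
    return m.groups()


def field_matches(field, wanted):
    """An empty triple field is a wildcard; otherwise compare exactly (model assumption)."""
    return field == "" or field == wanted


def check_host(triples, host, client_domain):
    """Return (matched, domain_misses) for this host and client NIS domain.

    domain_misses lists triples whose host field matches but whose domain
    field differs from the client's NIS domain: the failure described above.
    """
    matched, domain_misses = [], []
    for raw in triples:
        t_host, _user, t_domain = parse_triple(raw)
        if not field_matches(t_host, host):
            continue
        if field_matches(t_domain, client_domain):
            matched.append(raw)
        else:
            domain_misses.append(raw)
    return matched, domain_misses


# Constructed sample data, not taken from a real directory.
SAMPLE_TRIPLES = [
    "(web1.example.com,-,example.com)",
    "(db1.example.com,-,example.com)",
]

if __name__ == "__main__":
    # "(none)" is a constructed value standing in for an unset NIS domain.
    for domain in ("(none)", "example.com"):
        ok, misses = check_host(SAMPLE_TRIPLES, "web1.example.com", domain)
        print(f"client domain {domain!r}: matched={ok} domain-only misses={misses}")
```

A non-empty `domain_misses` with an empty `matched` list points at the client's NIS domain setting rather than at the netgroup membership itself.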