On Tue, Jun 21, 2011 at 11:37, Stephen Gallagher <sgall...@redhat.com> wrote:
> On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote:
>> Hi,
>>
>> On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher <sgall...@redhat.com> wrote:
>> > On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
>> >> Hi,
>> >>
>> >> I'm still running a FreeIPA 1.2 server but have started installing
>> >> Fedora 15 clients and am trying to figure out how to manually set up
>> >> the Krb/LDAP configuration.
>> >>
>> >> I've run the 'authconfig-tui' command and manually set up Krb
>> >> authentication and LDAP authorisation, using DNS discovery for the
>> >> servers. The authentication is working correctly, but when I run 'id
>> >> $USERNAME' I don't receive the correct groups, so I believe that
>> >> Kerberos is working, but the LDAP configuration is wrong. I've turned
>> >> the sssd loglevel up to 100, but I can't figure out why I'm not
>> >> getting the correct groups.
>> >>
>> >> My system has a variety of files and I'm not sure which are still in use:
>> >>
>> >> /etc/krb5.conf
>> >> /etc/pam_ldap.conf
>> >> /etc/sssd/sssd.conf
>> >>
>> >> On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' -
>> >> this is not present on F15.
>> >>
>> >> Can anyone help me figure out how to get the group lookups working?
>> >
>> >
>> > Probably you need to add ldap_schema=rfc2307bis into the
>> > [domain/default] section of /etc/sssd/sssd.conf.
>> >
>> > If you just set authconfig up as an LDAP server, it defaults to
>> > ldap_schema = rfc2307, which uses a different attribute on the server to
>> > contain group memberships.
>>
>> Thanks, but I've tried both of those entries - it doesn't appear to
>> make any difference.
>>
>> Dan
>
>
> Could you attach your
> (sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf
> and /etc/pam.d/system-auth?

Attached, thanks. The only changes are domain names and 'dc=*' entries.

One thing that I just noticed: the system-auth file has pam_krb5.so entries; previously, these were pam_sss.so - I've tried using both, but neither appears to work.

Thanks,

Dan

Attachments: nsswitch.conf, system-auth, krb5.conf, sssd.conf
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
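
Added example (not part of the original thread, and not SSSD's own code): a simplified model of the schema difference mentioned in the quoted reply, where rfc2307 groups list members as bare login names in memberUid and rfc2307bis groups list them as full DNs in member. The entries, DNs and function names are constructed for illustration, and the DN comparison is a simplification that ignores escaped commas.

```python
# Simplified model of LDAP group lookup under the two schemas; not SSSD code.
# Every entry, DN and name below is constructed sample data.

USER = {"uid": "dan", "dn": "uid=dan,cn=users,dc=example,dc=com"}

# Groups stored rfc2307bis-style: "member" holds full DNs.
GROUPS_BIS = [
    {"cn": "admins", "member": ["uid=dan,cn=users,dc=example,dc=com"]},
    {"cn": "staff", "member": ["UID=Dan, CN=users, DC=example, DC=com"]},
    {"cn": "guests", "member": ["uid=eve,cn=users,dc=example,dc=com"]},
]

# Groups stored rfc2307-style: "memberUid" holds bare login names.
GROUPS_2307 = [
    {"cn": "admins", "memberUid": ["dan", "eve"]},
    {"cn": "guests", "memberUid": ["eve"]},
]


def normalize_dn(dn):
    """Lower-case and strip spaces around RDNs (ignores escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def groups_for_user(user, groups, schema):
    """Return the group names a client would resolve for `user` under `schema`."""
    if schema == "rfc2307":
        return sorted(g["cn"] for g in groups if user["uid"] in g.get("memberUid", []))
    if schema == "rfc2307bis":
        target = normalize_dn(user["dn"])
        return sorted(g["cn"] for g in groups
                      if target in {normalize_dn(m) for m in g.get("member", [])})
    raise ValueError(f"unknown schema: {schema}")


def stored_schema(groups):
    """Guess which schema the server-side entries follow from their attributes."""
    attrs = {a for g in groups for a in g}
    if "member" in attrs and "memberUid" not in attrs:
        return "rfc2307bis"
    if "memberUid" in attrs and "member" not in attrs:
        return "rfc2307"
    return "mixed-or-unknown"


if __name__ == "__main__":
    for schema in ("rfc2307", "rfc2307bis"):
        print(schema, "->", groups_for_user(USER, GROUPS_BIS, schema))
    print("entries look like:", stored_schema(GROUPS_BIS))
```

When the client's schema setting does not match the attribute the directory entries actually carry, the lookup returns an empty group list rather than an error, which is the symptom 'id' shows as missing groups.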