On Tue, 2011-06-21 at 11:58 -0400, Dan Scott wrote:
> On Tue, Jun 21, 2011 at 11:37, Stephen Gallagher <sgall...@redhat.com> wrote:
> > On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote:
> >> Hi,
> >>
> >> On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher <sgall...@redhat.com> wrote:
> >> > On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote:
> >> >> Hi,
> >> >>
> >> >> I'm still running a FreeIPA 1.2 server but have started installing Fedora 15 clients and am trying to figure out how to manually set up the Krb/LDAP configuration.
> >> >>
> >> >> I've run the 'authconfig-tui' command and manually set up Krb authentication and LDAP authorisation, using DNS discovery for the servers. The authentication is working correctly, but when I run 'id $USERNAME' I don't receive the correct groups, so I believe that Kerberos is working, but the LDAP configuration is wrong. I've turned the sssd loglevel up to 100, but I can't figure out why I'm not getting the correct groups.
> >> >>
> >> >> My system has a variety of files and I'm not sure which are still in use:
> >> >>
> >> >> /etc/krb5.conf
> >> >> /etc/pam_ldap.conf
> >> >> /etc/sssd/sssd.conf
> >> >>
> >> >> On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' - this is not present on F15.
> >> >>
> >> >> Can anyone help me figure out how to get the group lookups working?
> >> >
> >> > Probably you need to add ldap_schema=rfc2307bis into the [domain/default] section of /etc/sssd/sssd.conf.
> >> >
> >> > If you just set authconfig up as an LDAP server, it defaults to ldap_schema = rfc2307, which uses a different attribute on the server to contain group memberships.
> >>
> >> Thanks, but I've tried both of those entries - it doesn't appear to make any difference.
> >>
> >> Dan
> >
> > Could you attach your (sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf and /etc/pam.d/system-auth?
>
> Attached, thanks. The only changes are domain names and 'dc=*' entries.
>
> One thing that I just noticed: the system-auth file has pam_krb5.so entries; previously, these were pam_sss.so. I've tried using both, but neither appears to work.
>
> Thanks,
>
> Dan
Your /etc/nsswitch.conf is wrong. I just noticed that you were using authconfig-tui, which is deprecated upstream and does not properly set up SSSD. Only 'authconfig' (command-line) or 'authconfig-gtk' (GUI) works properly. Feel free to file a bug against authconfig.

/etc/nsswitch.conf needs to specify 'sss' instead of 'ldap' to use SSSD. Similarly, system-auth needs to use pam_sss.so, not pam_krb5.so.

If you run 'authconfig --enablesssd --enablesssdauth --update' you should be fine. This will update the config files with the correct SSSD-related settings.
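The two misconfigurations named in the reply (nsswitch.conf still routing passwd/shadow/group lookups to 'ldap', and system-auth loading pam_krb5.so instead of pam_sss.so) can be spotted before running authconfig. The script below is an added example, not part of the thread or of SSSD/authconfig; it takes file paths as arguments (defaulting to the /etc locations) and ends with a constructed pair of sample files reproducing the broken state.

```shell
#!/bin/sh
# Added diagnostic (not from the thread): check whether a client's nsswitch.conf
# and system-auth were left in the pre-SSSD state described above, i.e. 'ldap'
# instead of 'sss' in nsswitch and pam_krb5.so instead of pam_sss.so in PAM.

check_nsswitch() {
    # $1: path to an nsswitch.conf. passwd, shadow and group must list 'sss'.
    nss="$1"; rc=0
    for db in passwd shadow group; do
        line=$(grep -E "^[[:space:]]*$db:" "$nss" | head -n 1 | tr '\t' ' ')
        case " $line " in
            *" sss "*) ;;
            *) echo "nsswitch: '$db' does not use sss: ${line:-<missing>}"; rc=1 ;;
        esac
        case " $line " in
            *" ldap "*) echo "nsswitch: '$db' still lists ldap (use sss with SSSD)"; rc=1 ;;
        esac
    done
    return $rc
}

check_system_auth() {
    # $1: path to a PAM stack such as /etc/pam.d/system-auth.
    pam="$1"; rc=0
    grep -Eq '^[[:space:]]*(auth|account|password|session)[[:space:]].*pam_sss\.so' "$pam" \
        || { echo "system-auth: no pam_sss.so entries"; rc=1; }
    grep -Eq '^[[:space:]]*(auth|account|password|session)[[:space:]].*pam_krb5\.so' "$pam" \
        && { echo "system-auth: pam_krb5.so present; SSSD clients need pam_sss.so"; rc=1; }
    return $rc
}

check_sssd_client() {
    # Returns 0 if both files are SSSD-ready, 1 otherwise (defaults to /etc paths).
    ok=0
    check_nsswitch "${1:-/etc/nsswitch.conf}" || ok=1
    check_system_auth "${2:-/etc/pam.d/system-auth}" || ok=1
    [ "$ok" -eq 0 ] || echo "Fix with: authconfig --enablesssd --enablesssdauth --update"
    return $ok
}

# Constructed sample files reproducing the broken state from the thread.
demo_dir=$(mktemp -d)
printf 'passwd:     files ldap\nshadow:     files ldap\ngroup:      files ldap\n' > "$demo_dir/nsswitch.conf"
printf 'auth        sufficient    pam_krb5.so use_first_pass\naccount     [default=bad success=ok user_unknown=ignore] pam_krb5.so\n' > "$demo_dir/system-auth"
status=0; check_sssd_client "$demo_dir/nsswitch.conf" "$demo_dir/system-auth" || status=$?
echo "demo exit status: $status"   # 1: both files still point at ldap/pam_krb5
rm -rf "$demo_dir"
```

Run it with no arguments on the client after 'authconfig --enablesssd --enablesssdauth --update' and it should report both files as SSSD-ready.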
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users