On Tue, Jun 21, 2011 at 14:19, Stephen Gallagher <sgall...@redhat.com> wrote: > On Tue, 2011-06-21 at 11:58 -0400, Dan Scott wrote: >> On Tue, Jun 21, 2011 at 11:37, Stephen Gallagher <sgall...@redhat.com> wrote: >> > On Tue, 2011-06-21 at 11:31 -0400, Dan Scott wrote: >> >> Hi, >> >> >> >> On Tue, Jun 21, 2011 at 11:20, Stephen Gallagher <sgall...@redhat.com> >> >> wrote: >> >> > On Tue, 2011-06-21 at 11:06 -0400, Dan Scott wrote: >> >> >> Hi, >> >> >> >> >> >> I'm still running a FreeIPA 1.2 server but have started installing >> >> >> Fedora 15 clients and am trying to figure out how to manually setup >> >> >> the Krb/LDAP configuration. >> >> >> >> >> >> I've run the 'authconfig-tui' command and manually setup Krb >> >> >> authentication and LDAP authorisation, using DNS discovery for the >> >> >> servers. The authentication is working correctly, but when I run 'id >> >> >> $USERNAME' I don't receive the correct groups, so I believe that >> >> >> Kerberos is working, but the LDAP configuration is wrong. I've turned >> >> >> the sssd loglevel up to 100, but I can't figure out why I'm not >> >> >> getting the correct groups >> >> >> >> >> >> My system has a variety of files and I'm not sure which are still in >> >> >> use: >> >> >> >> >> >> /etc/krb5.conf >> >> >> /etc/pam_ldap.conf >> >> >> /etc/sssd/sssd.conf >> >> >> >> >> >> On Fedora 14 and earlier, there used to be an '/etc/nss_ldap.conf' - >> >> >> this is not present on F15. >> >> >> >> >> >> Can anyone help me figure out how to get the group lookups working? >> >> > >> >> > >> >> > Probably you need to add ldap_schema=rfc2307bis into the >> >> > [domain/default] section of /etc/sssd/sssd.conf. >> >> > >> >> > If you just set authconfig up as an LDAP server, it defaults to >> >> > ldap_schema = rfc2307, which uses a different attribute on the server to >> >> > contain group memberships. >> >> >> >> Thanks, but I've tried both of those entries - it doesn't appear to >> >> make any difference. >> >> >> >> Dan >> > >> > >> > Could you attach your >> > (sanitized) /etc/sssd/sssd.conf, /etc/krb5.conf, /etc/nsswitch.conf >> > and /etc/pam.d/system-auth? >> >> Attached, thanks. The only changes are domain names and 'dc=*' entries. >> >> One thing that I just noticed, the system-auth file has pam_krb5.so >> entries, previously, these were pam_sss.so - I've tried using both, >> but neither appears to work. >> >> Thanks, >> >> Dan > > > Your /etc/nsswitch.conf is wrong. I just noticed that you were using > authconfig-tui which is deprecated upstream and does not properly set up > SSSD. Only 'authconfig' (command-line) or 'authconfig-gtk' (GUI) works > properly. Feel free to file a bug against authconfig. > > /etc/nsswitch.conf needs to specify 'sss' instead of 'ldap' to use SSSD. > Similarly system-auth needs to use pam_sss.so, not pam_krb5.so. > > If you run 'authconfig --enablesssd --enablesssdauth --update' you > should be fine. This will update the config files with the correct > SSSD-related settings.
Excellent! Thanks - that makes much more sense. I've been using authconfig-tui all this time and had no idea that it was doing things incorrectly. One small issue that I found, if I switch on the "Use DNS to resolve hosts to realms" option, then the krb5_realm (in sssd.conf) and default_realm (in krb5.conf) are removed and my authentication fails. I'm pretty sure that I have DNS correctly configured (_kerberos IN TXT EXAMPLE.COM). Does the sssd client look for different DNS records for realm discovery? Thanks for your help, Dan _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users