Hola, What is the relationship between the IPA server, host-clients and the sssd.conf?
From what I can tell, sssd.conf is edited/changed by the ipa-client-install process on the host-client. What level of similarity does there need to be between the two sssd.confs?

My server's sssd.conf has a significant number of extra parameters set that are not getting put onto the clients. Debug levels are the most obvious, and understandable, omissions - but some others are frustrating.

The (non debug_level) parameters missing are:

----------------------
[domain/unixdev.etc]
ignore_group_members = True
ldap_purge_cache_timeout = 0
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
selinux_provider = none
ipa_server_mode = True
sudo_provider = ldap
ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au

[sssd]
config_file_version = 2
domains = unixdev.etc

[nss]
memcache_timeout = 600
----------------------

The other diff is that the host has:

ipa_server = vmdv-linuxidm1.unixdev.petermac.org.au

client has:

ipa_server = _srv_, vmdv-linuxidm1.unixdev.petermac.org.au

Which I presume is expected/desired.

And the reason I ask is because we have selinux disabled, and without the "selinux_provider = none" line, we would get kicked out as soon as freeipa had logged us in with message:

Connection to test_client.unixdev.petermac.org.au closed by remote host.

and on that host-client there was a brand new selinux_child.log that I'd never seen before.

cheers
L.

------
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper
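Added example, not part of the original post: one way to produce the server-versus-client comparison described above, ignoring debug_level. The server sample reuses a few parameters quoted in the post; the client sample, the debug_level value and the names load and diff_conf are constructed for illustration.

```python
import configparser

# Constructed sample inputs. In practice, read /etc/sssd/sssd.conf from
# the IPA server and from an enrolled client instead.
SERVER_CONF = """\
[domain/unixdev.etc]
debug_level = 6
ipa_server = vmdv-linuxidm1.unixdev.petermac.org.au
ipa_server_mode = True
selinux_provider = none
sudo_provider = ldap
[sssd]
config_file_version = 2
domains = unixdev.etc
[nss]
memcache_timeout = 600
"""

CLIENT_CONF = """\
[domain/unixdev.etc]
ipa_server = _srv_, vmdv-linuxidm1.unixdev.petermac.org.au
[sssd]
config_file_version = 2
domains = unixdev.etc
"""

def load(text):
    """Parse sssd.conf text into {section: {option: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def diff_conf(server, client, ignore=("debug_level",)):
    """Return (missing, changed): options only on the server, and options whose values differ."""
    missing, changed = [], []
    for section, opts in server.items():
        other = client.get(section, {})
        for key, value in opts.items():
            if key in ignore:
                continue
            if key not in other:
                missing.append((section, key, value))
            elif other[key] != value:
                changed.append((section, key, value, other[key]))
    return missing, changed

if __name__ == "__main__":
    for label, rows in zip(("missing", "changed"), diff_conf(load(SERVER_CONF), load(CLIENT_CONF))):
        print(label, *rows, sep="\n  ")
```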