Re: [Freeipa-users] sssd.conf - the server and host-client relationship
On (22/09/16 08:53), Lachlan Musicman wrote:
>My translations of your comments are in line, if you could correct, I'd
>appreciate that.
>
>On 20 September 2016 at 17:11, Lukas Slebodnik wrote:
>
>> >--
>> >[domain/unixdev.etc]
>> >ignore_group_members = True
>> It was probably set as a result of performance tuning.
>>
>> >ldap_purge_cache_timeout = 0
>> That's default since 1.13.0
>>
>> >subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
>> that's a specific option for sssd on IPA server
>>
>
>I presume your comment suggests ignore_group_members is no longer needed,
>and since the lpct=0 is now default, then subdomain_inherit is also
>superfluous?
>
I have no idea why the option ignore_group_members was set.
My assumption is that you wanted to reduce loading data from IPA/AD
because there were many members in groups and it was slow.

>
>> >selinux_provider = none
>> It was probably set as a workaround of a bug which has already been
>> fixed.
>>
>
>We set this because of an error in libsemanage, but I think that was an
>upstream (selinux) issue?
>https://www.redhat.com/archives/freeipa-users/2016-July/msg00244.html
>
>Not sure if I should disable just yet - was this fixed?
It should be fixed; if not, file a bug.

>>
>> >ipa_server_mode = True
>> that's a specific option for sssd on IPA server
>>
>
>I take it that this means it's still used.
>
yes, but it is used only in sssd which is on IPA server.
>
>> >sudo_provider = ldap
>> >ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
>> >ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
>> >ldap_sasl_mech = GSSAPI
>> >ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
>> >ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
>> >krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au
>> Previous 7 options are not required since sssd-1.10
>>
>
>Yep, I added those because the disconnect between the different info sources
>made it hard to tell what was canonical, so I followed the red hat guide:
>
>https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html
>
>mostly because I didn't quite understand the sssd-sudo man page (because
>sometimes I find man pages obtuse), but also there was an inconsistency
>with the local man page and the die.net mirror
>https://linux.die.net/man/5/sssd-sudo and this howto
>https://blog-rcritten.rhcloud.com/?p=52
>
The best is to check the version of the sssd-sudo man page on the machine.
But as I wrote, "sudo_provider = ldap" is not required for an ipa client since
sssd-1.10, and most current distributions have a newer version of sssd.

LS

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
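The verdicts Lukas gives in this thread (server-only options, options that are now defaults, legacy sudo-over-LDAP options, a workaround for a fixed bug) can be turned into a quick diff check of a server and client sssd.conf pair. This is a constructed helper written for this page, not part of the thread, sssd or FreeIPA; the two sample configs are constructed from the options discussed above, and the option categories are assumptions taken from the replies.

```python
import configparser
SERVER_ONLY = {"ipa_server_mode", "subdomain_inherit", "memcache_timeout"}  # set by ipa-*-install
NOW_DEFAULT = {"ldap_purge_cache_timeout": "0"}                              # default since sssd 1.13.0
LEGACY_SUDO = {"sudo_provider", "ldap_uri", "ldap_sudo_search_base", "ldap_sasl_mech",
               "ldap_sasl_authid", "ldap_sasl_realm", "krb5_server"}         # unneeded since sssd-1.10
BUG_WORKAROUND = {"selinux_provider"}                                        # workaround for a fixed bug

def parse_sssd_conf(text):
    # sssd.conf is INI syntax; keep option names case-sensitive and disable % interpolation
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def classify_differences(server_text, client_text):
    """Map (section, option) -> verdict for each server option the client lacks or sets differently."""
    server, client = parse_sssd_conf(server_text), parse_sssd_conf(client_text)
    verdicts = {}
    for section, opts in server.items():
        for key, value in opts.items():
            client_value = client.get(section, {}).get(key)
            if client_value == value:
                continue
            if client_value is not None:
                verdict = "differs"  # e.g. ipa_server: the client prepends _srv_ for DNS discovery
            elif key in SERVER_ONLY:
                verdict = "server-only, do not copy to clients"
            elif NOW_DEFAULT.get(key) == value:
                verdict = "already the default, redundant"
            elif key in LEGACY_SUDO:
                verdict = "legacy sudo-over-LDAP option, not needed on IPA clients"
            elif key in BUG_WORKAROUND:
                verdict = "workaround for a fixed bug, re-test before removing"
            else:
                verdict = "unexplained, review"
            verdicts[(section, key)] = verdict
    return verdicts
# Constructed sample configs, reduced to the options discussed in the thread.
SERVER_CONF = """[domain/unixdev.etc]
ipa_server = vmdv-linuxidm1.unixdev.petermac.org.au
ipa_server_mode = True
ignore_group_members = True
ldap_purge_cache_timeout = 0
selinux_provider = none
sudo_provider = ldap
[nss]
memcache_timeout = 600
"""
CLIENT_CONF = """[domain/unixdev.etc]
ipa_server = _srv_, vmdv-linuxidm1.unixdev.petermac.org.au
"""
```

Run `classify_differences(open("/etc/sssd/sssd.conf").read(), client_text)` against a copy of a client's file to get the same verdict table for a real pair; anything reported as "unexplained, review" is an option the thread does not account for.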
Re: [Freeipa-users] sssd.conf - the server and host-client relationship
My translations of your comments are in line, if you could correct, I'd
appreciate that.

On 20 September 2016 at 17:11, Lukas Slebodnik wrote:

> >--
> >[domain/unixdev.etc]
> >ignore_group_members = True
> It was probably set as a result of performance tuning.
>
> >ldap_purge_cache_timeout = 0
> That's default since 1.13.0
>
> >subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
> that's a specific option for sssd on IPA server
>

I presume your comment suggests ignore_group_members is no longer needed,
and since the lpct=0 is now default, then subdomain_inherit is also
superfluous?

> >selinux_provider = none
> It was probably set as a workaround of a bug which has already been
> fixed.
>

We set this because of an error in libsemanage, but I think that was an
upstream (selinux) issue?
https://www.redhat.com/archives/freeipa-users/2016-July/msg00244.html

Not sure if I should disable just yet - was this fixed?

>
> >ipa_server_mode = True
> that's a specific option for sssd on IPA server
>

I take it that this means it's still used.
> >sudo_provider = ldap
> >ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
> >ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
> >ldap_sasl_mech = GSSAPI
> >ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
> >ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
> >krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au
> Previous 7 options are not required since sssd-1.10
>

Yep, I added those because the disconnect between the different info sources
made it hard to tell what was canonical, so I followed the red hat guide:

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html

mostly because I didn't quite understand the sssd-sudo man page (because
sometimes I find man pages obtuse), but also there was an inconsistency
with the local man page and the die.net mirror
https://linux.die.net/man/5/sssd-sudo and this howto
https://blog-rcritten.rhcloud.com/?p=52

>
> >[sssd]
> >config_file_version = 2
> >domains = unixdev.etc
> >
> >[nss]
> >memcache_timeout = 600
> This option is set by ipa-*-install on ipa server mode.
>

These I will leave.

Cheers
L.
Re: [Freeipa-users] sssd.conf - the server and host-client relationship
On (20/09/16 15:06), Lachlan Musicman wrote:
>Hola,
>
>What is the relationship between the IPA server, host-clients and the
>sssd.conf?
>
>From what I can tell, sssd.conf is edited/changed by the ipa-client-install
>process on the host-client.
>
>What level of similarity does there need to be between the two sssd.confs?
>
>My server's sssd.conf has a significant number of extra parameters set that
>are not getting put onto the clients.
>
>Debug levels are the most obvious, and understandable, omissions - but some
>others are frustrating.
>
>The (non debug_level) parameters missing are:
>--
>[domain/unixdev.etc]
>ignore_group_members = True
It was probably set as a result of performance tuning.

>ldap_purge_cache_timeout = 0
That's default since 1.13.0

>subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
that's a specific option for sssd on IPA server

>selinux_provider = none
It was probably set as a workaround of a bug which has already been
fixed.

>ipa_server_mode = True
that's a specific option for sssd on IPA server

>sudo_provider = ldap
>ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
>ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
>ldap_sasl_mech = GSSAPI
>ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
>ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
>krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au
Previous 7 options are not required since sssd-1.10

>
>[sssd]
>config_file_version = 2
>domains = unixdev.etc
>
>[nss]
>memcache_timeout = 600
This option is set by ipa-*-install on ipa server mode.

>--
>
>The other diff is that the
>
>host has: ipa_server = vmdv-linuxidm1.unixdev.petermac.org.au
>client has: ipa_server = _srv_, vmdv-linuxidm1.unixdev.petermac.org.au
>
>Which I presume is expected/desired.
>
>And the reason I ask is because we have selinux disabled, and without the
Do you mean disabled or permissive?
BTW freeIPA works well with SELinux in enforcing mode.

>"selinux_provider = none" line, we would get kicked out as soon as freeipa
>had logged us in with message:
>
Disabled SELinux should not affect authentication; but I didn't test that.

>Connection to test_client.unixdev.petermac.org.au closed by remote host.
>
>and on that host-client there was a brand new selinux_child.log that I'd
>never seen before.
>

LS
[Freeipa-users] sssd.conf - the server and host-client relationship
Hola,

What is the relationship between the IPA server, host-clients and the
sssd.conf?

From what I can tell, sssd.conf is edited/changed by the ipa-client-install
process on the host-client.

What level of similarity does there need to be between the two sssd.confs?

My server's sssd.conf has a significant number of extra parameters set that
are not getting put onto the clients.

Debug levels are the most obvious, and understandable, omissions - but some
others are frustrating.

The (non debug_level) parameters missing are:
--
[domain/unixdev.etc]
ignore_group_members = True
ldap_purge_cache_timeout = 0
subdomain_inherit = ignore_group_members, ldap_purge_cache_timeout
selinux_provider = none
ipa_server_mode = True
sudo_provider = ldap
ldap_uri = ldap://vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sudo_search_base = or=sudoers,dc=unixdev,dc=petermac,dc=org,dc=au
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/vmdv-linuxidm1.unixdev.petermac.org.au
ldap_sasl_realm = UNIXDEV.PETERMAC.ORG.AU
krb5_server = vmdv-linuxidm1.unixdev.petermac.org.au

[sssd]
config_file_version = 2
domains = unixdev.etc

[nss]
memcache_timeout = 600
--

The other diff is that the

host has: ipa_server = vmdv-linuxidm1.unixdev.petermac.org.au
client has: ipa_server = _srv_, vmdv-linuxidm1.unixdev.petermac.org.au

Which I presume is expected/desired.

And the reason I ask is because we have selinux disabled, and without the
"selinux_provider = none" line, we would get kicked out as soon as freeipa
had logged us in with message:

Connection to test_client.unixdev.petermac.org.au closed by remote host.

and on that host-client there was a brand new selinux_child.log that I'd
never seen before.

cheers
L.

--
The most dangerous phrase in the language is, "We've always done it this way."
- Grace Hopper