[Authentication] realmd erroneously reports "already joined" if /etc/sssd/sssd.conf is pre-present.

Stef Walter stefw at gnome.org
Thu Nov 19 03:53:25 PST 2015


On 19.11.2015 12:51, Niklas Andersson wrote:
> Well,
> 
>  I want to add support for sudo in ldap for example, and
> ignore_group_members, set some pam stuff. Paste the sssd.conf here below.

When asked to configure sssd (the default) realmd uses sssd.conf as the
authoritative source of 'which domains am I joined to?' information.

I wonder if there's a present-but-disabled setting in sssd.conf that
could be useful in this case?

Stef

> [sssd]
> domains = openforce.org
> config_file_version = 2
> services = nss, pam, ssh, sudo
> 
> [ssh]
> 
> [sudo]
> 
> [pam]
> offline_credentials_expiration = 60
> pam_pwd_expiration_warning = 14
> 
> [nss]
> 
> [domain/openforce.org]
> id_provider = ad
> sudo_provider = ldap
> ignore_group_members = true
> dyndns_update = false
> use_fully_qualified_names = False
> lookup_family_order = ipv4_only
> cache_credentials = True
> fallback_homedir = /home/%u
> create_homedir = True
> override_shell = /bin/bash
> #
> # Sudo
> #
> ldap_uri = ldap://srv11.openforce.org
> ldap_sudo_search_base = ou=SUDOers,dc=openforce,dc=org
> ldap_default_bind_dn = cn=admin,dc=openforce,dc=org
> ldap_default_authtok = secret
> 
> Regards,
> Niklas
> 
> On 19/11/15 12:47, Stephen Gallagher wrote:
>>
>>> On Nov 19, 2015, at 6:35 AM, Niklas Andersson
>>> <niklas.andersson at openforce.se> wrote:
>>>
>>> Hi,
>>>
>>> I just ran into an oddity with realmd. It seems that if there already
>>> is a preconfigured /etc/sssd/sssd.conf present, realm will
>>> erroneously report that the client is already joined to a domain.
>>>
>>> The thing is that I want to tweak the sssd.conf for our domain before
>>> sssd is started, and it seems like I can't do that because:
>>>
>>> a) If I pre-configure /etc/sssd/sssd.conf, realm won't join.
>>>
>>> b) If I don't pre-configure, realm automatically generates a default
>>> /etc/sssd/sssd.conf and starts the service right after that.
>>>
>>> Is there some way I can fix this nicely?
>>>
>> Could you specify what tweaks in particular that you are trying to apply?
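
An added example, not part of the thread and not realmd's own code: a pre-flight check for a pre-seeded sssd.conf that lists which domains the file declares and flags a cleartext LDAP bind password. It assumes "joined" is read from the `domains` line in `[sssd]` and the `[domain/...]` sections; the function names and the trimmed sample are constructed here.

```python
import configparser

# Constructed sample, trimmed from the sssd.conf quoted in the thread.
SAMPLE = """\
[sssd]
domains = openforce.org
config_file_version = 2
services = nss, pam, ssh, sudo

[domain/openforce.org]
id_provider = ad
sudo_provider = ldap
fallback_homedir = /home/%u
ldap_default_bind_dn = cn=admin,dc=openforce,dc=org
ldap_default_authtok = secret
"""

def load(text):
    # interpolation=None: values such as /home/%u are literal, not
    # configparser %-interpolation. Only "=" separates key from value.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.read_string(text)
    return cp

def declared_domains(cp):
    """Return (enabled, defined_only): domains named on the [sssd] domains
    line, and [domain/...] sections present but not enabled there."""
    raw = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]
    defined = [s[len("domain/"):] for s in cp.sections()
               if s.startswith("domain/")]
    return enabled, [d for d in defined if d not in enabled]

def cleartext_secrets(cp):
    """List (section, key) pairs that hold a bind password in the clear."""
    hits = []
    for s in cp.sections():
        if cp.has_option(s, "ldap_default_authtok"):
            kind = cp.get(s, "ldap_default_authtok_type", fallback="password")
            if kind == "password":
                hits.append((s, "ldap_default_authtok"))
    return hits

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    cp = load(text)
    enabled, defined_only = declared_domains(cp)
    print("enabled domains:", enabled)
    print("defined but not enabled:", defined_only)
    print("cleartext secrets:", cleartext_secrets(cp))
```

Run it with the path to the candidate file as the first argument before handing that file to `realm join`; with no argument it checks the embedded sample.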


