[Authentication] realmd erroneously reports "already joined" if /etc/sssd/sssd.conf is pre-present.

Stephen Gallagher sgallagh at redhat.com
Thu Nov 19 04:06:25 PST 2015



> On Nov 19, 2015, at 7:01 AM, Stef Walter <stefw at gnome.org> wrote:
> 
>> On 19.11.2015 12:51, Niklas Andersson wrote:
>> Well,
>> 
>> I want to add support for sudo in ldap for example, and
>> ignore_group_members, set some pam stuff. Paste the sssd.conf here below.
> 
> When asked to configure sssd (the default) realmd uses sssd.conf as the
> authoritative source of 'which domains am I joined to?' information.
> 
> I wonder if there's a present-but-disabled setting in sssd.conf that
> could be useful in this case?
> 

The domains= line in the [SSSD] section is the authoritative list of enabled domains. All other domain sections are ignored.



> Stef
> 
>> [sssd]
>> domains = openforce.org
>> config_file_version = 2
>> services = nss, pam, ssh, sudo
>> 
>> [ssh]
>> 
>> [sudo]
>> 
>> [pam]
>> offline_credentials_expiration = 60
>> pam_pwd_expiration_warning = 14
>> 
>> [nss]
>> 
>> [domain/openforce.org]
>> id_provider = ad
>> sudo_provider = ldap
>> ignore_group_members = true
>> dyndns_update = false
>> use_fully_qualified_names = False
>> lookup_family_order = ipv4_only
>> cache_credentials = True
>> fallback_homedir = /home/%u
>> create_homedir = True
>> override_shell = /bin/bash
>> #
>> # Sudo
>> #
>> ldap_uri = ldap://srv11.openforce.org
>> ldap_sudo_search_base = ou=SUDOers,dc=openforce,dc=org
>> ldap_default_bind_dn = cn=admin,dc=openforce,dc=org
>> ldap_default_authtok = secret
>> 
>> Regards,
>> Niklas
>> 
>>> On 19/11/15 12:47, Stephen Gallagher wrote:
>>> 
>>>> On Nov 19, 2015, at 6:35 AM, Niklas Andersson
>>>> <niklas.andersson at openforce.se> wrote:
>>>> 
>>>> Hi,
>>>> 
>>>> I just ran into an oddity with realmd. It seems that if there already
>>>> is a preconfigured /etc/sssd/sssd.conf present, realm will
>>>> erroneously report that the client is already joined to a domain.
>>>> 
>>>> The thing is that I want to tweak the sssd.conf for our domain before
>>>> sssd is started, and it seems like I can't do that because:
>>>> 
>>>> a) If I pre-configure /etc/sssd/sssd.conf, realm won't join.
>>>> 
>>>> b) If I don't pre-configure, realm automatically generates a default
>>>> /etc/sssd/sssd.conf and starts the service right after that.
>>>> 
>>>> Is there some way I can fix this nicely?
>>>> 
>>> Could you specify what tweaks in particular that you are trying to apply?
> 


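Added example, not part of the original thread and not realmd or SSSD code: a small Python check that applies the rule from the reply above, reading the `domains =` line of `[sssd]` as the list of enabled domains and reporting `[domain/...]` sections that are present but not listed. The function name `audit_domains`, the `staging.example` domain and exact-string matching of domain names are assumptions made for this example.

```python
import configparser

# Constructed sample: two domain sections are defined, one is listed in domains=.
SAMPLE_CONF = """\
[sssd]
domains = openforce.org
config_file_version = 2
services = nss, pam, ssh, sudo

[domain/openforce.org]
id_provider = ad
fallback_homedir = /home/%u

[domain/staging.example]
id_provider = ldap
"""

def audit_domains(conf_text):
    """Classify domains in an sssd.conf-style text (hypothetical helper).

    Returns a dict with:
      enabled   - names listed on the domains= line of [sssd]
      ignored   - [domain/NAME] sections that are not listed (present but disabled)
      undefined - listed names that have no [domain/NAME] section
    """
    # interpolation=None so values such as /home/%u are read literally.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)

    raw = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]

    prefix = "domain/"
    defined = [s[len(prefix):] for s in cp.sections() if s.startswith(prefix)]

    return {
        "enabled": enabled,
        "ignored": [d for d in defined if d not in enabled],
        "undefined": [d for d in enabled if d not in defined],
    }

if __name__ == "__main__":
    for kind, names in audit_domains(SAMPLE_CONF).items():
        print(f"{kind}: {', '.join(names) or '-'}")
```

Running it against a pre-seeded file before a join shows whether any domain is listed on the `domains =` line or whether the file only carries domain sections that are not listed.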