[Authentication] realmd erroneously reports "already joined" if /etc/sssd/sssd.conf is pre-present.

Niklas Andersson niklas.andersson at openforce.se
Thu Nov 19 04:19:41 PST 2015


Hi Stef,

  Well, yes. At least the join started when I commented out the #domains, but then I got this error during the join:

  ! Failed to enroll machine in realm: Already have domain openforce.org in sssd.conf config file.

  Being able to not start sssd by default (as an option perhaps) would 
solve the problem, because that would give the admin some time to 
customize sssd.conf before the service is started.

Regards,
Niklas




On 19/11/15 13:09, Stef Walter wrote:
> On 19.11.2015 13:06, Stephen Gallagher wrote:
>>
>>> On Nov 19, 2015, at 7:01 AM, Stef Walter <stefw at gnome.org> wrote:
>>>
>>>> On 19.11.2015 12:51, Niklas Andersson wrote:
>>>> Well,
>>>>
>>>> I want to add support for sudo in ldap for example, and
>>>> ignore_group_members, set some pam stuff. Paste the sssd.conf
>>>> here below.
>>> When asked to configure sssd (the default) realmd uses sssd.conf as
>>> the authoritative source of 'which domains am I joined to?'
>>> information.
>>>
>>> I wonder if there's a present-but-disabled setting in sssd.conf
>>> that could be useful in this case?
>>>
>> The domains= line in the [SSSD] section is the authoritative list of
>> enabled domains. All other domain sections are ignored.
> Niklas, does it work to include the new appropriately named section, but
> leave the domain name out of the domains= line? Will realmd then update
> the domains line, and further populate the [openforce.org] section?
>
> Stef
>
>>> Stef
>>>
>>>> [sssd]
>>>> domains = openforce.org
>>>> config_file_version = 2
>>>> services = nss, pam, ssh, sudo
>>>>
>>>> [ssh]
>>>>
>>>> [sudo]
>>>>
>>>> [pam]
>>>> offline_credentials_expiration = 60
>>>> pam_pwd_expiration_warning = 14
>>>>
>>>> [nss]
>>>>
>>>> [domain/openforce.org]
>>>> id_provider = ad
>>>> sudo_provider = ldap
>>>> ignore_group_members = true
>>>> dyndns_update = false
>>>> use_fully_qualified_names = False
>>>> lookup_family_order = ipv4_only
>>>> cache_credentials = True
>>>> fallback_homedir = /home/%u
>>>> create_homedir = True
>>>> override_shell = /bin/bash
>>>> #
>>>> # Sudo
>>>> #
>>>> ldap_uri = ldap://srv11.openforce.org
>>>> ldap_sudo_search_base = ou=SUDOers,dc=openforce,dc=org
>>>> ldap_default_bind_dn = cn=admin,dc=openforce,dc=org
>>>> ldap_default_authtok = secret
>>>>
>>>> Regards, Niklas
>>>>
>>>>> On 19/11/15 12:47, Stephen Gallagher wrote:
>>>>>
>>>>>> On Nov 19, 2015, at 6:35 AM, Niklas Andersson
>>>>>> <niklas.andersson at openforce.se> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I just ran into an oddity with realmd. It seems that if there
>>>>>> already is a preconfigured /etc/sssd/sssd.conf present, realm
>>>>>> will erroneously report that the client is already joined to
>>>>>> a domain.
>>>>>>
>>>>>> The thing is that I want to tweak the sssd.conf for our
>>>>>> domain before sssd is started, and it seems like I can't do
>>>>>> that because:
>>>>>>
>>>>>> a) If I pre-configure /etc/sssd/sssd.conf, realm won't join.
>>>>>>
>>>>>> b) If I don't pre-configure, realm automatically generates a
>>>>>> default /etc/sssd/sssd.conf and starts the service right
>>>>>> after that.
>>>>>>
>>>>>> Is there some way I can fix this nicely?
>>>>>>
>>>>> Could you specify what tweaks in particular that you are trying
>>>>> to apply?
>>> _______________________________________________ Authentication
>>> mailing list Authentication at lists.freedesktop.org
>>> http://lists.freedesktop.org/mailman/listinfo/authentication



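The thread turns on two facts: realmd reads sssd.conf to decide which domains the machine is joined to, and sssd itself only enables the domains named on the domains= line. The following Python check is an added example, not code from this thread or from realmd or sssd; it lists which domain sections are enabled, which are present but not enabled (the state in which Niklas reports the "Already have domain" error), and which carry a cleartext ldap_default_authtok. The function name audit_sssd_conf and the sample text are assumptions made for the example.

```python
import configparser

# Constructed sample, modelled on the sssd.conf quoted in this thread, with
# the domain left out of the domains= line as Stef suggests trying.
SAMPLE = """\
[sssd]
domains =
config_file_version = 2
services = nss, pam, ssh, sudo

[domain/openforce.org]
id_provider = ad
sudo_provider = ldap
fallback_homedir = /home/%u
ldap_default_authtok = secret
"""

PREFIX = "domain/"


def audit_sssd_conf(text):
    """Compare the domains= line with the [domain/...] sections present."""
    # interpolation=None: values such as /home/%u must be read literally,
    # not as configparser interpolation syntax.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    raw = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]
    defined = [s[len(PREFIX):] for s in cp.sections() if s.startswith(PREFIX)]
    with_authtok = [
        d for d in defined
        if cp.has_option(PREFIX + d, "ldap_default_authtok")
    ]
    return {
        "enabled": enabled,
        "disabled": [d for d in defined if d not in enabled],
        "missing_section": [d for d in enabled if d not in defined],
        "cleartext_authtok": with_authtok,
    }


if __name__ == "__main__":
    import sys
    # Pass a path to audit a real file; with no argument the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for key, value in audit_sssd_conf(text).items():
        print(f"{key}: {value}")
```

Run before `realm join`, a non-empty "disabled" list shows a pre-present section for a domain that sssd would not enable.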