Hi, ipa_domain and ipa_hostname was indeed a config error. Also, using a .local domain caused all manner of problems.
Thanks all for your help!

Andrew

On 21 October 2013 21:03, Jakub Hrozek <[email protected]> wrote:
> On Mon, Oct 21, 2013 at 01:34:17PM -0400, Rob Crittenden wrote:
>> Andrew Holway wrote:
>> >>It is a bit strange that your ipa_domain and ipa_hostname are the same. I
>> >>think the domain should be just local.
>> >>
>> >>I'd run klist -kt /etc/krb5.keytab to see what principals are in there.
>> >
>> >ipa_hostname = 192-168-0-110.local
>> >ipa_server = _srv_, 192-168-0-100.local
>> >
>> >Hi,
>> >
>> >I'm a little confused. They are not the same and these values were
>> >created by the "ipa-client-install" utility.
>> >
>> >I think there is some extra magic needed so that I get sudo
>> >working with ipa...The redhat docs are a little bit lacking for the
>> >less advanced...
>> >
>> >https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Deployment_Guide/sssd-ldap-sudo.html
>>
>> Sure, but first we need to make sssd talk to IPA at all, which it isn't.
>>
>> Like I said, it looks like your sssd configuration is wrong. You can
>> always un-enroll and re-enroll the client in order to reset things.
>>
>> rob
>
> Sorry I didn't notice the sssd keyword until now.
>
> I think Rob is right, ipa_domain and ipa_hostname being the same seems
> wrong. Was this config generated by ipa-client-install at all?
>
> If you put debug_level=6 into the [domain] section of sssd.conf and
> restart the sssd, you'd be able to inspect more verbose debugging in
> /var/log/sssd/*.log
>
> But first I'd try re-enrolling the client as Rob says. You should end up
> with a valid sssd.conf
>
> _______________________________________________
> Freeipa-users mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/freeipa-users
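The checks discussed in this thread, as an added example that is not part of the original messages or of the FreeIPA/SSSD code: a small linter that reads sssd.conf text and reports the conditions raised above (ipa_hostname identical to ipa_domain, a .local domain, no debug_level set for troubleshooting). The function name, finding codes and sample configuration are assumptions constructed for illustration.

```python
import configparser

# Constructed sample: reproduces the situation Rob describes (hostname == domain).
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = 192-168-0-110.local

[domain/192-168-0-110.local]
id_provider = ipa
ipa_domain = 192-168-0-110.local
ipa_hostname = 192-168-0-110.local
ipa_server = _srv_, 192-168-0-100.local
"""


def lint_sssd_conf(text):
    """Return (section, finding_code) tuples for every IPA domain section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue  # only [domain/...] sections carry the ipa_* options
        opts = cp[section]
        if opts.get("id_provider", "").strip() != "ipa":
            continue
        # Normalise case and a trailing dot before comparing DNS names.
        domain = opts.get("ipa_domain", "").strip().lower().rstrip(".")
        host = opts.get("ipa_hostname", "").strip().lower().rstrip(".")
        if domain and host == domain:
            # The condition both Rob and Jakub flag as looking wrong.
            findings.append((section, "hostname_equals_domain"))
        if domain == "local" or domain.endswith(".local"):
            # .local is also used by multicast DNS; the poster reports
            # that it "caused all manner of problems".
            findings.append((section, "dot_local_domain"))
        if "debug_level" not in opts:
            # Hint only: Jakub suggests debug_level=6 for verbose logs
            # in /var/log/sssd/*.log while troubleshooting.
            findings.append((section, "no_debug_level"))
    return findings


if __name__ == "__main__":
    for section, code in lint_sssd_conf(SAMPLE_SSSD_CONF):
        print(f"[{section}] {code}")
```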
