Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1114006
Description of problem:
When ipa-client is already installed, legacy clients opting to use sssd or nss-pam-ldapd need minor settings for it to function for trusted users. I didn't find any changes to be made when nss_ldap is used.

# For sssd the last line of the script should restart sssd service
[root@hp-ms-01-c40 ~]# ipa-advise config-redhat-sssd-before-1-9 | tail -1
service sssd start

# For nss-pam-ldapd authconfig script should run with these options included --disablesssdauth --disablesssd --enableforcelegacy
[root@hp-ms-01-c40 ~]# ipa-advise config-redhat-nss-pam-ldapd | tail -2
authconfig --updateall --enableldap --enableldapauth --ldapserver=ldap://hp-ms-01-c40.steeve06171722.test --ldapbasedn=cn=compat,dc=steeve06171722,dc=test

The above changes can be made to the existing output of ipa-advise. I don't think it would cause a problem in case where ipa-client is not installed. Or is there a better way for the advise script to detect ipa-client installation and configure the client for trusted users?

Version-Release number of selected component (if applicable):
ipa-server-3.3.3-28.el7.x86_64

How reproducible:

Steps to Reproduce:
[root@ibm-x3650m4-02-vm-02 ~]# ipa-client-install
Discovery was successful!
Hostname: ibm-x3650m4-02.steeve06171722.test
Realm: STEEVE06171722.TEST
DNS Domain: steeve06171722.test
IPA Server: hp-ms-01-c40.steeve06171722.test
BaseDN: dc=steeve06171722,dc=test

Continue to configure the system with these values? [no]: yes
User authorized to enroll computers: admin
Synchronizing time with KDC...
Unable to sync time with IPA NTP server, assuming the time is in sync.
Password for admin@STEEVE06171722.TEST:
Enrolled in IPA realm STEEVE06171722.TEST
Created /etc/ipa/default.conf
New SSSD config will be created.
Configured /etc/sssd/sssd.conf
Configured /etc/krb5.conf for IPA realm STEEVE06171722.TEST
Warning: Hostname (ibm-x3650m4-02.steeve06171722.test) not found in DNS
DNS server record set to: ibm-x3650m4-02.steeve06171722.test -> 10.16.40.239
SSSD enabled
NTP enabled
Client configuration complete.

[root@ibm-x3650m4-02-vm-02 ~]# getent passwd admin
admin:*:1945600000:1945600000:Administrator:/home/admin:/bin/bash
[root@ibm-x3650m4-02-vm-02 ~]# vim advise.sh
[root@ibm-x3650m4-02-vm-02 ~]# bash -x advise.sh
+ yum install -y sssd authconfig wget openssl
Loaded plugins: product-id, security, subscription-manager
Updating certificate-based repositories.
Unable to read consumer identity
Setting up Install Process
Package sssd-1.8.0-32.el6.x86_64 already installed and latest version
Package authconfig-6.1.12-10.el6.x86_64 already installed and latest version
Package wget-1.12-1.4.el6.x86_64 already installed and latest version
Package openssl-1.0.0-20.el6_2.5.x86_64 already installed and latest version
Nothing to do
+ mkdir -p -m 755 /etc/openldap/cacerts
+ wget http://hp-ms-01-c40.steeve06171722.test/ipa/config/ca.crt -O /etc/openldap/cacerts/ipa.crt
--2014-06-23 12:24:24--  http://hp-ms-01-c40.steeve06171722.test/ipa/config/ca.crt
Resolving hp-ms-01-c40.steeve06171722.test... 10.12.27.40
Connecting to hp-ms-01-c40.steeve06171722.test|10.12.27.40|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2660 (2.6K) [application/x-x509-ca-cert]
Saving to: “/etc/openldap/cacerts/ipa.crt”

100%[======================================>] 2,660       --.-K/s   in 0s

2014-06-23 12:24:24 (124 MB/s) - “/etc/openldap/cacerts/ipa.crt” saved [2660/2660]

+ command -v cacertdir_rehash
/usr/sbin/cacertdir_rehash
+ '[' 0 -ne 0 ']'
+ cacertdir_rehash /etc/openldap/cacerts/
+ authconfig --updateall --enablesssd --enablesssdauth
[  OK  ]
sssd: [  OK  ]
+ cat
+ chmod 0600 /etc/sssd/sssd.conf
+ service sssd start
[root@ibm-x3650m4-02-vm-02 ~]# getent passwd admin
admin:*:1945600000:1945600000:Administrator:/home/admin:/bin/bash
[root@ibm-x3650m4-02-vm-02 ~]# getent passwd aduser1@adtest.qe
[root@ibm-x3650m4-02-vm-02 ~]# getent passwd aduser1@adtest.qe
[root@ibm-x3650m4-02-vm-02 ~]# service sssd stop ; rm -f /var/lib/sss/db/*
Stopping sssd: [  OK  ]
[root@ibm-x3650m4-02-vm-02 ~]# service sssd start
[  OK  ]
sssd: [  OK  ]
[root@ibm-x3650m4-02-vm-02 ~]# getent passwd aduser1@adtest.qe
aduser1@adtest.qe:*:1148401313:1148401313:ads user:/home/adtest.qe/aduser1:

Actual results:
Unable to getent adusers and groups on legacy ipa-clients using sssd or nss-pam-ldapd

Expected results:
Should be able to getent adusers and groups after advise.sh is executed

Additional info:
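The reporter asks how an advise script could detect an existing ipa-client enrollment and adapt the two last steps (restart sssd instead of starting it; add the legacy flags to the nss-pam-ldapd authconfig call). Added example, not code from the ticket or from FreeIPA's ipa-advise: it assumes enrollment can be detected by the presence of /etc/ipa/default.conf (the file ipa-client-install creates in the transcript above), and takes the directory as a parameter so the helpers can be exercised without touching the real system. The helper and function names are hypothetical.

```shell
#!/bin/sh
# Added example (not the ticket's or ipa-advise's code). Assumption: an
# enrolled ipa-client is recognised by /etc/ipa/default.conf existing.

# Exit 0 when the host looks like an enrolled ipa-client.
# $1: directory holding default.conf (defaults to /etc/ipa).
ipa_client_enrolled() {
    conf_dir="${1:-/etc/ipa}"
    [ -f "$conf_dir/default.conf" ]
}

# Print the service action for the sssd variant: "restart" when ipa-client
# already runs sssd with its own config, "start" otherwise.
sssd_action() {
    if ipa_client_enrolled "$1"; then echo restart; else echo start; fi
}

# Print the authconfig command for the nss-pam-ldapd variant. On an enrolled
# client, add the flags from the ticket so authconfig stops routing NSS/PAM
# through sssd and forces the legacy ldap stack.
# $1: ldap URI, $2: base DN, $3: optional config dir (see ipa_client_enrolled).
nss_pam_ldapd_authconfig_cmd() {
    ldap_uri="$1"; base_dn="$2"; conf_dir="$3"
    cmd="authconfig --updateall --enableldap --enableldapauth"
    if ipa_client_enrolled "$conf_dir"; then
        cmd="$cmd --disablesssdauth --disablesssd --enableforcelegacy"
    fi
    echo "$cmd --ldapserver=$ldap_uri --ldapbasedn=$base_dn"
}

# Stand-alone demo against the real /etc/ipa: prints the commands an advise
# script would emit for this host, runs nothing.
echo "service sssd $(sssd_action)"
nss_pam_ldapd_authconfig_cmd ldap://hp-ms-01-c40.steeve06171722.test cn=compat,dc=steeve06171722,dc=test
```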
Triage discussion:
We will start documenting the use cases when ipa-advise advises are used (Dmitri). This would help us identify any missing updates in the code.
Turning into Documentation ticket and moving out.
Metadata Update from @mkosek:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA Documentation