Fresh ScientificLinux 7.0 install. Initial authconfig is:
authconfig --enablemd5 --enableshadow --disablefingerprint --enableldap --enableldapauth --ldapserver=server1,server2 --ldapbasedn=dc=domain,dc=com --enableldaptls --ldaploadcacert=http://url/ --disablefingerprint
with an extra:
/usr/sbin/authconfig --update --nostart --ldaploadcacert=http://url/
Initial /etc/krb5.conf after main part of ipa-server-install looks good, but when ipa-server-install runs ipa-client-install, which runs:
2015-01-21T20:32:38Z DEBUG args=/usr/sbin/authconfig --enablesssdauth --update --enablesssd
that seems to trash /etc/krb5.conf so that it has entries like:
[libdefaults]
 default_realm = #

[realms]
 # = {
  kdc = server.com:88
  admin_server = server.com:749
 }

[domain_realm]
 # = #
 .# = #
If I restore /etc/krb5.conf and re-run the above authconfig line, the same bad krb5.conf file is created. Not sure if this is an IPA or authconfig issue.
ipa-server-3.3.3-28.el7_0.3.x86_64
authconfig-6.2.8-8.el7.x86_64
/etc/sssd/sssd.conf:
[domain/default]
autofs_provider = ldap
cache_credentials = True
krb5_realm = #

Not sure where the krb5_realm line is coming from.
I think authconfig is the culprit for putting the initial krb5_realm = # in /etc/sssd/sssd.conf: https://bugzilla.redhat.com/show_bug.cgi?id=1184639
Looks like an authconfig issue, given that it generates sssd.conf. Can you please also post the full ipa-client-install line with all parameters you use?
ipa-client-install
I see the authconfig Bugzilla was acknowledged. I also asked what the implications for IPA are: https://bugzilla.redhat.com/show_bug.cgi?id=1184639#c4
authconfig
If no change is required, I will close this bug.
I did not see any indication that a fix in FreeIPA itself should be needed. So I am closing this bug as the problem is being tracked in authconfig Bugzilla.
Please feel free to reopen if any fix is needed on the FreeIPA side.
Metadata Update from @orion: - Issue assigned to someone - Issue set to the milestone: 0.0 NEEDS_TRIAGE
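A check for the symptom reported in this ticket, added here as an example (it is not code from the ticket, FreeIPA or authconfig): it flags realm fields in krb5.conf or sssd.conf that were written as the bare "#" placeholder. The function name and the sample text, constructed from the listing quoted in the ticket, are assumptions.

```python
import re
import sys

# Constructed sample: the broken krb5.conf layout quoted in the ticket above.
BROKEN_KRB5 = """[libdefaults]
 default_realm = #

[realms]
 # = {
  kdc = server.com:88
  admin_server = server.com:749
 }

[domain_realm]
 # = #
 .# = #
"""

def find_placeholder_realms(text):
    """Return (line_no, section, key) for each realm field left as '#'.

    The broken entries start with '#', so a parser that skips comment
    lines would miss them; here every 'key = value' line is inspected.
    """
    findings, section = [], None
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1)
            continue
        if "=" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if key in ("#", ".#"):
            # '#' where a realm or domain name should be ([realms], [domain_realm])
            findings.append((line_no, section, key))
        elif key in ("default_realm", "krb5_realm") and value == "#":
            # krb5.conf [libdefaults] or sssd.conf [domain/...] realm left unset
            findings.append((line_no, section, key))
    return findings

if __name__ == "__main__":
    # Usage: python3 check_realms.py /etc/krb5.conf /etc/sssd/sssd.conf
    for path in sys.argv[1:]:
        with open(path) as handle:
            for line_no, section, key in find_placeholder_realms(handle.read()):
                print(f"{path}:{line_no}: [{section}] {key} is the '#' placeholder")
```

Running it after any authconfig --update call shows whether the files were rewritten with empty realm values before SSSD or Kerberos clients are restarted against them.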