My bad. I probably did a second ipa-client-install without the proper --uninstall before.
I've messed up clients like that before ...
Okay looking at my servers.... DNS records:
_kerberos TXT REALMNAME (eg EXAMPLE.COM)
_kerberos-master._tcp SRV 0 100 88 ipa01
_kerberos-master._udp SRV 0 100 88 ipa01
_kerberos._tcp SRV 0 100 88 ipa01
_kerberos._udp SRV 0 100 88 ipa01
_kpasswd._tcp SRV 0 100 464 ipa01
_kpasswd._udp SRV 0 100 464 ipa01
_ldap._tcp SRV 0 100 389 ipa01
_ntp._udp SRV 0 100 123 ipa01
Those are all the SRV records...
My sssd.conf looks like:
[domain/example.com]
cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = EXAMPLE.COM
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa01.example.com
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example.com

[nss]

[pam]

[sudo]

[autofs]

[ssh]
This has been upgraded over time a bit and so on ... you might want to try out libsss_sudo rather than ldap based sudo in EL6.4 for example (add sudo to services and sss to nsswitch in a sudoers: files sss line for example).
Hope that helps out a bit!
I saw you post on freeipa-users ... they are a good bunch there and will hopefully sort any remaining issues you have.