[CentOS] IPA Client Install

Fri Jun 14 08:01:04 UTC 2013
James Hogarth <james.hogarth at gmail.com>

>
>
> My bad.  I probably did a second ipa-clien-install without the proper
> --unistall before.
>
>
>
I've messed up clients like that before ...

Okay looking at my servers.... DNS records:

_kerberos TXT REALMNAME (eg EXAMPLE.COM)
_kerberos-master._tcp SRV 0 100 88 ipa01
_kerberos-master._udp SRV 0 100 88 ipa01
_kerberos._tcp SRV 0 100 88 ipa01
_kerberos._udp SRV 0 100 88 ipa01
_kpasswd._tcp SRV 0 100 464 ipa01
_kpasswd._udp SRV 0 100 464 ipa01
_ldap._tcp SRV 0 100 389 ipa01
_ntp._udp SRV 0 100 123 ipa01

Those are all the SRV records...

My sssd.conf looks like:

[domain/example.com]

cache_credentials = True
krb5_store_password_if_offline = True
krb5_realm = EXAMPLE.COM
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_dyndns_update = True
ipa_server = _srv_, ipa01.example.com
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, pam, ssh
config_file_version = 2

domains = example.com
[nss]

[pam]

[sudo]

[autofs]

[ssh]


This has been upgraded over time a bit and so on ... you might want to try
out libsss_sudo rather than ldap based sudo in EL6.4 for example (add sudo
to services and sss to nsswitch in a sudoers: files sss line for example).

Hope that helps out a bit!

I saw you post on freeipa-users ... they are a good bunch there and will
hopefully sort any remaining issues you have.