> > > My bad. I probably did a second ipa-client-install without the proper
> > > --uninstall before.

I've messed up clients like that before ...

Okay, looking at my servers ... DNS records:

    _kerberos               TXT  REALMNAME (e.g. EXAMPLE.COM)
    _kerberos-master._tcp   SRV  0 100 88   ipa01
    _kerberos-master._udp   SRV  0 100 88   ipa01
    _kerberos._tcp          SRV  0 100 88   ipa01
    _kerberos._udp          SRV  0 100 88   ipa01
    _kpasswd._tcp           SRV  0 100 464  ipa01
    _kpasswd._udp           SRV  0 100 464  ipa01
    _ldap._tcp              SRV  0 100 389  ipa01
    _ntp._udp               SRV  0 100 123  ipa01

Those are all the SRV records ...

My sssd.conf looks like:

    [domain/example.com]
    cache_credentials = True
    krb5_store_password_if_offline = True
    krb5_realm = EXAMPLE.COM
    ipa_domain = example.com
    id_provider = ipa
    auth_provider = ipa
    access_provider = ipa
    chpass_provider = ipa
    ipa_dyndns_update = True
    ipa_server = _srv_, ipa01.example.com
    ldap_tls_cacert = /etc/ipa/ca.crt

    [sssd]
    services = nss, pam, ssh
    config_file_version = 2
    domains = example.com

    [nss]

    [pam]

    [sudo]

    [autofs]

    [ssh]

This has been upgraded over time a bit and so on ... you might want to try out libsss_sudo rather than LDAP-based sudo in EL6.4, for example (add sudo to services and sss to nsswitch in a "sudoers: files sss" line, for example).

Hope that helps out a bit! I saw you post on freeipa-users ... they are a good bunch there and will hopefully sort any remaining issues you have.
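An added example, not part of the original message: a small Python check for the two changes the libsss_sudo hint above calls for (sudo in the [sssd] services list, sss on the sudoers line of nsswitch.conf). The function name and the sample file contents are constructed for illustration; the sssd.conf text is an abridged copy of the one posted above.

```python
import configparser

# Constructed inputs: an abridged copy of the sssd.conf posted above, and a
# typical nsswitch.conf fragment (assumption: it has no sudoers line yet).
SSSD_AS_POSTED = """\
[domain/example.com]
id_provider = ipa
ipa_server = _srv_, ipa01.example.com
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example.com
[sudo]
"""
NSSWITCH_BEFORE = "passwd: files sss\ngroup: files sss\n"

# The same two files after applying the suggestion from the message.
SSSD_WITH_SUDO = SSSD_AS_POSTED.replace("nss, pam, ssh", "nss, pam, ssh, sudo")
NSSWITCH_AFTER = NSSWITCH_BEFORE + "sudoers: files sss  # local file, then SSSD\n"


def sudo_via_sssd_issues(sssd_conf, nsswitch_conf):
    """Return the reasons sudo would not get rules from SSSD (empty list = OK)."""
    issues = []
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(sssd_conf)

    services = [s.strip() for s in cfg.get("sssd", "services", fallback="").split(",")]
    if "sudo" not in services:
        issues.append("sssd.conf: 'sudo' is not in [sssd] services")

    # Every domain SSSD is told to start needs its own [domain/NAME] section.
    for dom in cfg.get("sssd", "domains", fallback="").split(","):
        if dom.strip() and not cfg.has_section("domain/" + dom.strip()):
            issues.append("sssd.conf: no [domain/%s] section" % dom.strip())

    sources = None
    for line in nsswitch_conf.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if line.startswith("sudoers:"):
            sources = line.split(":", 1)[1].split()
    if sources is None:
        issues.append("nsswitch.conf: no 'sudoers:' line")
    elif "sss" not in sources:
        issues.append("nsswitch.conf: 'sss' is not a sudoers source")
    return issues


if __name__ == "__main__":
    print("as posted ->", sudo_via_sssd_issues(SSSD_AS_POSTED, NSSWITCH_BEFORE))
    print("with sudo ->", sudo_via_sssd_issues(SSSD_WITH_SUDO, NSSWITCH_AFTER) or "OK")
```

On a real client, pass in the contents of /etc/sssd/sssd.conf and /etc/nsswitch.conf instead of the sample strings.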