The SSSD puts the domain-realm mappings discovered for sub domains into /var/lib/sss/pubconf/krb5.include.d/. ipa-client-install must make sure that the directory is included. Upgrades could be handled in %post until there is a proper ipa-client-upgrade
/var/lib/sss/pubconf/krb5.include.d/
Jakub is currently working on this issue and has already provided a patch (waiting fir a revision after first review).
FreeIPA 3.0.0 GA has been released, moving the ticket to 3.0 bugfixing release.
This is blocked by a slew of SELinux errors on an IPA server when the include dir is set, https://bugzilla.redhat.com/show_bug.cgi?id=873429
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=883166
master:[[br]] e05a720[[br]] a35d4dc[[br]] b64dc93[[br]] daa22d4[[br]]
ipa-3-0:[[br]] 30b0353[[br]] d2f1a6c[[br]] 99cdc88[[br]] c0130a1[[br]]
Additional fix for ipa-replica-conncheck and ipa-adtrust-install:
master: d73dd4b[[BR]] ipa-3-1: 6d38cc5
Additional fix for krb5.conf template:
master: e2120c3[[BR]] ipa-3-1: f15ff7e[[BR]] ipa-3-0: b58ee91
Metadata Update from @jhrozek: - Issue assigned to jhrozek - Issue set to the milestone: FreeIPA 3.0.2
Login to comment on this ticket.