Description of problem:
It is recommended not to use the default Administrator names, so I have changed this user. If I join a new computer to the IdM domain, I specify this new name as "User authorized to enroll computers" along with its password. The join works, but always with an error message: "Unable to reliably detect configuration. Check NSS setup manually." It will also call hardcode_ldap_server(), which is not necessary because the test is wrong. So please use principal instead of "admin@%s" in /sbin/ipa-client-install line 2991 if principal is set, or find another way to test without hardcoded user names.

Version-Release number of selected component (if applicable):
ipa-client-4.2.0-15.el7_2.17.x86_64

Agreed, if a principal is provided for binding then that user should be used in the getent call. This is just a sanity check to ensure that sssd is up and running and can identify users. The admin user is the only one created by IPA by default which is why it is currently hardcoded. In any case this isn't considered a hard failure which is why the installation continues.

Upstream: https://fedorahosted.org/freeipa/ticket/5406
Existing bz: bug 1274488

This may be fixed upstream in 4.5 development but no guarantees.

*** This bug has been marked as a duplicate of bug 1274488 ***