On Thu, Jul 27, 2017 at 02:15:33AM +0000, Michael Papet via FreeIPA-users wrote:
> >If the _srv_ is enabled then am i correct in assuming that we wouldn't even
> >need kdc= records in krb5.conf ??
>
> I tried removing kdc= lines and was unable to authenticate.
> In my experience, sssd relies upon the local kerberos stack. Maybe others have different
> experiences.
>
> mpapet

This really depends on what domain the user is authenticating from.
If the user comes from the joined domain, then currently sssd resolves
the KDC on its own and puts the address of the KDC server into the list
of KDC addresses known by libkrb5 via a locator plugin:
https://jhrozek.wordpress.com/2014/11/04/how-does-sssd-interact-with-tool...
But for users from trusted domains (typically when talking about IPA-AD
trusts), this is currently not done and sssd just calls a kinit
equivalent and pretty much relies on what is already configured in
krb5.conf.
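
An added example, not part of the original thread: a small check of where libkrb5 alone would find KDCs for a realm, which is the case described above for trusted-domain users. It assumes MIT krb5 behaviour (explicit `kdc =` entries are used first, DNS SRV lookup only when none are listed and `dns_lookup_kdc` is not disabled), ignores `include` directives and the sssd locator plugin, and uses constructed realm and host names.

```python
import re

# Values MIT krb5 treats as boolean false in krb5.conf.
FALSE_VALUES = {"false", "no", "off", "0", "n", "nil"}

# Constructed sample: the joined realm has a kdc entry, the trusted realm does not.
SAMPLE = """
[libdefaults]
  default_realm = IPA.EXAMPLE
  dns_lookup_kdc = false

[realms]
  IPA.EXAMPLE = {
    kdc = ipa1.ipa.example:88
  }
  AD.EXAMPLE = {
    admin_server = dc1.ad.example
  }
"""

def parse_krb5_conf(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) from krb5.conf text."""
    libdefaults, realms = {}, {}
    section, realm = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm = header.group(1), None
        elif section == "realms" and line.endswith("{"):
            realm = line.split("=")[0].strip()
            realms[realm] = []
        elif line == "}":
            realm = None
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if section == "libdefaults":
                libdefaults[key] = value
            elif realm is not None and key == "kdc":
                realms[realm].append(value)
    return libdefaults, realms

def kdc_source(text, realm):
    """Say how libkrb5 would locate KDCs for realm from this config alone."""
    libdefaults, realms = parse_krb5_conf(text)
    if realms.get(realm):
        return "krb5.conf", realms[realm]
    if libdefaults.get("dns_lookup_kdc", "true").lower() in FALSE_VALUES:
        return "none", []  # no kdc= entries and SRV lookup disabled
    return "dns-srv", ["_kerberos._udp." + realm, "_kerberos._tcp." + realm]
```

A result of `"none"` for a trusted realm means a kinit against that realm has no way to find a KDC until either `kdc =` entries or SRV lookup are available.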