It looks like my problems with AD trust on server side went away when I upgraded to
FreeIPA 4.5 using Centos 7.4 packages, but unfortunately this is only half of the way.
I have alot of SLES servers 11 and 12, but it looks like SSSD that comes with SLES is not
fully featured as RHEL or Centos. Basic authentication is working , but policies are not
working because group membership is not available on SLES SSSD client (when checking with
id command). Even on SLES 12 SP1 I cannot get it to work.
In krb5_child.log I see error:
[validate_tgt] (0x0040): sss_extract_and_send_pac failed, group membership for user with
principal [******] might not be correct.
When I try to enable PAC service starting of SSSD fails and I get:
[service_startup_handler] (0x0010): Could not exec /usr/lib/sssd/sssd_pac
--debug-to-files, reason: No such file or directory
I installed all packages related to SSSD and all dependencies.
Is PAC service necessary for group resolution? Is there any other option?