On Thu, Nov 20, 2014 at 06:09:42PM +0100, Joschi Brauchle wrote:
Hello,
We have a Linux machine with a hostname that is longer than 19 characters. AFAIK the SamAccountName attribute in AD is limited to at most 20 characters (incl. trailing $), i.e. the number of usable characters is at most 19.
In many AD docs it is stated that a Windows hostname should not exceed 15 characters for backward compatibility, but we do not really care about that.
Could you comment on how SSSD picks the principal / username to use for Kerberos / LDAP authentication / reading the keytab / and so on in the case of the hostname being longer than 19 characters?
I could not find anything in the docs of sssd-ad about this.
Will it use
- UNRESTRICTED_VERY_LONG_HOSTNAME$
This one. In general, SSSD matches principals in this order:
hostname@REALM
SHORT_HOSTNAME$@REALM
host/hostname@REALM
*$@REALM
host/*@REALM
host/*@*
If none of the above match, we pick the first principal. The asterisk acts as a wildcard.
- 19_CHARACTERS_HOSTNAME$
- 15_CHAR_HOSTNAME$
?
Thanks for clarifying. It will help us decide how to proceed with hosts with long host names.
The safest approach is to manually set ldap_sasl_authid to the right principal.
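The matching order given in the reply, modelled as a small Python function so you can check against your own keytab which principal would be picked before a host is joined. This is an added illustration, not SSSD's own code: the keytab contents are constructed sample data, the short hostname is assumed to be the uppercased first DNS label, and the `sasl_authid` parameter stands in for setting ldap_sasl_authid explicitly, as the reply recommends.

```python
import fnmatch

# Matching order from the reply: the first pattern that matches any
# principal in the keytab wins; "*" is a wildcard. If nothing matches,
# the first keytab entry is used.
def candidate_patterns(hostname, realm):
    # Assumption: the "short hostname" is the first DNS label in upper case.
    short = hostname.split(".")[0].upper()
    return [
        f"{hostname}@{realm}",
        f"{short}$@{realm}",
        f"host/{hostname}@{realm}",
        f"*$@{realm}",
        f"host/*@{realm}",
        "host/*@*",
    ]


def select_principal(keytab_principals, hostname, realm, sasl_authid=None):
    """Return the principal SSSD would use for the given keytab contents.

    sasl_authid models an explicit ldap_sasl_authid setting, which
    short-circuits the automatic search (hypothetical parameter name).
    """
    if sasl_authid:
        return sasl_authid
    for pattern in candidate_patterns(hostname, realm):
        for principal in keytab_principals:
            # fnmatchcase: "*" matches anything, "$", "@", "/" and "." are literal
            if fnmatch.fnmatchcase(principal, pattern):
                return principal
    # Fallback described in the reply: first principal in the keytab.
    return keytab_principals[0] if keytab_principals else None


# Constructed sample keytabs for a host whose name exceeds 19 characters.
HOST = "unrestricted-very-long-hostname.example.com"
REALM = "EXAMPLE.COM"

# AD created the machine account with the full (unrestricted) name.
KEYTAB_FULL = [
    f"host/{HOST}@{REALM}",
    "UNRESTRICTED-VERY-LONG-HOSTNAME$@EXAMPLE.COM",
]

# AD truncated the sAMAccountName to 19 characters plus "$": the
# SHORT_HOSTNAME$ pattern no longer matches, so host/hostname wins.
KEYTAB_TRUNCATED = [
    f"host/{HOST}@{REALM}",
    "UNRESTRICTED-VERY-L$@EXAMPLE.COM",
]

# Only the truncated machine account is present: the "*$@REALM" wildcard picks it.
KEYTAB_TRUNCATED_ONLY = ["UNRESTRICTED-VERY-L$@EXAMPLE.COM"]

if __name__ == "__main__":
    for name, keytab in [("full", KEYTAB_FULL),
                         ("truncated", KEYTAB_TRUNCATED),
                         ("truncated-only", KEYTAB_TRUNCATED_ONLY)]:
        print(f"{name:15s} -> {select_principal(keytab, HOST, REALM)}")
    print("explicit        ->",
          select_principal(KEYTAB_TRUNCATED, HOST, REALM,
                           sasl_authid="UNRESTRICTED-VERY-L$@EXAMPLE.COM"))
```

Running it shows why the reply suggests pinning ldap_sasl_authid: once AD shortens the account name, which principal gets chosen depends entirely on what else happens to be in the keytab.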