On Wed, Jan 29, 2014 at 05:28:10PM +0000, Nordgren, Bryce L -FS wrote:
> > -----Original Message-----
> > On Tue, Jan 28, 2014 at 11:07:03PM +0000, Nordgren, Bryce L -FS wrote:
> > I think the most important log would be the one from the back end,
> > generated by including debug_level in the [domain] section.
> Ok. Will try it.
> > Any reason why you set the principal to cn and not userPrincipalName ?
> My userPrincipalName is set to <lotsanumbers>@FEDIDCARD.GOV whereas my Kerberos
> principal is bnordgren@DS.FS.FED.US. I suspect this has something to do with two factor
> authentication.
In case DS.FS.FED.US is the correct Kerberos realm, then I'd suggest to
set the principal to an attribute that doesn't exist. Then the SSSD will
try to 'guess' the principal as $username@$realm
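
An sssd.conf fragment illustrating the two suggestions in this thread, added here as an example and not taken from either poster's configuration. The domain name `example`, the provider choices, the debug level value and the attribute name `nosuchattr` are assumptions; the realm is the one quoted in the message.

```ini
# Hypothetical domain section; "example" is a placeholder name.
[domain/example]
# Assumed provider layout: identity from LDAP, authentication via Kerberos.
id_provider = ldap
auth_provider = krb5

# Back-end debug logging, set in the domain section as suggested above.
# The value 9 is an assumed choice; output goes to the back end's own log,
# /var/log/sssd/sssd_example.log for this domain name.
debug_level = 9

# Realm used when SSSD has to construct the principal itself.
krb5_realm = DS.FS.FED.US

# Before: the principal was read from cn.
# ldap_user_principal = cn

# After: point the mapping at an attribute that does not exist in the
# directory, so no principal is read from LDAP and SSSD falls back to
# $username@$realm (for example bnordgren@DS.FS.FED.US).
ldap_user_principal = nosuchattr
```

Lower debug_level again once the back-end log has been collected, since high levels are verbose and record details of each lookup and authentication attempt.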