I have the following configuration:
[sssd]
config_file_version = 2
domains = domain.com
services = nss, pam

[nss]

[pam]

[domain/domain.com]
cache_credentials = true
id_provider = ad
auth_provider = ad
access_provider = simple
default_shell = /bin/zsh
fallback_homedir = /home/%d/%u
use_fully_qualified_names = true
ldap_id_mapping = true
ldap_schema = ad
ldap_idmap_range_min = 100000
ldap_idmap_range_max = 2000100000
ldap_idmap_range_size = 200000000
ldap_idmap_default_domain = DOMAIN.COM
ignore_group_members = true
Ticket cache: FILE:/tmp/krb5cc_400389252_3sT5UifBXn
Default principal: username@DOMAIN.COM

Valid starting       Expires              Service principal
07/20/2016 12:18:01  07/20/2016 21:14:13  krbtgt/DOMAIN.COM@DOMAIN.COM
        renew until 07/27/2016 11:14:13
I got Kerberos working and login through GSSAPI to ssh:
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/hostname.domain.com@DOMAIN.COM
   2 host/hostname.domain.com@DOMAIN.COM
   2 host/hostname.domain.com@DOMAIN.COM
   2 host/hostname.domain.com@DOMAIN.COM
   2 host/hostname.domain.com@DOMAIN.COM
   2 host/hostname@DOMAIN.COM
   2 host/hostname@DOMAIN.COM
   2 host/hostname@DOMAIN.COM
   2 host/hostname@DOMAIN.COM
   2 host/hostname@DOMAIN.COM
   2 HOSTNAME$@DOMAIN.COM
   2 HOSTNAME$@DOMAIN.COM
   2 HOSTNAME$@DOMAIN.COM
   2 HOSTNAME$@DOMAIN.COM
   2 HOSTNAME$@DOMAIN.COM
However, I cannot get OpenAFS to work. I suspect it is that I don't have an
afs/hostname@DOMAIN.COM principal. How should I add the service to the keytab
(I don't have admin rights on the KDC) with SSSD + AD?
Maciej
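As an added example (not from the post above or from the SSSD project), the following POSIX shell script checks a `klist -k` style keytab listing for the service principals a host needs and reports the ones that are absent, which is exactly the situation described above (host/ present, afs/ missing). The realm, host name and the keytab listing are constructed sample values so the script runs offline; for a real check, pipe the output of `klist -k /etc/krb5.keytab` into `missing_service_principals` instead.

```shell
# Assumed realm and fully qualified host name (constructed for this example).
REALM="DOMAIN.COM"
FQDN="hostname.domain.com"

# Constructed sample listing in the format printed by `klist -k`.
# It deliberately lacks an afs/ entry, mirroring the problem in the post.
SAMPLE_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- -----------------------------------------
   2 host/hostname.domain.com@DOMAIN.COM
   2 host/hostname.domain.com@DOMAIN.COM
   2 host/hostname@DOMAIN.COM
   2 HOSTNAME$@DOMAIN.COM'

# principals_in_listing: read klist -k (or klist -kt) output on stdin and print
# each distinct principal once. The first three lines are headers; the
# principal is always the last field, so this works with and without -t.
principals_in_listing() {
    awk 'NR > 3 && NF > 0 { print $NF }' | sort -u
}

# missing_service_principals: read a keytab listing on stdin and, for every
# service name given as an argument, print "service/FQDN@REALM" if the keytab
# has no entry for it. Prints nothing when all requested services are present.
missing_service_principals() {
    listing=$(cat)
    for svc in "$@"; do
        want="$svc/$FQDN@$REALM"
        if ! printf '%s\n' "$listing" | principals_in_listing | grep -qxF "$want"; then
            printf '%s\n' "$want"
        fi
    done
}

# check_sample: run the check against the constructed listing for the two
# services the post cares about (host for ssh via GSSAPI, afs for OpenAFS).
check_sample() {
    printf '%s\n' "$SAMPLE_KEYTAB_LISTING" | missing_service_principals host afs
}

# Stand-alone usage: lists the principals that would still need to be added.
check_sample
```

The script only tells you which entries are missing; it cannot create them. In an AD realm the afs/ service principal has to be registered as an SPN on the computer object by someone with rights to modify it before the key can be pulled into /etc/krb5.keytab, which is why a non-admin account cannot fix this from the client alone.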