[SSSD-users] Adding service to sssd + AD

I have following configuaration: [sssd] config_file_version = 2 domains = domain.com services = nss, pam [nss] [pam] [domain/domain.com] cache_credentials = true id_provider = ad auth_provider = ad access_provider = simple default_shell = /bin/zsh fallback_homedir = /home/%d/%u use_fully_qualified_names = true ldap_id_mapping = true ldap_schema = ad ldap_idmap_range_min = 100000 ldap_idmap_range_max = 2000100000 ldap_idmap_range_size = 200000000 ldap_idmap_default_domain = DOMAIN.COM ignore_group_members = true Ticket cache: FILE:/tmp/krb5cc_400389252_3sT5UifBXn Default principal: username(a)DOMAIN.COM Valid starting Expires Service principal 07/20/2016 12:18:01 07/20/2016 21:14:13 krbtgt/DOMAIN.COM(a)DOMAIN.COM renew until 07/27/2016 11:14:13 I got kerberos working and login through gssapi to ssh: Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 2 host/hostname.domain.com(a)DOMAIN.COM 2 host/hostname.domain.com(a)DOMAIN.COM 2 host/hostname.domain.com(a)DOMAIN.COM 2 host/hostname.domain.com(a)DOMAIN.COM 2 host/hostname.domain.com(a)DOMAIN.COM 2 host/hostname(a)DOMAIN.COM 2 host/hostname(a)DOMAIN.COM 2 host/hostname(a)DOMAIN.COM 2 host/hostname(a)DOMAIN.COM 2 host/hostname(a)DOMAIN.COM 2 HOSTNAME$(a)DOMAIN.COM 2 HOSTNAME$(a)DOMAIN.COM 2 HOSTNAME$(a)DOMAIN.COM 2 HOSTNAME$(a)DOMAIN.COM 2 HOSTNAME$(a)DOMAIN.COM However I cannot get OpenAFS to work. I suspect it is that I don't have afs/hostname(a)DOMAIN.COM principal. How should I add service to keytab (I don't have admin rights on KDC) with SSD + AD? Maciej