[SSSD-users] localauth plugin and some other questions

Hi, I did some testing of sssd-13.2 version in Ubuntu-16.04 (ldap_idmapping = false) Login with fqdn in cross realm and Kerberos NFS automount seems to work almost out-of-the-box. This is great. I have still some questions: In my setup, I have configured only for one domain - the domain where I join machine. SRV discovery can figure out all domains and figure out AD structure; 1. Is it still necessary make an explicit list of all domains in the 'domains' statement? [sssd] .. domains = a.c.realm, n.c.realm, s.c.realm, c.realm ... 2. I tried login with setup for UPN/sAMAccountName login- without success. Is login with cross realm's UPN or short sAMAccoutName supported in this sssd version? In database for default domain cache_a.c.realm.db user object has following names (for 'use_fully_qualified_names = true' setup): dn: name = user1(a)n.c.realm ... name: user1(a)n.c.realm nameAlias. user1(a)n.c.realm UserPrincipalName: user1@REALM canonicalUserPrincipalName: user1(a)N.C.REALM 3. Localauth plugin: the option : krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d -does not create that directory (I understand from the doc that sssd should take care about it); However after manually creating this directory I can see many fails in log: [sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [a.c.realm] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realm] [sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0040): creating the temp file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4PYcJ] for domain-realm mappings failed. [sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0080): Could not remove file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4P<B0>]: [2]: No such file or directory .... ls -ld drwxr-xr-x 2 root root 4096 Dec 16 16:08 /var/lib/sss/pubconf/krb5.conf.d/ Default value for option 'krb5_canonicalize' is FALSE; I set 'canonicalize' to 'true' in krb5.conf - is it enough? I understand from docs localauth plugin needs it. 4. ldbsearch Can I somehow (I do not think about log with high debug level) see all configured and default options for SSSD? Best, Longina