I did some testing of sssd-13.2 version in Ubuntu-16.04 (ldap_idmapping = false)
Login with fqdn in cross realm and Kerberos NFS automount seems to work almost out-of-the-box.
This is great.
I have still some questions:
In my setup, I have configured only for one domain – the domain where I join the machine.
SRV discovery can figure out all domains and figure out AD structure;
Is it still necessary to make an explicit list of all domains in the ‘domains’ statement?
domains = a.c.realm, n.c.realm, s.c.realm, c.realm …
I tried login with setup for UPN/sAMAccountName login – without success.
Is login with cross realm’s UPN or short sAMAccountName supported in this sssd version?
In the database for the default domain cache_a.c.realm.db the user object has the following names (for ‘use_fully_qualified_names = true’ setup):
dn: name = firstname.lastname@example.org …
The option:
krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
does not create that directory (I understand from the doc that sssd should take care of it);
However, after manually creating this directory I can see many failures in the log:
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [a.c.realm] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realm]
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0040): creating the temp file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4PYcJ] for domain-realm mappings failed.
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0080): Could not remove file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4P<B0>]: : No such file or directory
drwxr-xr-x 2 root root 4096 Dec 16 16:08 /var/lib/sss/pubconf/krb5.conf.d/
Default value for option ‘krb5_canonicalize’ is FALSE;
I set ‘canonicalize’ to ‘true’ in krb5.conf – is it enough? I understand from docs localauth plugin needs it.
Can I somehow (I am not thinking of a log with a high debug level) see all configured and default options for SSSD?
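An added offline check (my own script, not code from the post or from sssd) that reads the krb5_confd_path configured for a domain, extracts the sss_write_domain_mappings failures from the debug lines quoted above, and compares the directory in each failing path with the configured one; the sssd.conf fragment and the log list are constructed sample input.

```python
import re
import configparser
from pathlib import PurePosixPath

# Constructed sssd.conf fragment with the settings discussed above (sample input).
SSSD_CONF = """
[sssd]
domains = a.c.realm
[domain/a.c.realm]
use_fully_qualified_names = true
krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
"""

# Debug lines as quoted in the post (sample input; <B0> stands for the raw byte).
LOG_LINES = [
    "[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [a.c.realm] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realm]",
    "[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0040): creating the temp file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4PYcJ] for domain-realm mappings failed.",
    "[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0080): Could not remove file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4P<B0>]: : No such file or directory",
]

# sssd debug line: [sssd[be[<domain>]]] [<function>] (<level>): <message>
LINE_RE = re.compile(r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)")
PATH_RE = re.compile(r"\[(/[^\]]*)\]")  # first bracketed absolute path in the message

def configured_confd_path(conf_text, domain):
    """Return krb5_confd_path from the [domain/<domain>] section, or None if unset."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get(f"domain/{domain}", "krb5_confd_path", fallback=None)

def mapping_failures(lines):
    """Return (domain, level, path) for sss_write_domain_mappings messages at failure levels (<= 0x0080)."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["func"] != "sss_write_domain_mappings" or int(m["level"], 16) > 0x0080:
            continue
        p = PATH_RE.search(m["msg"])
        out.append((m["domain"], m["level"], p.group(1) if p else None))
    return out

def check(conf_text, lines):
    """Compare the directory of each failing mapping file with the domain's configured krb5_confd_path."""
    report = []
    for domain, level, path in mapping_failures(lines):
        cfg = configured_confd_path(conf_text, domain)
        logged_dir = str(PurePosixPath(path).parent) if path else None
        report.append({"domain": domain, "level": level, "configured": cfg,
                       "logged_dir": logged_dir, "match": cfg == logged_dir})
    return report
```

A `match` of False means the directory sssd actually writes to is not the one named in krb5_confd_path, which is the first thing to verify before creating directories by hand.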