I did some testing of the sssd-13.2 version in Ubuntu-16.04 (ldap_idmapping = false).

Login with an FQDN in a cross realm and Kerberos NFS automount seem to work almost out of the box.

This is great.

I still have some questions:

In my setup, I have configured only one domain – the domain where I join the machine.

SRV discovery can figure out all domains and the AD structure;


Is it still necessary to make an explicit list of all domains in the ‘domains’ statement?

domains = a.c.realm, n.c.realm, s.c.realm, c.realm …


I tried login with a setup for UPN/sAMAccountName login – without success.

Is login with a cross-realm UPN or short sAMAccountName supported in this sssd version?


In the database for the default domain, cache_a.c.realm.db, the user object has the following names (for a ‘use_fully_qualified_names = true’ setup):

dn: name = user1@n.c.realm …
name: user1@n.c.realm
nameAlias: user1@n.c.realm
UserPrincipalName: user1@REALM
canonicalUserPrincipalName: user1@N.C.REALM


Localauth plugin:

The option

krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d

does not create that directory (I understand from the doc that sssd should take care of it);

However, after manually creating this directory I can see many failures in the log:


[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [a.c.realm] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realm]
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0040): creating the temp file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4PYcJ] for domain-realm mappings failed.
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0080): Could not remove file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4P<B0>]: [2]: No such file or directory

ls -ld
drwxr-xr-x 2 root root 4096 Dec 16 16:08 /var/lib/sss/pubconf/krb5.conf.d/


The default value for the option ‘krb5_canonicalize’ is FALSE;

I set ‘canonicalize’ to ‘true’ in krb5.conf – is it enough? I understand from the docs that the localauth plugin needs it.


Can I somehow (I am not thinking about a log with a high debug level) see all configured and default options for SSSD?
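Added here as an example, not code from the post above or from the sssd project: a POSIX sh script that checks the pieces the post discusses (krb5_confd_path set, krb5.conf including the pubconf directory, canonicalize enabled, the include directory present and writable). The sssd.conf and krb5.conf locations are assumptions and can be overridden through the environment.

```shell
#!/bin/sh
# Added example, not code from the original post: sanity checks for the
# localauth settings discussed above. The include directory is the one the
# post names; the config file paths are assumptions (override via env).
SSSD_CONF="${SSSD_CONF:-/etc/sssd/sssd.conf}"
KRB5_CONF="${KRB5_CONF:-/etc/krb5.conf}"
INCLUDE_DIR="${INCLUDE_DIR:-/var/lib/sss/pubconf/krb5.include.d}"

# conf_value FILE KEY: print the value of the first "KEY = value" line
# (whitespace trimmed); fail when the key is absent.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1 | grep .
}

# canonicalize_on FILE: succeed only if FILE sets canonicalize = true.
canonicalize_on() {
    [ "$(conf_value "$1" canonicalize)" = "true" ]
}

# krb5_includes_dir FILE DIR: succeed if FILE has an "includedir DIR" line;
# without it libkrb5 never reads the mappings sssd writes into DIR.
krb5_includes_dir() {
    grep -Eq "^[[:space:]]*includedir[[:space:]]+$2/?[[:space:]]*$" "$1"
}

# dir_writable DIR: DIR exists and this user can create files in it (the
# "creating the temp file ... failed" log lines above are the symptom).
dir_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# run MESSAGE CMD...: run CMD quietly, print ok/FAIL, count failures.
run() {
    msg=$1; shift
    if "$@" >/dev/null; then echo "ok   $msg"; else echo "FAIL $msg"; fails=$((fails + 1)); fi
}

# check_setup: one line per check; returns the number of failed checks.
check_setup() {
    fails=0
    run "krb5_confd_path set in $SSSD_CONF" conf_value "$SSSD_CONF" krb5_confd_path
    run "includedir $INCLUDE_DIR in $KRB5_CONF" krb5_includes_dir "$KRB5_CONF" "$INCLUDE_DIR"
    run "canonicalize = true in $KRB5_CONF" canonicalize_on "$KRB5_CONF"
    run "$INCLUDE_DIR exists and is writable" dir_writable "$INCLUDE_DIR"
    return "$fails"
}

if [ "${1:-}" = "--check" ]; then check_setup; fi
```

Run it as `sh check.sh --check` on the joined machine; a non-zero exit status is the number of checks that failed.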