> I would guess AD is saying use TLS. LDAP will say success, because the
> query was successful.
> The result was probably access denied, which is not an error, it's just not what you
> expected for a result, but the result was a success.
Ahh, but I snooped it with wireshark and saw the ldap response with 1 result and all the
attributes AD could supply.
> On my setups, I put all the krb5 configuration in krb5.conf. I set up
> ldap.conf.
Krb5.conf is configured and kinit bnordgren works. However, my current sssd test config is
ldap for authentication as well as ldap for id. Kerberos should be a nonissue. I'll
introduce it later, after things are working with LDAP. If I understand correctly,
Kerberos shouldn't be involved in a "getent passwd bnordgren" call anyway.
> Thanks to the SSSD guessing the realm, you can set your ldap_user_principal
> to the following, and it will append the @realm.
>
> ldap_user_principal = sAMAccountName
"cn" has been working for me in other places where I authenticate off of AD
(mainly webapps like Redmine, Drupal, etc.) It's the RDN of the LDAP entry. Plus, for
the webapps (not here) I have a metadirectory in front of AD's LDAP in order to merge
in a pool of "external users" accounts. They are all "inetOrgPerson"
objects who have a "cn" but do not have a "sAMAccountName". In this
context I suppose it could go either way, since I can define domains independently.
> Also, IMO, ignore the suggestions in that link, use the AD provider.
> Ditch the bind account.
I'm stingy with my domain joins. I'm just a user in that domain, so I've got
ten (I hope: could be I have none; haven't tested it yet). Plan is to join a machine
running ipa, then join my hosts to that.
Bryce
This electronic message contains information generated by the USDA solely for the intended
recipients. Any unauthorized interception of this message or the use or disclosure of the
information it contains may violate the law and subject the violator to civil or criminal
penalties. If you believe you have received this message in error, please notify the
sender and delete the email immediately.
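For readers following the two setups argued over above (LDAP provider with a bind account and `ldap_user_principal = sAMAccountName`, versus the AD provider with no bind account), here is an added sssd.conf showing both side by side. This is example configuration written for this page, not a config posted by either participant; the hostnames, realm, base DN, bind DN and certificate path are placeholders and must be replaced with your own.

```ini
# Added example, not from the thread. Hostnames, realm, base DN, bind DN and
# CA path are placeholders. Keep this file root-owned with mode 0600: sssd
# refuses to start otherwise, and variant A stores a bind password in it.

[sssd]
services = nss, pam
# Pick ONE of the two domain sections below by naming it here.
domains = ad-ldap

# Variant A: plain LDAP provider against AD (the configuration under test in
# the thread). Identity and authentication both go over LDAP; Kerberos is not
# involved, so "getent passwd bnordgren" never touches krb5.conf.
[domain/ad-ldap]
id_provider = ldap
auth_provider = ldap
# ldaps://, not ldap://, so the simple bind and every lookup are encrypted;
# AD will accept an unencrypted bind but the reply may be empty, which SSSD
# reports as success, as the thread observes.
ldap_uri = ldaps://dc1.example.com
ldap_search_base = DC=example,DC=com
ldap_schema = ad
ldap_id_mapping = True
# Bind account needed because anonymous AD LDAP returns no user attributes.
ldap_default_bind_dn = CN=sssd-bind,OU=Service Accounts,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = REPLACE-WITH-BIND-PASSWORD
# Verify the DC certificate; "demand" is the only safe value here.
ldap_tls_cacert = /etc/pki/tls/certs/ad-ca.pem
ldap_tls_reqcert = demand
# Per the thread: sAMAccountName carries no "@REALM", and SSSD appends the
# realm from krb5_realm when the principal is later needed for Kerberos.
ldap_user_principal = sAMAccountName
krb5_realm = EXAMPLE.COM

# Variant B: the AD provider recommended in the reply. The host keytab created
# by the domain join authenticates every lookup, so no bind DN or password is
# stored on disk, and Kerberos authentication comes configured for free.
[domain/ad-native]
id_provider = ad
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
cache_credentials = True
```

To switch from A to B, join the host to the domain first (the join must create `/etc/krb5.keytab`), change `domains = ad-ldap` to `domains = ad-native`, remove the `ldap_default_authtok` line so no bind secret lingers in the file, then `systemctl restart sssd` and re-run `getent passwd <user>` to confirm the lookup still resolves.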