On Thu, Dec 17, 2015 at 02:42:39PM +0000, Longina Przybyszewska wrote:
I did some testing of sssd-13.2 version in Ubuntu-16.04 (ldap_idmapping = false)
Login with fqdn in cross realm and Kerberos NFS automount seems to work almost
This is great.
I have still some questions:
In my setup, I have configured only for one domain - the domain where I join the machine.
SRV discovery can figure out all domains and figure out AD structure;
Is it still necessary to make an explicit list of all domains in the 'domains'
domains = a.c.realm, n.c.realm, s.c.realm, c.realm ...
no, only domains which are configured explicitly in the [domain/...]
sections must be listed here. For all other domains listed here you
should get 'Unknown domain' messages in the logs.
I tried login with setup for UPN/sAMAccountName login - without success.
Is login with cross realm's UPN or short sAMAccountName supported in this sssd
In database for default domain cache_a.c.realm.db user object has following names (for
'use_fully_qualified_names = true' setup):
dn: name = user1@n.c.realm ...
The plain sAMAccountName 'user1' will not work because
use_fully_qualified_names = true. What should work is 'DOM\user1' where
DOM is the NetBIOS domain name of n.c.realm domain. Additionally I
would expect that user1@REALM should work.
the option :
krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
-does not create that directory (I understand from the doc that sssd should take care
no, SSSD expects the directory to be present, it should be created during
the package installation.
However after manually creating this directory I can see many fails
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain
[a.c.realm] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realm]
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0040): creating the temp file
[/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4PYcJ] for domain-realm
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0080): Could not remove file
[/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4P<B0>]: : No such
file or directory
drwxr-xr-x 2 root root 4096 Dec 16 16:08 /var/lib/sss/pubconf/krb5.conf.d/
It looks like SSSD still tries the default location, did you put
krb5_confd_path in the right [domain/..] section?
Default value for option 'krb5_canonicalize' is FALSE;
I set 'canonicalize' to 'true' in krb5.conf - is it enough? I
understand from docs localauth plugin needs it.
The AD provider has krb5_use_enterprise_principal=true which implicitly
sets krb5_canonicalize=true as well.
Can I somehow (I do not think about log with high debug level) see all configured and
default options for SSSD?
I'm afraid the answer is currently no.
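
Added example, not part of the original thread: a small Python check for two configuration points raised above, namely that 'domains' should list only domains that have a [domain/...] section, and that krb5_confd_path has to sit in a [domain/...] section and point at a directory that already exists. The function name check_sssd_conf and the sample configuration are constructed for illustration.

```python
import configparser
import os

# Constructed sample sssd.conf reproducing the mistakes discussed in the thread:
# an extra entry in 'domains' and krb5_confd_path outside a [domain/...] section.
SAMPLE = """
[sssd]
domains = a.c.realm, n.c.realm
krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d

[domain/a.c.realm]
id_provider = ad
use_fully_qualified_names = true
"""


def check_sssd_conf(text, dir_exists=os.path.isdir):
    """Return a list of findings for an sssd.conf passed in as a string."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []

    # Domains that actually have a [domain/NAME] section.
    configured = {s.split("/", 1)[1] for s in cp.sections()
                  if s.startswith("domain/")}
    listed = []
    if cp.has_option("sssd", "domains"):
        listed = [d.strip() for d in cp.get("sssd", "domains").split(",")
                  if d.strip()]
    for name in listed:
        if name not in configured:
            findings.append(
                f"domains lists '{name}' but there is no [domain/{name}] section")

    # krb5_confd_path must be in a domain section, and SSSD does not create
    # the directory itself.
    for section in cp.sections():
        if not cp.has_option(section, "krb5_confd_path"):
            continue
        path = cp.get(section, "krb5_confd_path")
        if not section.startswith("domain/"):
            findings.append(
                f"krb5_confd_path is set in [{section}], not in a [domain/...] section")
        elif not dir_exists(path):
            findings.append(f"krb5_confd_path directory {path} does not exist")
    return findings


if __name__ == "__main__":
    for finding in check_sssd_conf(SAMPLE):
        print(finding)
```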