Hello everyone,

I made a configuration where I use Active Directory Kerberos as the authentication source,
but OpenDJ LDAP (ForgeRock) as the id_provider, sudo_provider, etc.

I configured everything using the excellent tool msktutil, so no Samba or ktpass.exe was involved.

Basically, this is my sssd.conf:

[domain/DOMAIN]
ldap_id_use_start_tls = True
ldap_schema = rfc2307bis
ldap_search_base = dc=xyz
id_provider = ldap
access_provider = ldap
ldap_access_filter = isMemberOf=zyx
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://xyz
cache_credentials = true
sudo_provider = ldap
ldap_sudo_search_base = ou=xyz
ldap_netgroup_search_base = ou=xyz
ldap_group_name = uniqueMember
entry_cache_netgroup_timeout = 300
entry_cache_sudo_timeout = 300
ldap_sasl_mech = GSSAPI
ldap_force_upper_case_realm = True
ldap_krb5_keytab = /etc/krb5.keytab
krb5_keytab = /etc/krb5.keytab
krb5_realm = MSNET.RAILB.BE
krb5_ccachedir = /tmp
krb5_validate = True
krb5_auth_timeout = 15
ldap_sasl_authid = HOSTNAME$@MSNET.RAILB.BE
ldap_krb5_init_creds = true
debug_level = 5

I only have one problem: I have to create a "uid=HOSTNAME$" entry in my LDAP servers, which is currently of objectClass account.

By default, OpenDJ makes a GSSAPI match based on regexp for UID.

But if I want to use objectClass ipHost/device, then cn is used instead of uid.

Any idea what the nicest solution is here?

SSO also works perfectly between Linux hosts, but I can't manage to use PuTTY with my Windows credentials/ticket to sign on to the sssd-enabled hosts.

Sincerely, PieterB
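As an added example (not part of the post above), a small audit of the security-relevant settings in the sssd.conf shown: it confirms krb5_validate is on for a krb5 auth_provider, that a plain ldap:// URI is paired with StartTLS, and that the GSSAPI ldap_sasl_authid realm matches krb5_realm. The sample configs are constructed excerpts of the posted file, and the mapped_uid helper assumes, as the post describes, that OpenDJ's default regexp mapper matches the principal's local part against uid.

```python
import configparser

# Constructed sample: the security-relevant subset of the sssd.conf from the post.
POSTED_CONF = """\
[domain/DOMAIN]
ldap_uri = ldap://xyz
ldap_id_use_start_tls = True
auth_provider = krb5
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = HOSTNAME$@MSNET.RAILB.BE
krb5_realm = MSNET.RAILB.BE
krb5_validate = True
"""

# Constructed weaker variant: TGT validation off and no StartTLS on a plain ldap:// URI.
WEAK_CONF = (POSTED_CONF
             .replace("krb5_validate = True", "krb5_validate = False")
             .replace("ldap_id_use_start_tls = True", "ldap_id_use_start_tls = False"))


def _truthy(value):
    return value.strip().lower() in ("true", "yes", "1")


def _domain_section(conf_text):
    cp = configparser.ConfigParser(interpolation=None)  # keep '$' and '%' literal
    cp.read_string(conf_text)
    return cp[next(s for s in cp.sections() if s.startswith("domain/"))]


def audit_sssd_domain(conf_text):
    """Return a list of findings for the first [domain/...] section of conf_text."""
    d = _domain_section(conf_text)
    findings = []
    # krb5_validate makes sssd verify the obtained TGT against the host keytab; without it
    # a spoofed KDC could satisfy the password check (the classic KDC-spoofing weakness).
    if d.get("auth_provider") == "krb5" and not _truthy(d.get("krb5_validate", "false")):
        findings.append("krb5_validate is off while auth_provider = krb5")
    # A plain ldap:// URI without StartTLS puts identity lookups on the wire in clear.
    if d.get("ldap_uri", "").startswith("ldap://") and not _truthy(d.get("ldap_id_use_start_tls", "false")):
        findings.append("ldap_uri is ldap:// but ldap_id_use_start_tls is off")
    # The GSSAPI bind identity: its realm must be upper case and equal to krb5_realm.
    authid = d.get("ldap_sasl_authid", "")
    if d.get("ldap_sasl_mech", "").upper() == "GSSAPI" and authid:
        realm = authid.partition("@")[2]
        if realm != realm.upper() or realm != d.get("krb5_realm"):
            findings.append("ldap_sasl_authid realm does not match krb5_realm (upper-cased)")
    return findings


def mapped_uid(conf_text):
    """Assumed: the uid OpenDJ's default regexp mapper derives from the GSSAPI authid."""
    return _domain_section(conf_text).get("ldap_sasl_authid", "").partition("@")[0]
```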