# Kerberos client configuration (krb5.conf format).
# Comments must start at column 0 with # or ; — krb5 does not strip trailing comments.
[logging]
# Log destination for the client libraries on this host.
default = FILE:/var/log/krb5libs.log
# The next two apply to the KDC and kadmind daemons, which do not normally
# run on a domain-member host; they are inert here but harmless.
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
# Realm assumed when a principal carries none. Must match the AD realm
# exactly — realm names are case-sensitive and conventionally upper-case.
default_realm = EXAMPLE.COM
# Map host names to realms via DNS TXT records. Those records are not
# authenticated, so a spoofed DNS answer can steer the client to a wrong
# realm; an explicit [domain_realm] mapping is the safer choice.
dns_lookup_realm = true
# Locate KDCs through DNS SRV records instead of a static [realms] list.
dns_lookup_kdc = true
# Lifetimes requested for initial TGTs; the KDC may cap both.
ticket_lifetime = 24h
renew_lifetime = 7d
# Initial tickets are forwardable by default: a service that receives a
# forwarded TGT can act as the user. Keep only if GSSAPI credential
# delegation (e.g. over ssh) is actually needed.
forwardable = true
[realms]
# Static KDC list per realm. Left empty because dns_lookup_kdc = true
# resolves KDCs from SRV records; uncomment a block below only if DNS
# lookups are not working. Realm names are case-sensitive, so the
# lower-case "example.com" block would not match default_realm.
# Define only if DNS lookups are not working
# example.com = {
# kdc = DC01
# admin_server = DC01.example.com
# }
# EXAMPLE.COM = {
# kdc = DC01.example.com
# kdc = DC02.example.com
# kdc = DC03.example.com
# kdc = DC04.example.com
# }
[domain_realm]
# Host/domain-suffix -> realm map, consulted before any DNS TXT lookup.
# A leading dot matches every host under the domain; the bare form matches
# the domain name itself, so both are usually listed. Uncomment and
# complete this if dns_lookup_realm is turned off.
# NOTE: ".brain.com" does not match the example.com domain used elsewhere
# in this configuration — verify the intended suffix before enabling.
# Define only if DNS lookups are not working
# .brain.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
# Samba domain-member configuration (smb.conf format).
[global]
# Authenticate against Active Directory using Kerberos; the host must be
# joined to the domain. The short NetBIOS domain name (workgroup) is not
# set in this excerpt and is normally required in ads mode — confirm it
# is defined elsewhere.
security = ads
passdb backend = tdbsam
# Must equal the Kerberos realm in krb5.conf (case-sensitive, upper-case).
realm = EXAMPLE.COM
# Pins the DCs to contact. In ads mode Samba can also find DCs via DNS SRV
# records, so this hand-maintained list must be kept current.
password server = dc01.example.com dc02.example.com
# Try secrets.tdb first, then the system keytab, for the machine credentials.
kerberos method = secrets and keytab
# SMB signing on outbound connections. Current Samba documents the values
# auto/mandatory/disabled; confirm how the deployed version maps "yes"
# (expected: mandatory) with testparm.
client signing = yes
client use spnego = yes
# Printing: expose all CUPS queues as raw printers.
load printers = yes
cups options = raw
[homes]
# Per-user home-directory share, named after the connecting user.
comment = Home Directories
# Hidden from share listings; each user still reaches their own home.
browseable = no
writable = yes
[printers]
# Spool share backing the printers pulled in by load printers = yes.
comment = All Printers
path = /var/spool/samba
browseable = no
# No anonymous access to the spool; the share accepts print jobs only and
# is not writable as a file share.
guest ok = no
writable = no
printable = yes
# SSSD configuration (sssd.conf format). Only full-line comments starting
# with # or ; are recognised — text after a value is kept as part of it.
[sssd]
# Must name a [domain/...] section defined in this file.
domains = example.com
config_file_version = 2
# Responders to start; each has its own section below.
services = nss, pam, pac, sudo, autofs
# Log verbosity of the monitor process.
debug_level = 6
[nss]
# Log verbosity of the NSS responder.
debug_level = 3
[pam]
# Log verbosity of the PAM responder.
debug_level = 3
[sudo]
# Log verbosity of the sudo responder.
debug_level = 3
[autofs]
# Log verbosity of the autofs responder.
debug_level = 3
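[domain/example.com]
# Log verbosity of this domain's backend process.
debug_level = 6
ad_domain = example.com
# Must be this machine's FQDN as registered in AD; the value here looks
# like a placeholder — confirm before deploying.
ad_hostname = hostname.example.com
# Must match default_realm in krb5.conf exactly (case-sensitive).
krb5_realm = EXAMPLE.COM
# Keep hashed credentials in the cache so users can log in while offline.
# (Booleans normalised to lower-case; sssd reads them case-insensitively.)
cache_credentials = true
id_provider = ad
auth_provider = krb5
# While offline, the user's plaintext password is kept in the kernel
# keyring so a TGT can be fetched once connectivity returns. That widens
# exposure of the password to root; keep only if offline-then-online TGT
# acquisition is required.
krb5_store_password_if_offline = true
default_shell = /bin/bash
# POSIX uid/gid are read from AD attributes rather than derived from SIDs.
ldap_id_mapping = false
use_fully_qualified_names = false
# %u is expanded by sssd to the user name (no configparser-style interpolation).
fallback_homedir = /home/users/%u
access_provider = ad
# LDAP settings
# id_provider = ad is believed to select the "ad" schema by default; this
# explicit override was kept as found — confirm it is intentional for the
# deployed sssd version.
ldap_schema = rfc2307bis
# Unless you know you need referrals, turn them off
ldap_referrals = false
enumerate = false
# Kerberos (GSSAPI) bind: no plaintext bind password is needed or stored.
ldap_sasl_mech = GSSAPI
# NOTE: the search bases below use dc=brain2,dc=com while the domain is
# example.com — verify the DN suffix before deploying.
ldap_user_search_base = ou=Brain2HQ,dc=brain2,dc=com
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_group_search_base = ou=Groups,dc=brain2,dc=com
ldap_group_object_class = group
# Account-expiration check. With access_provider = ad the AD provider is
# believed to apply this already; confirm these two lines are not redundant.
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
# sudo settings
sudo_provider = ldap
ldap_sudo_search_base = ou=sudoers,dc=brain2,dc=com
# autofs settings
# (spacing normalised to "key = value" like the rest of the section)
autofs_provider = ldap
ldap_autofs_search_base = ou=automount,dc=brain2,dc=com
ldap_autofs_map_object_class = nisMap
ldap_autofs_entry_object_class = nisObject
ldap_autofs_map_name = nisMapName
ldap_autofs_entry_key = cn
ldap_autofs_entry_value = nisMapEntry
# shell settings
# A login shell outside allowed_shells, or listed in vetoed_shells, is
# replaced by shell_fallback. Trailing comma removed from the list so it
# carries no empty element.
allowed_shells = /bin/sh,/bin/bash,/bin/zsh,/bin/fish,/bin/ksh
vetoed_shells = /bin/csh,/bin/tcsh
shell_fallback = /bin/bash
# kerberos settings
# Probably required with sssd 1.8.x and newer
krb5_canonicalize = false
# Request a renewable TGT and have sssd attempt renewal on this interval;
# the KDC may cap the lifetimes it actually grants.
krb5_renewable_lifetime = 1d
krb5_renew_interval = 60s
# Requested TGT lifetime; normally capped by the KDC.
# The former trailing "#normally set by KDC" comment was moved to this
# line: sssd does not strip inline comments, so it had become part of the
# value ("1h #normally set by KDC"), which is not a valid time spec.
krb5_lifetime = 1h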
[root@hostname ~] klist -f /var/lib/sss/db/ccache_example.com
Ticket cache: FILE:/var/lib/sss/db/ccache_example.com
Default principal: hostname$@example.com
Valid starting Expires Service principal
11/30/15 13:16:40 11/30/15 23:16:44 krbtgt/example.com@example.com
renew until 12/07/15 13:16:40, Flags: RIA
11/30/15 13:16:44 11/30/15 23:16:44 ldap/dc02.example.com@
renew until 12/07/15 13:16:40, Flags: RAO
11/30/15 13:16:44 11/30/15 23:16:44 ldap/dc02.example.com@example.com
renew until 12/07/15 13:16:40, Flags: RAO
11/30/15 13:16:44 11/30/15 23:16:44 DNS/dc01.example.com@example.com
renew until 12/07/15 13:16:40, Flags: RAO
[root@hostname ~] grep renew /var/log/sssd/sssd_example.com.log
(Mon Nov 30 08:28:49 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Mon Nov 30 09:55:42 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0100): Successfully renewed TGT for user [John Doe].
(Mon Nov 30 10:26:42 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0100): Successfully renewed TGT for user [John Doe].
(Mon Nov 30 11:36:44 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0020): krb5_auth request failed.
(Mon Nov 30 11:36:44 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0200): Giving back pam data.
(Mon Nov 30 11:36:44 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0020): krb5_auth request failed.
(Mon Nov 30 11:36:44 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0200): Giving back pam data.
(Mon Nov 30 11:38:07 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0020): krb5_auth request failed.
(Mon Nov 30 11:38:07 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0200): Giving back pam data.
(Mon Nov 30 11:38:13 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0020): krb5_auth request failed.
(Mon Nov 30 11:38:13 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0200): Giving back pam data.
(Mon Nov 30 11:47:35 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0020): Failed to renew TGT for user [John Doe].
(Mon Nov 30 11:47:35 2015) [sssd[be[example.com]]] [renew_tgt_done] (0x0020): Failed to renew TGT for user [Lucy Doe].
(Mon Nov 30 14:16:07 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Mon Nov 30 17:19:34 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Mon Nov 30 18:20:26 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Mon Nov 30 18:21:36 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Mon Nov 30 19:11:06 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Mon Nov 30 19:26:31 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Mon Nov 30 23:30:05 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec 1 00:16:56 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec 1 01:18:39 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec 1 01:32:16 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec 1 03:22:02 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec 1 04:34:30 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec 1 06:27:39 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec 1 06:38:20 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec 1 07:34:20 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec 1 07:56:02 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec 1 08:33:09 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.
(Tue Dec 1 10:40:41 2015) [sssd[be[example.com]]] [renew_handler] (0x0100): Offline, disable renew timer.