On Wed, Apr 23, 2014 at 03:33:44PM +1000, Jacob Taylor wrote:
> Hi guys,
> I'm in a pickle:
> I'm trying to configure a domain in SSSD to both perform all the usual AD
> authentication wizardry, and at the same time perform LDAP Sudo lookup in
> the directory too. The AD schema has been extended.
> It seems it doesn't like both LDAP and AD directives in the same domain,
> but doesn't Sudo require LDAP and not AD? I know that's how it works for
> IPA.
> Has anyone gotten this working? I'm scratching my head. It works without
> the sudo bit.

Does it work if you drop the enumerate=true line? We've had a bug
recently where, if you configured two provider types (like ldap and ad
in your case), the enumeration tasks would clash:
https://fedorahosted.org/sssd/ticket/2153
If it still doesn't work, can you enable debug_level in the sudo and
domain sections to see if the logs shed any light?
The client$ principal is usually the right one, btw. host/client.fqdn is
often not allowed to acquire a TGT (it's a service account only).
And finally, the recent versions of sssd include a sudo_provider=ad to
cover exactly this use-case:
https://fedorahosted.org/sssd/ticket/2256
I hope this helps.
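A domain section along the lines of the reply, as an added example that is not from the thread: the AD provider handles identity, authentication and access, sudo_provider=ad fetches the rules from the extended AD schema, enumeration stays off, and debug_level is raised in both the sudo and domain sections while diagnosing. The domain name, realm and search base are placeholders.

```ini
# Added example, not from the original thread. example.com, EXAMPLE.COM and
# the search base below are placeholders to replace with your own values.
[sssd]
services = nss, pam, sudo
domains = example.com

[sudo]
# Verbose while diagnosing; lower it again once sudo lookups work.
debug_level = 6

[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
# sudo rules come from the AD provider (ticket #2256), not a second
# ldap provider in the same domain.
sudo_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
# Leave enumeration off: with two provider types in one domain the
# enumeration tasks could clash (ticket #2153).
# enumerate = true
# Optional: point at the container holding the sudoRole objects if they
# are not under the default base (placeholder DN).
# ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
debug_level = 6
```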