So here are the three logfiles as a gzipped tar-ball.
I did some cleanup for data protection purposes:
1. Where the certificate used was listed as a base64-encoded string I replaced it with ...
and some trailing bytes of the string.
2. I replaced the real realm and domain used with
the word "realm" where the realm appeared in lowercase and "REALM"
where the realm appeared in upper case. In sssd.conf the domain and the realm are the same
and given in upper case.
The subject name of the certificate used for the tests was "CN=bernd,
UID=<number>". Obviously one can't deduce the domain or realm of the user
from the subject given in the certificate. The ldap-entry of the user does not contain the
domain or the kerberos principal name either, the principal name is found as a subject alt
name extension in the certificate only (which is included in the ldap-entry of the user).
I probably have to change something here, may it be including the kerberos principal
name in the ldap entry of the user or in the subject name of the certificate or some
totally different kind of magic.
Thank you in advance for any help here.
Tallinn