Hello,
I'm trying to convert an existing nslcd/pam_krb5 based setup authenticationg
against Active Direcctory to sssd/pam_sss.
I already succeeded in doing so as far as the nss-side of things is
concerned.
Not so with pam_sss.so (pam_krb5.so works fine) because of the following
reason:
When constructing a realm for authentication sssd seems to check for the
ldap attribute specified as ldap_user_principal in sssd.conf. Later on a
kerberos ticket is requested for the string found there.
What I have in sssd.conf is the following (as found in various howtos
araount the web):
ldap_user_principal = userPrincipalName
And this is why I get in trouble!
In my case userPrincipalName does contain an email address (user@dn) with a
domain part _different_ to the kerberos realm.
Thus I end up having sssd trying to request a kerberos ticket for user@DN
which will of course not work, because "DN" is not a valid kerberos realm.
I tried to reproduce this using kinit with varions Versions of this ldap
atrribute.
Neither one of the following works:
kinit user@dn
kinit user@DN
kinit user@dn@REALM
Only "user@REALM" and "user" work.
Thus I changed ldap_user_principal ins sssd.conf to the following:
ldap_user_principal = sAMAccountName
This does seem to work now, but I would rather like to switch back to
userPrincipalName again.
On windows it is possible to login either way: Using user@dn from
userPrincipalName as well as the value from sAMAccountName.
Any Idea
Sven
--
"I'm a bastard, and proud of it"
(Linus Torvalds, Wednesday Sep 6, 2000)
/me is giggls@ircnet,
http://sven.gegg.us/ on the Web