On Wed, Aug 13, 2014 at 12:03:55PM -0500, Daniel Shown wrote:
I'm having trouble authenticating to an AD domain with a disjointed
namespace using SSSD. Here's what I'm up against:
netbios domain name: BLAH
domain (& kerberos realm): DS.BLAH.COM
UPNs: username@BLAH.COM
to join to the domain I have to have workgroup: BLAH in smb.conf, which is
not generally how smb and winbind are config'ed (usually it would be DS
instead of BLAH).
I can create a kerberos ticket for user@DS.BLAH.COM.
I can do an "id user@ds.blah.com" and get a valid response.
but when I try to "su user@ds.blah.com" I get an invalid password, and a
log entry indicating "[sssd[krb5_child[29198]]]: Cannot resolve servers for
KDC in realm "BLAH.COM"". I'm assuming that it's looking for the KDC there
because of the setting in smb.conf.
I'm running SSSD 1.9.2 on CentOS 6.5.
With sssd-1.11 which is coming to 6.6, this would work out of the box.
In 1.9, you can use a workaround.
Can you try setting:
ldap_user_principal = nosuchattribute # yes, literally
Normally, sssd uses the UPN attribute of the user. But if you override
the LDAP UPN attribute to something that doesn't exist, SSSD would
try to 'guess' the UPN with username@REALM.
I hope this helps.
I've tried various settings googling around, and so my current sssd.conf
file looks like:
[sssd]
services = nss, pam, ssh, pac
^^^
Do you really use the SSH integration, that is, do you have the
knownhosts set in sshd_conf? If not, you can remove the ssh responder.
config_file_version = 2
domains = ds.blah.com
debug_level = 10
[nss]
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[domain/ds.blah.com]
cache_credentials = False
krb5_store_password_if_offline = False
The two above are defaults, you can safely remove them.
id_provider = ad
auth_provider = ad
access_provider = ad
ad_server = dc1.ds.blah.com
ad_hostname = host.ds.blah.com
krb5_realm = DS.BLAH.COM
ad_domain = ds.blah.com
ad_enable_dns_sites = True
krb5_canonicalize = false
debug_level = 5
Any suggestions would be greatly appreciated.
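A small checker, added here as an example and not part of the thread or of SSSD itself, that parses an sssd.conf and flags an AD domain whose krb5_realm differs from the UPN suffix users log in with (the disjoint-namespace case above) unless the ldap_user_principal override is present. The config text is a constructed copy of the one in the thread plus the suggested workaround line; the realm comparison is this checker's own heuristic, and per the reply it only matters for sssd older than 1.11.

```python
import configparser

# Constructed sssd.conf (modelled on the thread's file, trimmed) with the
# ldap_user_principal workaround applied.
SSSD_CONF_WITH_WORKAROUND = """
[sssd]
services = nss, pam
config_file_version = 2
domains = ds.blah.com

[domain/ds.blah.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_server = dc1.ds.blah.com
ad_domain = ds.blah.com
krb5_realm = DS.BLAH.COM
ldap_user_principal = nosuchattribute  # yes, literally
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style; strip the trailing '# ...' comment on values."""
    cp = configparser.ConfigParser(inline_comment_prefixes=("#",), interpolation=None)
    cp.read_string(text)
    return cp


def check_disjoint_upn(conf, upn_suffix):
    """Return (section, status, detail) for each AD domain whose Kerberos realm
    is not the UPN suffix (e.g. 'BLAH.COM'). 'warn' means krb5_child will use
    the AD UPN and look for a KDC in the UPN realm; 'ok' means the UPN lookup
    is overridden so SSSD falls back to username@krb5_realm."""
    findings = []
    for section in conf.sections():
        if not section.startswith("domain/"):
            continue
        dom = conf[section]
        if dom.get("id_provider") != "ad":
            continue
        realm = dom.get("krb5_realm", dom.get("ad_domain", "")).upper()
        if realm == upn_suffix.upper():
            continue  # UPN suffix matches the realm: no disjoint namespace
        override = dom.get("ldap_user_principal")
        if override:
            findings.append((section, "ok",
                             f"ldap_user_principal={override}; SSSD guesses user@{realm}"))
        else:
            findings.append((section, "warn",
                             f"UPN suffix {upn_suffix} != realm {realm}; KDC lookup in {upn_suffix}"))
    return findings
```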