We have multiple Linux servers configured with SSSD/realmd for authentication to Active
Directory. The systems are configured without winbind, so they use Kerberos to authenticate to
the domain. Once SMBv1 was disabled on the domain controller, none of the machines could
authenticate users. Any idea why this would happen when we should be configured for
Kerberos authentication?
**** /etc/sssd/sssd.conf ****
# SSSD client configuration for a host joined to Active Directory via realmd/adcli.
# NSS responder: hide root from SSSD lookups and supply shell/home defaults.
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
shell_fallback = /bin/bash
fallback_homedir = /home/%u
# PAM responder.
[pam]
reconnection_retries = 3
# Global section: a single domain, served through the nss, pam and ifp responders.
[sssd]
domains = internal.example.domain
config_file_version = 2
services = nss, pam, ifp
# The AD provider handles identity, authentication, access control and password change.
[domain/internal.example.domain]
id_provider = ad
auth_provider = ad
# NOTE(review): besides account-expiry checks, the AD access provider can evaluate
# GPO-based access control (ad_gpo_access_control). For that, SSSD retrieves policy
# files from the domain controller's SYSVOL share over SMB, so login decisions may
# depend on the SMB dialect the client library negotiates, not on Kerberos/LDAP
# alone. Check the SSSD domain log and the host's SMB client protocol settings
# before ruling this out - TODO confirm for these hosts.
access_provider = ad
chpass_provider = ad
# The host does not register or refresh its own DNS records.
dyndns_update = False
ad_domain = internal.example.domain
krb5_realm = INTERNAL.EXAMPLE.DOMAIN
realmd_tags = manages-system joined-with-adcli
# No cached credentials and no stored password for offline use: every login
# needs a reachable domain controller.
cache_credentials = False
krb5_store_password_if_offline = False
# UIDs/GIDs are derived from the AD SID rather than read from POSIX attributes;
# home directory and shell are still read from the attributes named below.
ldap_id_mapping = True
use_fully_qualified_names = False
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
# presumably 0 means cached entries are never treated as valid, so each lookup
# goes to the backend - verify against sssd.conf(5) for the installed version.
entry_cache_timeout = 0
# Global Catalog lookups are disabled.
ad_enable_gc = False
**** /etc/krb5.conf ****
# Only the default realm is set in the excerpt shown; no [realms] or KDC entries
# appear, so KDC discovery presumably relies on DNS - confirm against the full file.
[libdefaults]
default_realm = INTERNAL.EXAMPLE.DOMAIN
**** realm list ****
% sudo realm list
internal.example.domain
type: kerberos
realm-name: INTERNAL.EXAMPLE.DOMAIN
domain-name: internal.example.domain
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-realm-logins
--
Brenden