Thanks I will take a look at the link.
The krb5.conf file looks as follows:

includedir /etc/krb5.conf.d/
includedir /var/lib/sss/pubconf/krb5.include.d/

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = IPA.AD1.COM
 dns_lookup_realm = false
 dns_lookup_kdc = true
 rdns = false
 ticket_lifetime = 24h
 forwardable = true
 udp_preference_limit = 0
 default_ccache_name = KEYRING:persistent:%{uid}

[realms]
 IPA.AD1.COM = {
  kdc = ipa-3.ipa.ad1.com:88
  master_kdc = ipa-3.ipa.ad1.com:88
  kpasswd_server = ipa-3.ipa.ad1.com:464
  admin_server = ipa-3.ipa.ad1.com:749
  default_domain = ipa.ad1.com
  pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
  pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
 }

[domain_realm]
 .ipa.ad1.com = IPA.AD1.COM
 ipa.ad1.com = IPA.AD1.COM
 ipa-3.ipa.ad1.com = IPA.AD1.COM

[dbmodules]
 IPA.AD1.COM = {
  db_library = ipadb.so
 }

[plugins]
 certauth = {
  module = ipakdb:kdb/ipadb.so
  enable_only = ipakdb
 }

Under the /var/lib/sss/pubconf/krb5.include.d/ directory the files and contents are as follows:

::::::::::::::
/var/lib/sss/pubconf/krb5.include.d/domain_realm_auth_ssdis_loc
::::::::::::::
[domain_realm]
 .ssdis.loc = SSDIS.LOC
 ssdis.loc = SSDIS.LOC
 .ROOT.TES = ROOT.TES
 ROOT.TES = ROOT.TES
 .INTERNAL.ROOT.TES = INTERNAL.ROOT.TES
 INTERNAL.ROOT.TES = INTERNAL.ROOT.TES

[capaths]
 SSDIS.LOC = {
  AUTH.SSDIS.LOC = SSDIS.LOC
 }
 ROOT.TES = {
  AUTH.SSDIS.LOC = ROOT.TES
 }
 INTERNAL.ROOT.TES = {
  AUTH.SSDIS.LOC = ROOT.TES
 }
 AUTH.SSDIS.LOC = {
  SSDIS.LOC = SSDIS.LOC
  ROOT.TES = ROOT.TES
  INTERNAL.ROOT.TES = ROOT.TES
 }

::::::::::::::
/var/lib/sss/pubconf/krb5.include.d/krb5_libdefaults
::::::::::::::
[libdefaults]
 canonicalize = true

::::::::::::::
/var/lib/sss/pubconf/krb5.include.d/localauth_plugin
::::::::::::::
[plugins]
 localauth = {
  module = sssd:/usr/lib64/sssd/modules/sssd_krb5_localauth_plugin.so
 }
I am still looking into my problem, a reboot of an IPA server seems to allow authentication and AD group authorisation to work for a period of time and then it stops. Authentication will continue to work if the user is cached in the SSSD cache, but trying to use sudo fails as it can no longer get the membership details.
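Added example, not part of the post above and not FreeIPA, SSSD or MIT krb5 code: a small Python parser for the krb5.conf syntax shown in the post, with the two lookups that decide where a cross-realm request goes. It merges a main file with an SSSD-style includedir fragment, maps a hostname to a realm through [domain_realm] the way libkrb5 does (exact host first, then each parent domain with a leading dot), and expands [capaths] into the realm hops a ticket request takes. The sample configuration is constructed from a trimmed subset of the posted values; the function names and the treatment of a client-realm intermediate as a direct trust are this example's assumptions.

```python
import re

# Constructed sample: a trimmed main krb5.conf plus one SSSD-generated include.
MAIN_CONF = """
[libdefaults]
 default_realm = IPA.AD1.COM
 dns_lookup_kdc = true

[realms]
 IPA.AD1.COM = {
  kdc = ipa-3.ipa.ad1.com:88
  admin_server = ipa-3.ipa.ad1.com:749
 }

[domain_realm]
 .ipa.ad1.com = IPA.AD1.COM
 ipa.ad1.com = IPA.AD1.COM
"""

SSSD_INCLUDE = """
[domain_realm]
 .ssdis.loc = SSDIS.LOC
 ssdis.loc = SSDIS.LOC
 .internal.root.tes = INTERNAL.ROOT.TES
 internal.root.tes = INTERNAL.ROOT.TES

[capaths]
 SSDIS.LOC = {
  AUTH.SSDIS.LOC = SSDIS.LOC
 }
 INTERNAL.ROOT.TES = {
  AUTH.SSDIS.LOC = ROOT.TES
 }
 AUTH.SSDIS.LOC = {
  SSDIS.LOC = SSDIS.LOC
  INTERNAL.ROOT.TES = ROOT.TES
 }
"""


def parse_krb5conf(text):
    """Parse krb5.conf syntax into {section: {key: value}}; a 'key = {' block
    becomes a nested dict and a repeated scalar key (several kdc lines) becomes
    a list. Top-level directives such as includedir are not modelled here."""
    conf = {}
    stack = []  # dicts open at the current nesting depth within a section
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(\S+)\]", line)
        if header:
            stack = [conf.setdefault(header.group(1), {})]
            continue
        if line == "}":
            stack.pop()
            continue
        if not stack:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        cur = stack[-1]
        if value == "{":
            stack.append(cur.setdefault(key, {}))
        elif key in cur and not isinstance(cur[key], dict):
            prev = cur[key] if isinstance(cur[key], list) else [cur[key]]
            cur[key] = prev + [value]
        else:
            cur[key] = value
    return conf


def merge(base, extra):
    """Deep-merge an included fragment into the main config, so an include
    extends a section ([domain_realm], [plugins]) instead of replacing it."""
    for key, value in extra.items():
        if isinstance(value, dict) and isinstance(base.get(key), dict):
            merge(base[key], value)
        else:
            base[key] = value
    return base


def load_config():
    """Equivalent of reading krb5.conf with its includedir fragment."""
    return merge(parse_krb5conf(MAIN_CONF), parse_krb5conf(SSSD_INCLUDE))


def host_realm(conf, hostname):
    """libkrb5-style [domain_realm] lookup: exact hostname, then each parent
    domain prefixed with a dot (longest first), else default_realm."""
    mapping = {k.lower(): v for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    return conf["libdefaults"]["default_realm"]


def transit_path(conf, client_realm, server_realm):
    """Expand [capaths] into the realm hops from client_realm to server_realm.
    Assumption: an intermediate equal to the client realm (what SSSD writes)
    or '.' means a direct trust. None means no path is configured."""
    if client_realm == server_realm:
        return [client_realm]
    hops = conf.get("capaths", {}).get(client_realm, {}).get(server_realm)
    if hops is None:
        return None
    hops = hops if isinstance(hops, list) else [hops]
    intermediates = [h for h in hops if h not in (".", client_realm)]
    return [client_realm] + intermediates + [server_realm]


if __name__ == "__main__":
    cfg = load_config()
    print(host_realm(cfg, "ipa-3.ipa.ad1.com"))
    print(transit_path(cfg, "INTERNAL.ROOT.TES", "AUTH.SSDIS.LOC"))
```

Running it against the real files (read /etc/krb5.conf and every file in the includedir, merging in order) is a quick way to confirm that a host in the trusted forest actually maps to the AD realm and that a child-domain principal has a configured path through the forest root before blaming SSSD's cache.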