Hello,
I've successfully set up sssd on our systems to connect to our
Microsoft AD with LDAP
authentication; now I want to use Kerberos instead, and of course I have
run into some problems :)
To start with, I'm not too familiar with Kerberos, so go easy on me here.
I've successfully created a machine account in AD (with msktutil; I also
got it working with samba/net join)
and obtained a Kerberos keytab. A user can obtain a ticket by running
'kinit foouser'; thereafter he/she
can run, for example, 'ldapsearch -b 'ou=xx,dc=xx,dc=xx,dc=xx' -Omaxssf=0
"(&(objectclass=user)(cn=xx))" uid'
successfully.
Here's my question (maybe this should rather go to a Kerberos
mailing list, or maybe I should read a book; however, it's easiest to ask
here :)).
Is the keytab used by sssd to authenticate to the KDC? Is this even how
it works? Since sssd is run by root, and root has no ticket,
I figured it would work that way, but maybe I'm mistaken; maybe it's
supposed to work in some other way?
Here's the krb5 part of the sssd.conf:
auth_provider = krb5
krb5_kdcip = 123.123.123.123
krb5_realm = foo
# principal used for password changes
krb5_changepw_principal = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
krb5_keytab = /etc/krb5.keytab
When I start sssd with -d10 I can't really see many messages about the
Kerberos authentication, whether it fails or not; however, I can see
'Search result: Operations error(1), 00000000: LdapErr: DSID-0C090627,
comment: In order to perform this operation a successful bind must be
completed on the connection., data 0, vece'
which suggests that I cannot bind to LDAP, right?
Any suggestions where to go from here?
Best regards,
Patrik Martinsson, Sweden.
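A small check that is useful before digging into -d10 logs: lint the krb5_* options in a [domain/...] section of sssd.conf against the option names sssd actually knows, since sssd silently ignores a misspelled key. The script below is an added example and is not code from the post or from the SSSD project. The set of option names is an assumption taken from the sssd-krb5(5) man page at the time of writing (krb5_kdcip is the older name of krb5_server), so compare it with the man page of the version you run. The embedded config is a constructed sample in the style of the one above, including a misspelled option name (krb5_changepw_principle) to show what the check catches. It also points out that with auth_provider = krb5 the keytab named by krb5_keytab is only used to validate TGTs when krb5_validate is enabled; the LDAP bind error in the post comes from the id provider side, not from krb5 authentication.

```python
"""Lint the krb5 options of the [domain/*] sections in an sssd.conf.

Added example, not code from the original post or from the SSSD project.
KRB5_OPTIONS is an assumption drawn from sssd-krb5(5); verify it against
the sssd version in use.
"""
import configparser
import difflib

# Assumed option names from sssd-krb5(5). krb5_kdcip is the older alias of
# krb5_server and is kept so that old configs do not get flagged as unknown.
KRB5_OPTIONS = {
    "krb5_server", "krb5_kdcip", "krb5_backup_server", "krb5_realm",
    "krb5_kpasswd", "krb5_backup_kpasswd", "krb5_ccachedir",
    "krb5_ccname_template", "krb5_auth_timeout", "krb5_validate",
    "krb5_keytab", "krb5_store_password_if_offline",
    "krb5_renewable_lifetime", "krb5_lifetime", "krb5_renew_interval",
    "krb5_use_fast", "krb5_fast_principal", "krb5_canonicalize",
    "krb5_use_enterprise_principal", "krb5_use_kdcinfo", "krb5_map_user",
    "krb5_changepw_principal",
}

# Constructed sample config in the style of the post, with one misspelled key.
SAMPLE_CONF = """\
[domain/example]
auth_provider = krb5
krb5_kdcip = 123.123.123.123
krb5_realm = foo
krb5_changepw_principle = kadmin/changepw
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
krb5_auth_timeout = 15
krb5_keytab = /etc/krb5.keytab
"""


def lint_krb5_sections(text):
    """Return a list of (severity, message) findings for every [domain/*] section."""
    cp = configparser.ConfigParser(interpolation=None)  # '%d' / '%U' are sssd templates
    cp.optionxform = str  # keep option names exactly as written in the file
    cp.read_string(text)

    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        opts = dict(cp.items(section))

        # Unknown krb5_* keys are ignored by sssd, so flag them and suggest the
        # closest known name.
        for key in opts:
            if key.startswith("krb5_") and key not in KRB5_OPTIONS:
                close = difflib.get_close_matches(key, KRB5_OPTIONS, n=1, cutoff=0.8)
                hint = f" (did you mean {close[0]}?)" if close else ""
                findings.append(("error", f"{section}: unknown option {key}{hint}"))

        # Realm names are case-sensitive; AD realms are the upper-cased DNS domain.
        realm = opts.get("krb5_realm")
        if realm and realm != realm.upper():
            findings.append(("warning",
                             f"{section}: krb5_realm '{realm}' is not upper-case"))

        if "krb5_kdcip" in opts:
            findings.append(("info", f"{section}: krb5_kdcip is the older name of krb5_server"))

        # With the krb5 auth provider the keytab is only used when krb5_validate
        # is on, to check the obtained TGT against the host key.
        if opts.get("auth_provider") == "krb5" and \
                opts.get("krb5_validate", "false").lower() != "true":
            keytab = opts.get("krb5_keytab", "/etc/krb5.keytab")
            findings.append(("info",
                             f"{section}: krb5_validate is off, so keytab {keytab} is not used for TGT validation"))
    return findings


if __name__ == "__main__":
    for severity, message in lint_krb5_sections(SAMPLE_CONF):
        print(f"{severity}: {message}")
```

Run it against a real file by passing the file contents to lint_krb5_sections(); on the sample it reports the unknown key with the corrected spelling, the lower-case realm, the deprecated krb5_kdcip name, and the unused keytab.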