On Mon, May 02, 2011 at 09:56:18PM -0700, Ben Kevan wrote:
I'm wondering what the heck I'm doing wrong. I'm working on getting SSSD + KRB5 working against 2008 R2 AD. It's working fine in RHEL5 w/ the standard LDAP.conf configuration. I'm working on sssd, but am not getting a binddn connection to AD. Here's my config:
grep -vE '^#|^$' /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default

[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/default]
description = LDAP domain with AD server
enumerate = false
id_provider = ldap
chpass_provider = krb5
ldap_uri = ldap://usherdc103.domain.com ldap://usherdc104.domain.com
ldap_search_base = DC=Domain,DC=com
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_default_bind_dn = ldapbinddn@DOMAIN.COM
ldap_default_authtok_type = password
ldap_default_authtok = YAYYOUGOTME
ldap_pwd_policy = none
ldap_user_object_class = user
ldap_group_object_class = group
cache_credentials = True
krb5_realm = DOMAIN.COM
krb5_kdcip = usherdc103.domain.com,usherdc104.domain.com
krb5_changepw_principal = kadmin/changepw
wtf am I doing wrong, and is ldap for authentication better than krb5? or should I stick with ldap for authorization and krb5 for authentication?
If you want to use Kerberos authentication "auth_provider = krb5" is missing in your configuration.
It is not clear to me what is already working for you and where the issues start. Is it already the id part or only authentication? Does 'getent passwd user_from_ad' or 'id user_from_ad' return any results? It would be nice if you can send log files with 'debug_level = 9'. Please be aware that ldap_default_authtok can be found in the log files.
bye, Sumit
Thank you.
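The two points Sumit raises (a missing auth_provider, and the bind password ending up in debug logs) are easy to check mechanically before posting a config or logs to a list. The script below is an example added to this thread, not SSSD's own code. It assumes, per the sssd.conf man page, that an unset auth_provider makes SSSD authenticate through the id_provider, and that ldap_default_authtok is written to debug logs; KNOWN_KRB5_OPTIONS is a hand-picked subset of real krb5 provider options, not the full list. The embedded SAMPLE_CONF is constructed: it mirrors the shape of the posted [domain/default] section, with no auth_provider and a deliberately misspelled krb5_* key so the unknown-option check has something to find.

```python
"""Sanity checks for an sssd.conf that uses LDAP for identity and Kerberos for
authentication. Example added to this thread; not SSSD's own code.

Assumptions (from the sssd.conf man page): when auth_provider is unset SSSD
authenticates through the id_provider, and ldap_default_authtok appears in
debug logs. KNOWN_KRB5_OPTIONS is a hand-picked subset, not the full list.
"""
import configparser

# Constructed sample: the shape of the poster's [domain/default] section, with no
# auth_provider and a deliberately misspelled krb5_* key to exercise the checks.
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
services = nss, pam
domains = default

[domain/default]
id_provider = ldap
chpass_provider = krb5
ldap_uri = ldap://usherdc103.domain.com ldap://usherdc104.domain.com
ldap_search_base = DC=Domain,DC=com
ldap_default_bind_dn = ldapbinddn@DOMAIN.COM
ldap_default_authtok_type = password
ldap_default_authtok = YAYYOUGOTME
krb5_realm = DOMAIN.COM
krb5_kdcip = usherdc103.domain.com,usherdc104.domain.com
krb5_chanegpw_principle = kadmin/changepw
"""

# Subset of krb5 provider options from the sssd.conf man page, used only to
# flag likely typos in krb5_* keys (an unknown key is never applied by SSSD).
KNOWN_KRB5_OPTIONS = {
    "krb5_realm", "krb5_server", "krb5_kdcip", "krb5_kpasswd",
    "krb5_changepw_principal", "krb5_ccachedir", "krb5_ccname_template",
    "krb5_auth_timeout", "krb5_validate", "krb5_keytab",
    "krb5_store_password_if_offline", "krb5_lifetime", "krb5_renewable_lifetime",
}


def load_conf(text):
    """Parse sssd.conf text; interpolation is off so a '%' in a value is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_domain(cp, domain):
    """Return (code, message) findings for [domain/<domain>], in a fixed order."""
    sect = "domain/" + domain
    if not cp.has_section(sect):
        return [("no_section", "section [%s] not found" % sect)]
    d = cp[sect]
    findings = []

    # The domain must be listed in [sssd] domains, or SSSD never starts it.
    enabled = [x.strip() for x in cp.get("sssd", "domains", fallback="").split(",")]
    if domain not in enabled:
        findings.append(("domain_not_enabled",
                         "'%s' is not listed in [sssd] domains" % domain))

    id_prov = d.get("id_provider")
    auth_prov = d.get("auth_provider")
    krb5_keys = [k for k in d if k.startswith("krb5_")]  # keys are lower-cased

    # krb5_* settings or chpass_provider = krb5 with no auth_provider: SSSD will
    # authenticate through the id_provider and the Kerberos settings stay unused.
    if auth_prov is None and (krb5_keys or d.get("chpass_provider") == "krb5"):
        findings.append(("no_auth_provider",
                         "auth_provider is unset, so authentication goes through "
                         "id_provider=%s; add 'auth_provider = krb5'" % id_prov))

    for k in krb5_keys:
        if k not in KNOWN_KRB5_OPTIONS:
            findings.append(("unknown_krb5_option",
                             "'%s' is not a known krb5 option (typo?)" % k))

    # A static bind password is written to debug logs; redact before sharing.
    if "ldap_default_authtok" in d:
        findings.append(("authtok_in_logs",
                         "ldap_default_authtok is set and will appear in debug "
                         "logs; redact it before sending logs to a list"))
    return findings


if __name__ == "__main__":
    for code, msg in check_domain(load_conf(SAMPLE_CONF), "default"):
        print("%-20s %s" % (code, msg))
```

To run it against a real file, replace SAMPLE_CONF with the contents of /etc/sssd/sssd.conf (read as root; the file holds the bind password). On the constructed sample the script reports the missing auth_provider, the misspelled krb5 key, and the authtok warning; adding auth_provider = krb5 and correcting the key name leaves only the authtok warning, which is the one Sumit's reply asks the poster to keep in mind before posting debug_level = 9 logs.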
sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinfo/sssd-devel