Can you paste how exactly the ldap_uri line looks? I presume you'd
like to try the service discovery first and if that fails, fall back to
a hardcoded hostname. In that case, ldap_uri should say:
ldap_uri = _srv_, adserver.example.com
Ok, I have omitted the _srv_. I know the configuration is not logical, but SSSD
should bind to adserver.example.com. But it does not - it tries to do _srv_ lookup
anyway. It is a small bug, but it should be fixed I think.
> 2. SSSD is unable to detect default Kerberos realm as per /etc/krb5.conf - I have to configure it manually
> 3. Why do we actually need to specify Kerberos realm and KDC? Isn't /etc/krb5.conf supposed to record these kinds of parameters?
I think this has both historical (we used to say you don't need
/etc/krb5.conf at all with SSSD) and practical reasons - there can be more
SSSD domains with different realms and KDCs at the same time.
I cannot agree with that statement for 2 reasons:
1. Man page says:
Specify the Kerberos REALM (for SASL/GSSAPI auth).
Default: System defaults, see /etc/krb5.conf
2. We *do* need /etc/krb5.conf as the whole rest of the OS (automounter, openldap library,
Kerberos tools) depends on it.
So I believe it should work the following way:
If no realm is specified, take it from /etc/krb5.conf
If no default realm is defined in /etc/krb5.conf, derive it from dns_discovery_domain
If no dns_discovery_domain parameter is specified, derive it from our default domain (i.e. the way it works now).
How does it sound?
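The fallback order proposed in the message above, as an added example that is not part of the original thread and is not SSSD code. The function names, the `configured_realm` parameter and the sample krb5.conf text are hypothetical or constructed, and upper-casing a DNS domain to obtain a realm is an assumed convention.

```python
import re

def krb5_default_realm(conf_text):
    """Return default_realm from the [libdefaults] section of krb5.conf text, or None."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:                               # e.g. [libdefaults], [realms]
            section = header.group(1)
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm" and value:
                return value
    return None

def resolve_realm(configured_realm, krb5_conf_text, dns_discovery_domain, sssd_domain):
    """Walk the proposed fallback chain; return (realm, where it came from)."""
    if configured_realm:                         # realm set explicitly by the admin
        return configured_realm, "explicit option"
    realm = krb5_default_realm(krb5_conf_text or "")
    if realm:                                    # system default from /etc/krb5.conf
        return realm, "krb5.conf default_realm"
    if dns_discovery_domain:                     # assumed convention: REALM = DOMAIN.upper()
        return dns_discovery_domain.upper(), "dns_discovery_domain"
    return sssd_domain.upper(), "sssd domain name"

# Constructed sample input, including a commented-out realm that must be ignored.
SAMPLE_KRB5_CONF = """\
[libdefaults]
# default_realm = OLD.EXAMPLE.COM
 dns_lookup_kdc = true
 default_realm = EXAMPLE.COM

[realms]
 EXAMPLE.COM = {
  kdc = adserver.example.com
 }
"""

if __name__ == "__main__":
    print(resolve_realm(None, SAMPLE_KRB5_CONF, "ad.example.com", "example.com"))
```

Returning the source alongside the realm makes it easy to log which fallback step supplied the value when debugging a failed GSSAPI bind.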