Can you paste how exactly the ldap_uri line looks? I presume you would
like to try the service discovery first and if that fails, fall back to
a hardcoded hostname. In that case, ldap_uri should say:

ldap_uri = _srv_, adserver.example.com

Ok, I have omitted the _srv_. I know the configuration is not logical, but SSSD should bind to adserver.example.com. But it does not - it tries to do a _srv_ lookup anyway. It is a small bug, but it should be fixed, I think.
2. SSSD is unable to detect default Kerberos realm as per /etc/krb5.conf - I have to configure it manually

3. Why do we actually need to specify Kerberos realm and KDC? Isn't /etc/krb5.conf supposed to record these kinds of parameters?
I think this has both historical (we used to say you don't need
/etc/krb5.conf at all with SSSD) and practical reasons - there can be more
SSSD domains with different realms and KDCs at the same time.
I cannot agree with that statement for 2 reasons:
1. Man page says:
       krb5_realm (string)
           Specify the Kerberos REALM (for SASL/GSSAPI auth).

           Default: System defaults, see /etc/krb5.conf
2. We do need /etc/krb5.conf as the whole rest of the OS (automounter, openldap library, Kerberos tools) depends on it.

So I believe it should work the following way:
If no realm is specified, take it from /etc/krb5.conf.
If no default realm is defined in /etc/krb5.conf, derive it from the dns_discovery_domain parameter.
If no dns_discovery_domain parameter is specified, derive it from our default domain (i.e. the way it works now).

How does it sound?

Ondrej
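
The lookup order proposed in the message above, as an added example (not SSSD code and not written by either poster). The function names, the constructed krb5.conf sample, and the upper-casing of a DNS or SSSD domain name into a realm are assumptions made for illustration.

```python
# Constructed sample of /etc/krb5.conf, embedded so the example runs offline.
SAMPLE_KRB5_CONF = """\
# constructed sample
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = adserver.example.com
    }
"""


def krb5_default_realm(krb5_conf_text):
    """Return default_realm from the [libdefaults] section, or None."""
    section = None
    for raw in krb5_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        if section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "default_realm" and value:
                return value
    return None


def resolve_realm(sssd_domain, options, krb5_conf_text):
    """Return (realm, source) using the fallback order from the message.

    options is a dict of sssd.conf domain options (hypothetical helper input).
    """
    if options.get("krb5_realm"):                       # explicit setting wins
        return options["krb5_realm"], "krb5_realm"
    realm = krb5_default_realm(krb5_conf_text)
    if realm:                                           # system default
        return realm, "krb5.conf default_realm"
    if options.get("dns_discovery_domain"):             # assumed: upper-case it
        return options["dns_discovery_domain"].upper(), "dns_discovery_domain"
    return sssd_domain.upper(), "SSSD domain name"      # assumed last resort
```

Returning the source alongside the realm makes it easy to log which step supplied the value, which helps when GSSAPI binds fail because of a realm mismatch.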