On Wed, Aug 17, 2011 at 10:53:38AM +0200, Ondrej Valousek wrote:
Can you paste how exactly the ldap_uri line looks? I presume you
like to try the service discovery first and if that fails, fall back to
a hardcoded hostname. In that case, ldap_uri should say:
ldap_uri = _srv_, adserver.example.com
Ok, I have omitted the _srv_. I know the configuration is not logical, but
SSSD should bind to adserver.example.com. But it does not - it tries to do
_srv_ lookup anyway. It is a small bug, but it should be fixed I think.
Let's identify it and get it filed.
Can you paste the relevant part of your config file? Feel free to
sanitize sensitive parts like hostnames, etc. What is the desired order
of resolving? SRV first, then hardcoded host name?
2. SSSD is unable to detect default Kerberos realm as per
/etc/krb5.conf - I have to configure it manually
3. Why do we actually need to specify Kerberos realm and KDC? Isn't /etc/krb5.conf
supposed to record these kind of parameters?
I think this has both historical (we used to say you don't need
/etc/krb5.conf at all with SSSD) and practical reasons - there can be more
SSSD domains with different realms and KDCs at the same time.
I can not agree with that statement for 2 reasons:
1. Man page says:
Specify the Kerberos REALM (for SASL/GSSAPI auth).
Default: System defaults, see /etc/krb5.conf
Thank you for bringing this up. I was only looking at the sssd-krb5
manual page where we correctly state that the realm is required.
The snippet you posted is from the sssd-ldap manual page and it used to
be correct - the code that primes the ccache for GSSAPI-backed LDAP is
able to autodetect the realm from krb5.conf. But then we added
online/offline callbacks that require the realm at provider startup if
GSSAPI is requested, so without an explicit realm the provider does not
I have filed https://fedorahosted.org/sssd/ticket/970
to track this bug.
Please note that the difference in requiring the realm in the LDAP and
Kerberos providers is tracked by https://fedorahosted.org/sssd/ticket/570
which is currently deferred, but maybe it is time to reconsider it given
it is confusing our users.
2. We do need /etc/krb5.conf as the whole rest of the OS
(openldap library, Kerberos tools) depends on it.
So I believe it should work the following way:
If no realm specified, take it from /etc/krb5.conf
If no default realm in /etc/krb5.conf defined, derive it from
If no dns_discovery_domain parameter specified, derive it from our default
domain (i.e. the way it works now).
Given the TXT realm discovery can potentially be dangerous, I think it
needs to be explicitly turned on by specifying 'krb5_realm = _txt_'
similar to how one can specify SRV lookups.
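The two resolution orders discussed in this thread, the `ldap_uri` failover list (`_srv_` first, then a hardcoded host, and no SRV query at all when `_srv_` is absent) and the proposed realm order (explicit `krb5_realm`, then `default_realm` from `/etc/krb5.conf`, then DNS TXT discovery only when `krb5_realm = _txt_` opts in), written out as a small model. This is an added example, not SSSD's own code or a description of how SSSD implements either lookup; the function names, the `krb5.conf` text and the DNS answers are constructed for the illustration, and `_kerberos.<domain>` is assumed as the TXT record name following the MIT krb5 convention.

```python
"""Model of the name-resolution order discussed in the thread.

Added example, not SSSD's own code: it models the ldap_uri failover list
('_srv_' entries expand to SRV answers, other entries are used as written)
and the proposed realm order (explicit krb5_realm, then default_realm from
/etc/krb5.conf, then DNS TXT only when krb5_realm = _txt_ opts in).
All DNS answers and the krb5.conf text are constructed sample data.
"""
from typing import Callable, Dict, List, Optional

# Constructed sample /etc/krb5.conf (not taken from the thread).
SAMPLE_KRB5_CONF = """\
# comment line
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc1.example.com
    }
"""

# Constructed DNS answers standing in for a resolver (not real records).
SAMPLE_DNS_SRV: Dict[str, List[str]] = {
    "_ldap._tcp.example.com": ["dc1.example.com", "dc2.example.com"],
}
SAMPLE_DNS_TXT: Dict[str, str] = {
    # _kerberos.<domain> is the TXT name MIT krb5 uses for realm discovery
    "_kerberos.example.com": "EXAMPLE.COM",
}


def default_realm_from_krb5_conf(text: str) -> Optional[str]:
    """Return default_realm from [libdefaults], or None if absent.

    A line-based reader is used on purpose: krb5.conf's nested '{ }'
    blocks are not INI syntax, so configparser would choke on [realms].
    """
    section = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "libdefaults" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "default_realm":
                return value.strip()
    return None


def ldap_server_candidates(ldap_uri: str, domain_name: str,
                           srv_lookup: Callable[[str], List[str]]) -> List[str]:
    """Expand a comma-separated ldap_uri value into the ordered failover list.

    '_srv_' expands to the SRV answers for _ldap._tcp.<domain>; every other
    entry is kept verbatim. With no '_srv_' entry no SRV query is made, which
    is the behaviour the thread expects from a hardcoded-only ldap_uri.
    """
    candidates: List[str] = []
    for entry in (e.strip() for e in ldap_uri.split(",")):
        if not entry:
            continue
        if entry.lower() == "_srv_":
            candidates.extend(srv_lookup("_ldap._tcp." + domain_name))
        else:
            candidates.append(entry)
    return candidates


def resolve_realm(domain_cfg: Dict[str, str], domain_name: str,
                  krb5_conf_text: str,
                  txt_lookup: Callable[[str], Optional[str]]) -> Optional[str]:
    """Resolve the Kerberos realm in the order proposed in the thread."""
    explicit = (domain_cfg.get("krb5_realm") or "").strip()
    txt_opt_in = explicit.lower() == "_txt_"
    if explicit and not txt_opt_in:
        return explicit                              # 1. configured realm wins
    from_conf = default_realm_from_krb5_conf(krb5_conf_text)
    if from_conf:
        return from_conf                             # 2. /etc/krb5.conf default
    if txt_opt_in:                                   # 3. TXT only when opted in
        discovery_domain = domain_cfg.get("dns_discovery_domain") or domain_name
        return txt_lookup("_kerberos." + discovery_domain)
    return None                                      # no realm; caller must fail


if __name__ == "__main__":
    srv = lambda name: SAMPLE_DNS_SRV.get(name, [])
    print(ldap_server_candidates("_srv_, adserver.example.com", "example.com", srv))
    print(resolve_realm({}, "example.com", SAMPLE_KRB5_CONF, SAMPLE_DNS_TXT.get))
    print(resolve_realm({"krb5_realm": "_txt_"}, "example.com", "", SAMPLE_DNS_TXT.get))
```

The point of the model is the opt-in: with an empty `krb5_realm` and no `default_realm` in `krb5.conf`, `resolve_realm` returns `None` rather than silently consulting DNS, and only the literal `_txt_` value enables the TXT query, mirroring how `_srv_` has to be listed before any SRV query is made for `ldap_uri`.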