On Thu, Nov 20, 2014 at 06:09:42PM +0100, Joschi Brauchle wrote:
> Hello,
>
> We have a Linux machine with a hostname that is longer than 19 characters.
> AFAIK the SamAccountName attribute in AD is limited to at most 20 characters
> (incl. trailing $). I.e. the usable characters are at most 19.
>
> In many AD docs it is stated that a Windows hostname should not exceed 15
> characters for backward compatibility, but we do not really care about that.
>
> Could you comment on how SSSD picks the principal / username name to use
> for Kerberos / LDAP authentication / reading the keytab / and so on in the
> case of the hostname being longer than 19 characters?
> I could not find anything in the docs of sssd-ad about this.
>
> Will it use
> 1) UNRESTRICTED_VERY_LONG_HOSTNAME$

This one. In general, SSSD matches principals in this order:

    hostname@REALM
    SHORT_HOSTNAME$@REALM
    host/hostname@REALM
    *$@REALM
    host/*@REALM
    host/*@*

If none of the above match, we pick the first principal. The asterisk
acts as a wildcard.

> 2) 19_CHARACTERS_HOSTNAME$
> 3) 15_CHAR_HOSTNAME$
> ?
>
> Thanks for clarifying. It will help us decide on how to proceed with hosts
> with long host names.

The safest approach is to manually set ldap_sasl_authid to the right
principal.
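
The matching order from the reply above, modelled as an added example (not SSSD's own code and not part of the original message) so you can predict which keytab entry would be chosen for a long hostname. It assumes SHORT_HOSTNAME is the first DNS label upper-cased and untruncated, takes the 20-character limit from the question, and uses constructed hostnames and keytab entries.

```python
from fnmatch import fnmatchcase

SAM_LIMIT = 20  # limit stated in the question, including the trailing "$"

def short_name(fqdn):
    # Assumption: first DNS label, upper-cased, not truncated (option 1 in the thread).
    return fqdn.split(".")[0].upper()

def candidate_patterns(fqdn, realm):
    """Patterns in the order listed in the reply; '*' is the wildcard."""
    return [
        f"{fqdn}@{realm}",
        f"{short_name(fqdn)}$@{realm}",
        f"host/{fqdn}@{realm}",
        f"*$@{realm}",
        f"host/*@{realm}",
        "host/*@*",
    ]

def select_principal(keytab_principals, fqdn, realm):
    """Return (principal, matching pattern); pattern is None on fallback."""
    if not keytab_principals:
        raise ValueError("keytab contains no principals")
    for pattern in candidate_patterns(fqdn, realm):
        for princ in keytab_principals:
            if fnmatchcase(princ, pattern):
                return princ, pattern
    # Nothing matched: the first principal in the keytab is used.
    return keytab_principals[0], None

def exceeds_sam_limit(fqdn):
    """True when SHORT_HOSTNAME$ cannot fit the stated sAMAccountName limit."""
    return len(short_name(fqdn) + "$") > SAM_LIMIT

# Constructed sample: a 22-character host label and a keytab whose machine
# account entry was cut to 19 characters plus "$".
FQDN, REALM = "verylonghostname-app01.example.com", "EXAMPLE.COM"
KEYTAB = [
    "VERYLONGHOSTNAME-AP$@EXAMPLE.COM",
    "host/verylonghostname-app01.example.com@EXAMPLE.COM",
]

if __name__ == "__main__":
    print("over SAM limit:", exceeds_sam_limit(FQDN))
    print("selected:", select_principal(KEYTAB, FQDN, REALM))
```

With this sample the truncated machine account entry is passed over in favour of the `host/` principal, which is the kind of surprise that setting ldap_sasl_authid explicitly avoids.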