Thank you for the answers.
There are still some issues:
> 2.
> I tried login with setup for UPN/sAMAccountName login - without success.
> Is login with cross realm's UPN or short sAMAccountName supported in this
> sssd version?
>
> In database for default domain cache_a.c.realm.db user object has
> following names (for 'use_fully_qualified_names = true' setup):
>
> dn: name = user1(a)n.c.realm ...
> name: user1(a)n.c.realm
> nameAlias: user1(a)n.c.realm
> UserPrincipalName: user1@REALM
> canonicalUserPrincipalName: user1(a)N.C.REALM
The plain sAMAccountName 'user1' will not work because
use_fully_qualified_names = true. What should work is 'DOM\user1' where
DOM is the NetBIOS domain name of the n.c.realm domain. Additionally I would
expect that user1@REALM should work.
Right. Login as user1(a)n.c.realm and as DOM\user1 works.
Login as user1@REALM (and user1@realm) does not work.
getent passwd user1@realm
user1@n.c.realm@a.c.realm:*:10002:30000000::/home/user1:/bin/bash
The best would be to be able to log in with the sAMAccountName;
the next best with the UPN, then with the FQDN.
I tried without success the following setup for login with short names:
[nss]
subdomain_inherit = ldap_user_principal
[domain/..]
..
ldap_user_principal = sAMAccountName
> 3.
> Localauth plugin:
> the option :
> krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
>
> - does not create that directory (I understand from the doc that sssd
> should take care of it);
no, SSSD expects the directory to be present, it should be created during the
package installation.
This is the content of /var/lib/sss/pubconf:
ls /var/lib/sss/pubconf/
kdcinfo A.C.REALM krb5.conf.d krb5.include.d
'krb5.conf.d' I have created manually;
After removing everything in /var/lib/sss/{db,mc,pubconf}/* and restarting sssd
'krb5.include.d' disappeared.
> [sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0200): Mapping
> file for domain [a.c.realm] is
> [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realm]
> [sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0040): creating the
> temp file
> [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4PYcJ] for
> domain-realm mappings failed.
> [sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0080): Could not
> remove file
> [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4P<B0>]:
> [2]: No such file or directory ....
> ls -ld
> drwxr-xr-x 2 root root 4096 Dec 16 16:08
> /var/lib/sss/pubconf/krb5.conf.d/
It looks like SSSD still tries the default location, did you put krb5_confd_path in
the right [domain/..] section?
Yes.
...
[domain/a.c.realm]
...
krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
>
> Default value for option 'krb5_canonicalize' is FALSE; I set
> 'canonicalize' to 'true' in krb5.conf - is it enough? I understand
> from the docs that the localauth plugin needs it.
The AD provider has krb5_use_enterprise_principal=true which implicitly sets
krb5_canonicalize=true as well.
I do have 'id_provider = ad' in sssd.conf.
From the log:
sssd_a.c.realm.log
...
[sssd[be[a.c.realm]]] [dp_get_options] (0x0400): Option ldap_sasl_canonicalize is FALSE
[sssd[be[a.c.realm]]] [dp_get_options] (0x0400): Option krb5_canonicalize is FALSE
[sssd[be[a.c.realm]]] [dp_copy_options_ex] (0x0400): Option krb5_canonicalize is FALSE
[sssd[be[a.c.realm]]] [dp_copy_options_ex] (0x0400): Option ldap_sasl_canonicalize is FALSE
[sssd[be[a.c.realm]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [a1test@c.realm(a)a.c.realm] [2]: No such file or directory.
..
However, I have found in krb5_child.log:
[[sssd[krb5_child[12000]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
[[sssd[krb5_child[12000]]]] [main] (0x0400): Will perform ticket renewal
[[sssd[krb5_child[12000]]]] [renew_tgt_child] (0x1000): Renewing a ticket
[[sssd[krb5_child[12000]]]] [sss_child_krb5_trace_cb] (0x4000): [12000] 1451929488.830638: Retrieving a1test(a)C.REALM -> krbtgt/C.REALM(a)C.REALM from FILE:/tmp/krb5cc_10009_q4a2wo with result: 0/Success
[[sssd[krb5_child[12000]]]] [sss_child_krb5_trace_cb] (0x4000): [12000] 1451929488.830681: Get cred via TGT krbtgt/C.REALM(a)C.REALM after requesting krbtgt/C.REALM(a)C.REALM (canonicalize off)
Best,
Longina
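As an added troubleshooting aid (not part of this thread and not SSSD's own tooling), a small Python script that pulls the backend option values, the SSSD_KRB5_CANONICALIZE flag passed to krb5_child and the "(canonicalize on/off)" state from libkrb5 trace lines out of log excerpts like the ones above, and reports where the three disagree. The sample lines are constructed from this message (with "(a)" written back as "@").

```python
import re

# Constructed sample, modelled on the sssd_a.c.realm.log and krb5_child.log
# excerpts quoted in this message; "(a)" in the archive stands for "@".
SAMPLE_LOG = """\
[sssd[be[a.c.realm]]] [dp_get_options] (0x0400): Option ldap_sasl_canonicalize is FALSE
[sssd[be[a.c.realm]]] [dp_get_options] (0x0400): Option krb5_canonicalize is FALSE
[sssd[be[a.c.realm]]] [dp_copy_options_ex] (0x0400): Option krb5_canonicalize is FALSE
[[sssd[krb5_child[12000]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
[[sssd[krb5_child[12000]]]] [sss_child_krb5_trace_cb] (0x4000): [12000] 1451929488.830681: Get cred via TGT krbtgt/C.REALM@C.REALM after requesting krbtgt/C.REALM@C.REALM (canonicalize off)
"""

# Backend option dump: "[dp_get_options] (0x0400): Option <name> is <TRUE|FALSE>"
OPTION_RE = re.compile(
    r"\[dp_(?:get_options|copy_options_ex)\] \(0x[0-9a-f]+\): Option (\S+) is (\S+)")
# What krb5_child was told through its environment
CHILD_ENV_RE = re.compile(r"SSSD_KRB5_CANONICALIZE is set to \[(\w+)\]")
# What libkrb5 actually did, as reported in its trace callback
TRACE_RE = re.compile(r"\(canonicalize (on|off)\)")


def parse_sssd_log(text):
    """Collect option values, the krb5_child env flag and trace states."""
    result = {"options": {}, "child_env": None, "trace": []}
    for line in text.splitlines():
        m = OPTION_RE.search(line)
        if m:
            result["options"][m.group(1)] = m.group(2).upper() == "TRUE"
            continue
        m = CHILD_ENV_RE.search(line)
        if m:
            result["child_env"] = m.group(1).lower() == "true"
            continue
        m = TRACE_RE.search(line)
        if m:
            result["trace"].append(m.group(1) == "on")
    return result


def canonicalize_inconsistencies(parsed):
    """Return a list of mismatches between backend, krb5_child and libkrb5."""
    issues = []
    opt = parsed["options"].get("krb5_canonicalize")
    env = parsed["child_env"]
    if opt is not None and env is not None and opt != env:
        issues.append(f"backend reports krb5_canonicalize={opt} "
                      f"but krb5_child got SSSD_KRB5_CANONICALIZE={env}")
    for on in parsed["trace"]:
        if env and not on:
            issues.append("krb5_child has canonicalize enabled but a libkrb5 "
                          "trace line shows (canonicalize off)")
    return issues
```

Run it over a real log with `parse_sssd_log(open(path).read())`; an empty list from `canonicalize_inconsistencies` means the three layers agree.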