Jakub, you are my hero. :D
===================================
*Daniel Shown,*
Linux Systems Administrator
Advanced Technology Group
Information Technology Services
314-977-2583
===================================
"The aim of education
is the knowledge,
not of facts,
but of values."
— William S. Burroughs
"I’m supposed to be
a scientific person
but I use intuition
more than logic
in making basic
decisions."
— Seymour R. Cray
On Thu, Aug 14, 2014 at 1:55 AM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
On Wed, Aug 13, 2014 at 12:03:55PM -0500, Daniel Shown wrote:
> I'm having trouble authenticating to an AD domain with a disjointed
> namespace using SSSD. Here's what I'm up against:
>
> netbios domain name: BLAH
> domain (& kerberos realm): DS.BLAH.COM
> UPNs: username(a)BLAH.COM
>
> to join to the domain I have to have workgroup: BLAH in smb.conf, which is
> not generally how smb and winbind are config'ed (usually it would be DS
> instead of BLAH).
> I can create a kerberos ticket for user(a)DS.BLAH.COM.
> I can do an "id user(a)ds.blah.com" and get valid response.
> but when I try to "su user(a)ds.blah.com" I get an invalid password, and a
> log entry indicating "[sssd[krb5_child[29198]]]: Cannot resolve servers for
> KDC in realm "BLAH.COM"". I'm assuming that it's looking for the KDC there
> because of the setting in smb.conf.
>
> I'm running SSSD 1.9.2 on CentOS 6.5.
With sssd-1.11, which is coming to 6.6, this would work out of the box.
In 1.9, you can use a workaround.
Can you try setting:
ldap_user_principal = nosuchattribute # yes, literally
Normally, sssd uses the UPN attribute of the user. But if you override
the LDAP UPN attribute to something that doesn't exist, SSSD would
try to 'guess' the UPN with username@REALM.
I hope this helps.
>
> I've tried various settings googling around, and so my current sssd.conf
> file looks like:
>
> [sssd]
> services = nss, pam, ssh, pac
^^^
Do you really use the SSH integration, that is, do you have the
knownhosts set in sshd_conf? If not, you can remove the ssh responder.
> config_file_version = 2
>
> domains = ds.blah.com
>
> debug_level = 10
> [nss]
>
> [pam]
>
> [sudo]
>
> [autofs]
>
> [ssh]
>
> [pac]
>
> [domain/ds.blah.com]
> cache_credentials = False
> krb5_store_password_if_offline = False
The two above are defaults, you can safely remove them.
> id_provider = ad
> auth_provider = ad
> access_provider = ad
> ad_server = dc1.ds.blah.com
> ad_hostname = host.ds.blah.com
> krb5_realm = DS.BLAH.COM
> ad_domain = ds.blah.com
> ad_enable_dns_sites = True
> krb5_canonicalize = false
>
> debug_level = 5
>
>
> Any suggestions would be greatly appreciated.
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
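Added example (not from the thread, not SSSD's own code): a simplified model of how SSSD 1.9 chooses the Kerberos principal, showing why the disjoint namespace in this thread (realm DS.BLAH.COM, UPN suffix BLAH.COM) makes `su` fail and why Jakub's `ldap_user_principal = nosuchattribute` workaround changes the outcome. The sssd.conf excerpt, the AD user entry and the set of resolvable realms are all constructed.

```python
import configparser

# Constructed sssd.conf excerpt (domain section as posted in the thread).
SSSD_CONF = """
[sssd]
services = nss, pam
domains = ds.blah.com

[domain/ds.blah.com]
id_provider = ad
auth_provider = ad
ad_server = dc1.ds.blah.com
krb5_realm = DS.BLAH.COM
ad_domain = ds.blah.com
"""

# Constructed AD entry: the UPN suffix (BLAH.COM) differs from the realm.
USER_ENTRY = {"sAMAccountName": "user", "userPrincipalName": "user@BLAH.COM"}
# Realms whose KDC can be located (DNS SRV records exist); constructed.
RESOLVABLE_REALMS = {"DS.BLAH.COM"}

def load_domain_config(conf_text, domain):
    """Parse sssd.conf text; return the [domain/<name>] section as a dict."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return dict(cp[f"domain/{domain}"])

def kerberos_principal(domain_cfg, user_entry):
    """Principal SSSD 1.9 would authenticate as (simplified model).

    Default: the LDAP attribute named by ldap_user_principal. If that
    attribute is missing from the entry, fall back to name@KRB5_REALM,
    which is exactly what the 'nosuchattribute' workaround forces.
    """
    upn_attr = domain_cfg.get("ldap_user_principal", "userPrincipalName")
    upn = user_entry.get(upn_attr)
    if upn:
        return upn
    return f"{user_entry['sAMAccountName']}@{domain_cfg['krb5_realm']}"

def kdc_resolvable(principal, realms=RESOLVABLE_REALMS):
    """True if a KDC can be found for the principal's realm."""
    return principal.rsplit("@", 1)[1] in realms

def check(conf_text, domain="ds.blah.com", user_entry=USER_ENTRY):
    """Return (principal, kdc_resolvable) for a config and user entry."""
    cfg = load_domain_config(conf_text, domain)
    princ = kerberos_principal(cfg, user_entry)
    return princ, kdc_resolvable(princ)
```

`check(SSSD_CONF)` yields `('user@BLAH.COM', False)`, matching the "Cannot resolve servers for KDC in realm BLAH.COM" error; appending `ldap_user_principal = nosuchattribute` to the domain section yields `('user@DS.BLAH.COM', True)`.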