Nope. Keep ldap notation. O.


Sent from Samsung Mobile

Klavs Klavsen <kl@vsen.dk> wrote:
Ondrej Valousek said the following on 05/03/2013 04:16 PM:
> Also, many options from the ldap provider work for ad provider, too - it is a little secret :)
> O.

work - as in setting an ldap_.. setting - is also used by ad provider -
or do I rename the setting to ad_.. ?
>
> -----Original Message-----
> From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej Valousek
> Sent: Friday, May 03, 2013 4:14 PM
> To: End-user discussions about the System Security Services Daemon
> Subject: Re: [SSSD-users] finding user - but says ldap result empty
>
> Yes, Kerberos binding is in use in case of the ad provider. But you can override Kerberos realm configuration in sssd.conf (moreover, several realms can be configured in krb5.conf - I do not see the conflict). All you need is a valid machine principal in /etc/krb5.keytab which can be easily obtained with 'net ads join'.
> To me, the Kerberos setup is much easier/safer than hassling with the ldap bind user.
I would like to do that - but it still requires me to manually log in to
100+ servers, and add them to the domain :(

I'll try to make it work with the ad provider - while hoping someone
knows what's up with the ldap provider, so I can use puppet to rollout
ldap config to all for now (and then setup puppet to switch to ad
provider - if the host has been joined to the AD :)

should I use samba3 or samba4 version - for net ads join ? (does it matter).

AFAIK samba3 should be fine - when I'm only going to have linux clients,
right?

--
Regards,
Klavs Klavsen, GSEC - kl@vsen.dk - http://www.vsen.dk - Tlf. 61281200

"Those who do not understand Unix are condemned to reinvent it, poorly."
   --Henry Spencer

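
The two setups discussed in this thread, side by side, as an added sssd.conf sketch that is not from any of the posters. The domain name, realm, bind DN and search base are constructed placeholders; the password value is deliberately left as a placeholder.

```ini
# --- Variant 1: ldap provider with a bind user (constructed values) ---
# A bind DN and its password sit in a file rolled out to every host.
[domain/example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.example.com
ldap_schema = ad
ldap_default_bind_dn = CN=sssd-bind,OU=Service,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = <BIND-PASSWORD-PLACEHOLDER>
ldap_user_search_base = OU=People,DC=example,DC=com
krb5_realm = EXAMPLE.COM

# --- Variant 2: ad provider, bound with the machine principal ---
# No shared secret in sssd.conf: the host authenticates with the
# principal stored in /etc/krb5.keytab after 'net ads join'.
# The ldap_* option keeps its ldap_ name under the ad provider.
[domain/example.com]
id_provider = ad
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
krb5_keytab = /etc/krb5.keytab
ldap_user_search_base = OU=People,DC=example,DC=com
ldap_id_mapping = true
```

Only one of the two `[domain/example.com]` sections belongs in a real file; sssd.conf must be owned by root with mode 0600 in either case.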