I'm having trouble authenticating to an AD domain with a disjoint namespace using SSSD. Here's what I'm up against:

netbios domain name: BLAH
domain (& kerberos realm): DS.BLAH.COM
UPNs: username@BLAH.COM

To join the domain I have to have workgroup: BLAH in smb.conf, which is not generally how smb and winbind are configured (usually it would be DS instead of BLAH).
I can create a kerberos ticket for user@DS.BLAH.COM.
I can do an "id user@ds.blah.com" and get a valid response.
But when I try to "su user@ds.blah.com" I get an invalid password, and a log entry indicating "[sssd[krb5_child[29198]]]: Cannot resolve servers for KDC in realm "BLAH.COM"". I'm assuming that it's looking for the KDC there because of the setting in smb.conf.

I'm running SSSD 1.9.2 on CentOS 6.5.

I've tried various settings googling around, and so my current sssd.conf file looks like:

[sssd]
services = nss, pam, ssh, pac
config_file_version = 2

domains = ds.blah.com

debug_level = 10
[nss]

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[domain/ds.blah.com]
cache_credentials = False
krb5_store_password_if_offline = False
id_provider = ad
auth_provider = ad
access_provider = ad
ad_server = dc1.ds.blah.com
ad_hostname = host.ds.blah.com
krb5_realm = DS.BLAH.COM
ad_domain = ds.blah.com
ad_enable_dns_sites = True
krb5_canonicalize = false

debug_level = 5


Any suggestions would be greatly appreciated.

===================================
Daniel Shown,
Linux Systems Administrator
Advanced Technology Group
Information Technology Services
at Saint Louis University.

314-977-2583
===================================

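The krb5_child error quoted in the post names a realm (BLAH.COM, the UPN suffix) that differs from the AD realm (DS.BLAH.COM). Whether libkrb5 can find a KDC for a given realm depends on two things it can read locally: a [realms] stanza with kdc lines for that realm, or DNS SRV discovery when dns_lookup_kdc is enabled. The script below is an added diagnostic example, not part of the original post or of SSSD: it parses a constructed krb5.conf (the file contents, host names and the dns_lookup_kdc setting are assumptions for illustration), pulls the realm out of the log line, and reports which KDC source, if any, would be consulted for the AD realm versus the UPN realm.

```python
import re

# Constructed krb5.conf for illustration (not taken from the original post).
# Only the AD realm has a kdc entry; the UPN suffix realm BLAH.COM has none.
KRB5_CONF = """
[libdefaults]
 default_realm = DS.BLAH.COM
 dns_lookup_kdc = false

[realms]
 DS.BLAH.COM = {
  kdc = dc1.ds.blah.com
  admin_server = dc1.ds.blah.com
 }

[domain_realm]
 .ds.blah.com = DS.BLAH.COM
 ds.blah.com = DS.BLAH.COM
"""

# Log line of the shape shown in the post (PID is illustrative).
LOG_LINE = '[sssd[krb5_child[29198]]]: Cannot resolve servers for KDC in realm "BLAH.COM"'


def parse_krb5_conf(text):
    """Minimal krb5.conf parser: [sections], key = value lines, and NAME = { ... } blocks.
    Values are kept as lists because keys such as kdc may repeat."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        m = re.match(r'^\[([^\]]+)\]$', line)
        if m and block is None:
            section = m.group(1)
            conf.setdefault(section, {})
            continue
        if section is None:
            continue
        if line == '}':
            block = None
            continue
        m = re.match(r'^([^=\s]+)\s*=\s*(.*)$', line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if value == '{':
            block = key
            conf[section].setdefault(key, {})
            continue
        target = conf[section][block] if block else conf[section]
        target.setdefault(key, []).append(value)
    return conf


def realm_from_log(line):
    """Extract the realm name from a krb5_child 'Cannot resolve servers for KDC' message."""
    m = re.search(r'Cannot resolve servers for KDC in realm "([^"]+)"', line)
    return m.group(1) if m else None


def principal_realm(principal):
    """Realm part of a Kerberos principal or UPN, e.g. user@BLAH.COM -> BLAH.COM."""
    return principal.rsplit('@', 1)[1] if '@' in principal else None


def kdc_source(conf, realm):
    """Return ('static', [kdcs]) when [realms] lists KDCs for the realm,
    ('dns', [srv names]) when DNS discovery would be tried (libkrb5 default is on),
    or ('none', []) when neither source exists, which is the error in the post."""
    stanza = conf.get('realms', {}).get(realm)
    if isinstance(stanza, dict) and stanza.get('kdc'):
        return ('static', list(stanza['kdc']))
    dns = conf.get('libdefaults', {}).get('dns_lookup_kdc', ['true'])[-1].lower()
    if dns in ('true', 'yes', '1'):
        return ('dns', ['_kerberos._udp.' + realm.lower(), '_kerberos._tcp.' + realm.lower()])
    return ('none', [])


def diagnose(conf, realms):
    """One finding per realm, so the AD realm and the UPN realm can be compared side by side."""
    findings = []
    for realm in realms:
        kind, where = kdc_source(conf, realm)
        findings.append('%s: KDC source=%s %s' % (realm, kind, ', '.join(where) or '(nothing to query)'))
    return findings


if __name__ == '__main__':
    conf = parse_krb5_conf(KRB5_CONF)
    for line in diagnose(conf, ['DS.BLAH.COM', realm_from_log(LOG_LINE)]):
        print(line)
```

Running it against the constructed file reports a static KDC for DS.BLAH.COM and no source at all for BLAH.COM, which is the condition behind the quoted message; re-running after editing the [realms] or dns_lookup_kdc lines shows whether the UPN realm has gained a KDC source without having to attempt a login.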