On Wed, Aug 2, 2017 at 8:54 AM, Jakub Hrozek <jhrozek@redhat.com> wrote:
On Wed, Aug 02, 2017 at 02:43:35PM +0200, Jakub Hrozek wrote:
> On Wed, Aug 02, 2017 at 09:46:43AM +0200, Lukas Slebodnik wrote:
> > On (02/08/17 09:43), Jakub Hrozek wrote:
> > >On Tue, Aug 01, 2017 at 04:46:32PM -0400, Louis Garcia wrote:
> > >> In fedora 26 where should sssd.conf live? /etc/sssd/  or  /etc/sssd/conf.d/
> > >> ??
> > >
> > >Ah, in fedora-26, this setup might be a bit more problematic because
> > >sssd by default serves files already. Can you try something like this
> > >please (untested):
> > >
> > IMHO it is not more problematic it's simpler :-)
>
> Yeah, but users who upgrade (or follow my old blog post) get stuck. I
> can update the blog post, not sure what else can we do about the
> existing configurations except for hardcoding id_provider=proxy and
> proxy_lib_name=files.

sorry, I meant "hardcoding a check if the user is already running
id_provider=proxy with lib_name=files and disabling the implicit domain,
then". Because the user is already running pretty much the same
configuration as the files provider, but because the implicit files are
always configured before the explicit domains, this kind of explicit
domain is never reached..

>
> >
> > >[sssd]
> > >services = nss, pam
> > ># this was missing in your original config
> > >domains = kerberos
> > >
> > >[nss]
> > >filter_groups = root
> > >filter_users = root
> > >
> > >[pam]
> > >offline_credentials_expiration = 2
> > >offline_failed_login_attempts = 3
> > >offline_failed_login_delay = 5
> > >
> > >[domain/kerberos]
> > ># files provider instead of proxy
> > >id_provider = files
> > >
> > >auth_provider = krb5
> > >chpass_provider = krb5
> > >krb5_realm = MONTCLAIRE.LOCAL
> > >krb5_server = panther.montclaire.local
> > >
> > >cache_credentials = True
> > >krb5_store_password_if_offline = True
> >
> > If that configuration does not help then please follow our troubleshooting wiki
> > https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html#troubleshooting-authentication-password-change-and-access-control
> >
> > LS
> > _______________________________________________
> > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org


Ok I'm still not logged on to my realm but I got new logs. Not sure if this list accepts attachments but sssd_kerberos.log is quite long.
In that log i see user: louisgtwo@kerberos which is not right. I login to my realm as louisgtwo@MONTCLAIRE.LOCAL

sssd.conf:
[sssd]
services = nss, pam
domains = kerberos

[nss]
filter_groups = root
filter_users = root

[pam]
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5

[domain/kerberos]
id_provider = files
debug_level = 5

auth_provider = krb5
chpass_provider = krb5
krb5_realm = MONTCLAIRE.LOCAL
krb5_server = panther.montclaire.local

cache_credentials = True
krb5_store_password_if_offline = True