On Mon, 22 Feb 2016, Patrice Peterson wrote:
> Hey list,
> I have joined a CentOS 7 host to an AD domain using a fairly new version of
> adcli (one of the versions that has this [0] bug fixed). In its keytab, this
> host has a service principal of the form 'host/fqdn@REALM' (i.e. lowercase).
> User lookups with SSSD don't work, and the SSSD log says "Client
> 'host/fdqn@REALM' not found in Kerberos database. Unable to create
> GSSAPI-encrypted LDAP connection."
> However, if I use the 'old' adcli to join the node and create the keytab, it
> creates a service principal of the form 'HOST/fqdn@REALM'. With this keytab,
> I can do username lookups just fine.
> Should this be considered a bug? Is there a way to make service principal
> lookups w/SSSD case insensitive? I would like to keep the lower-case
> principal names in my keytabs, because OpenSSH GSSAPI auth only works with
> those.
> Thanks for any pointers!
SSSD with a normal AD joined machine would use the SHORTHOST$@REALM entry, not
any of the others. That one's the only one that's a userPrincipal by default
(although you can choose *one* additional userPrincipal if you require).
You can test this on the command line as it's the only one kinit -k will work
with:
# These work
kinit -k SHORTHOST$
kinit -k 'SHORTHOST$@DS.LEEDS.AC.UK'   # quoted so the shell does not expand $@
# These do not work
kinit -k host/fqdn
kinit -k host/fqdn@DS.LEEDS.AC.UK
So I'm not entirely sold on your diagnosis being correct.
jh
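An added example, not from either poster: a small sh helper that pulls the SHORTHOST$@REALM computer-account entry out of `klist -k` output (the principal jh says SSSD actually uses), lists the host/ service entries so the case the keytab holds is visible, and runs the `kinit -k` check against the right principal with it quoted so the shell does not expand `$@`. The keytab listing, hostnames and realm are constructed.

```shell
#!/bin/sh
# Constructed sample of `klist -k` output; host and realm names are hypothetical.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ----------------------------------------------------------
   3 host/myhost.example.com@EXAMPLE.COM
   3 host/myhost@EXAMPLE.COM
   3 MYHOST$@EXAMPLE.COM'

# Read klist -k output on stdin and print the computer-account principal
# (SHORTHOST$@REALM). Prints nothing if the keytab has no such entry.
machine_principal() {
    awk '$2 ~ /^[^\/@]+\$@[^@]+$/ { print $2; exit }'
}

# Read klist -k output on stdin and print every service principal (entries
# containing "/"), so you can see whether host/ or HOST/ forms are present.
service_principals() {
    awk '$2 ~ /\// { print $2 }' | sort -u
}

# Verify the keytab in $1 (default /etc/krb5.keytab) holds the principal SSSD
# uses and that kinit -k can get a TGT with it. Returns non-zero on failure.
check_keytab() {
    kt=${1:-/etc/krb5.keytab}
    p=$(klist -k "$kt" | machine_principal)
    if [ -z "$p" ]; then
        echo "no SHORTHOST\$@REALM entry in $kt" >&2
        return 1
    fi
    # The principal is quoted: unquoted, the shell would expand "$@".
    KRB5CCNAME=MEMORY: kinit -k -t "$kt" "$p" && echo "ok: $p"
}
```

Run `check_keytab /etc/krb5.keytab` on the joined host; the two parsing helpers can be fed `klist -k` output from any keytab to compare the old and new adcli results.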