Ondrej Valousek said the following on 05/03/2013 04:16 PM:
Also, many options from the ldap provider work for ad provider, too
- it is a little secret :)
work - as in setting an ldap_.. setting - is also used by ad provider -
so do I rename the setting to ad_.. ?
[mailto:email@example.com] On Behalf Of Ondrej Valousek
Sent: Friday, May 03, 2013 4:14 PM
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] finding user - but says ldap result empty
Yes, Kerberos binding is in use in case of the ad provider. But you can override
Kerberos realm configuration in sssd.conf (moreover, several realms can be configured in
krb5.conf - I do not see the conflict). All you need is a valid machine principal in
/etc/krb5.keytab which can be easily obtained with 'net ads join'.
To me, the Kerberos setup is much easier/safer than hassling with the ldap bind user.
I would like to do that - but it still requires me to manually login to
100+ servers, and add them to the domain :(
I'll try to make it work with the ad provider - while hoping someone
knows what's up with the ldap provider, so I can use puppet to rollout
ldap config to all for now (and then setup puppet to switch to ad
provider - if the host has been joined to the AD :)
Should I use samba3 or samba4 version - for net ads join ? (does it matter).
AFAIK samba3 should be fine - when I'm only going to have linux clients,
Klavs Klavsen, GSEC - kl(a)vsen.dk - http://www.vsen.dk
- Tlf. 61281200
"Those who do not understand Unix are condemned to reinvent it, poorly."