-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 04/10/2013 11:04 AM, Sutton, Harry (GSSE) wrote:
> Okay, I'm seeing something in my logs that points to why I'm not
> authenticating with pam_sss.so, and it may be unique to our
> environment here at HP, although I suspect others will eventually
> have the same situation.
>
> The issue, I think, is that we use email addresses as part of our
> uid (and dn) attributes, and the '@' sign is getting interpreted as
> part of a Kerberos realm identifier. In /var/log/secure, for
> example, I'm seeing " login: pam_sss(login:auth): system info:
> [Cannot resolve servers for KDC in realm "HP.COM"] ", while in
> /var/log/sssd/krb5_child.log for the same timestamp there's
> "[[sssd[krb5_child[16801]]]] [get_and_save_tgt] (0x0020): 977:
> [-1765328164][Cannot resolve servers for KDC in realm "HP.COM"]",
> while /var/log/sssd/ldap_child.log shows the correct realm,
> "[[sssd[ldap_child[16791]]]] [unpack_buffer] (0x1000): got
> realm_str: AMERICAS.CPQCORP.NET" from the /etc/krb5.keytab file.
>
> So: is there something in pam_sss.so that needs to be 'fixed' to
> get around this problem?
You can change the domain delimiter in SSSD with the
re_expression option in the [sssd] section. By default it assumes
"user@DOMAIN", but you can swap it out for something else. See the
sssd.conf(5) manpage and search on 're_expression'.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird -
http://www.enigmail.net/
iEYEARECAAYFAlFlgUkACgkQeiVVYja6o6PomwCeJLoFKRVgZh7QKJdwxRJIEk6b
jXUAoIKooBrskgKtN0ifdHhtXAm2N/G6
=RpR7
-----END PGP SIGNATURE-----
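The following is an added illustration, not code from either poster or from the SSSD project. It shows how the re_expression option splits a login string into the 'name' and 'domain' groups that SSSD then uses, and why a uid containing '@' ends up with the part after the '@' treated as the domain (and so the Kerberos realm). The first pattern is the default from sssd.conf(5); the second is an assumed alternative that uses a backslash as the delimiter so that '@' inside the uid is left alone. The login strings and the configured domain name are constructed for the example.

```python
import re
from typing import Optional, Tuple

# Default re_expression as documented in sssd.conf(5): everything before the
# first '@' is the user name, everything after it is the domain.
DEFAULT_RE_EXPRESSION = r"(?P<name>[^@]+)@?(?P<domain>[^@]*$)"

# Assumed alternative (not from the thread): 'DOMAIN\name' form, so an '@'
# inside the uid is kept as part of the name.
BACKSLASH_RE_EXPRESSION = r"(?P<domain>[^\\]*?)\\?(?P<name>[^\\]+$)"


def split_login(login: str, re_expression: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (name, domain) the way SSSD's re_expression would parse them.

    SSSD looks for the named groups 'name' and 'domain'. An empty or missing
    'domain' group means "no domain given" and SSSD falls back to the domain
    it is configured with. Python's re module accepts the same (?P<...>)
    named-group syntax as the PCRE patterns used in sssd.conf.
    """
    match = re.match(re_expression, login)
    if match is None:
        return None, None
    groups = match.groupdict()
    name = groups.get("name") or None
    domain = groups.get("domain") or None
    return name, domain


def effective_domain(login: str, re_expression: str, configured_domain: str) -> Optional[str]:
    """Domain SSSD would use for the lookup: the parsed one, else the configured one.

    With the default expression a uid such as 'jdoe@example.com' yields
    'example.com', which is what then shows up as the Kerberos realm in the
    krb5_child log; with a delimiter that is not '@', the configured domain
    (and its realm from the keytab) is used instead.
    """
    name, domain = split_login(login, re_expression)
    if name is None:
        return None
    return domain if domain is not None else configured_domain


if __name__ == "__main__":
    configured = "americas.example.net"  # constructed; stands in for the real SSSD domain
    for login in ("jdoe", "jdoe@example.com", "EXAMPLE\\jdoe@example.com"):
        for label, expr in (("default", DEFAULT_RE_EXPRESSION),
                            ("backslash", BACKSLASH_RE_EXPRESSION)):
            print(f"{label:9s} {login!r:32s} -> name/domain={split_login(login, expr)} "
                  f"lookup domain={effective_domain(login, expr, configured)}")
```

Note the trade-off: once '@' is no longer the delimiter, users can no longer type `user@DOMAIN` at the login prompt to pick a domain, so any multi-domain setup needs the replacement delimiter (here the backslash) to be usable from the tools that pass the login name to pam_sss.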