Okay, I'm seeing something in my logs that points to why I'm not
authenticating with pam_sss.so, and it may be unique to our environment
here at HP, although I suspect others will eventually have the same
situation.
The issue, I think, is that we use email addresses as part of our uid
(and dn) attributes, and the '@' sign is getting interpreted as part of
a Kerberos realm identifier. In /var/log/secure, for example, I'm seeing

    login: pam_sss(login:auth): system info: [Cannot resolve servers for KDC in realm "HP.COM"]

while in /var/log/sssd/krb5_child.log for the same timestamp there's

    [[sssd[krb5_child[16801]]]] [get_and_save_tgt] (0x0020): 977: [-1765328164][Cannot resolve servers for KDC in realm "HP.COM"]

whereas /var/log/sssd/ldap_child.log shows the correct realm,

    [[sssd[ldap_child[16791]]]] [unpack_buffer] (0x1000): got realm_str: AMERICAS.CPQCORP.NET

from the /etc/krb5.keytab file.
So: is there something in pam_sss.so that needs to be 'fixed' to get
around this problem?
--
*Harry Sutton*
Global Solutions Support Engineering (GSSE)
GSD Customer Solution Center
Technology Services, Enterprise Group
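The realm mix-up described above, as an added example that is not part of the original post and not SSSD's own code. It models the symptom only: a mail-style uid such as "hsutton@hp.com", handed to the Kerberos libraries as a principal string, is read as primary "hsutton" in realm "hp.com", because the first unescaped '@' starts the realm; the same name with the '@' backslash-escaped keeps the uid whole and takes the intended realm. It also runs a small realm-mismatch check over log lines copied from the post. Assumptions: principal syntax follows MIT krb5_parse_name/krb5_unparse_name semantics ('/' separates components, the first unescaped '@' starts the realm, backslash escapes the next character); how SSSD's krb5_child actually assembles the principal, and whether it applies this escaping, is not asserted here. The user name "hsutton" is constructed; only the realm names and log excerpts come from the post.

```python
"""Kerberos principal parsing around an '@' in the user name.

Added example, not code from the original post or from SSSD. Assumptions:
  * Principal string syntax follows MIT krb5_parse_name/krb5_unparse_name
    semantics: '/' separates name components, the first unescaped '@'
    starts the realm, and a backslash escapes the next character.
  * The user name "hsutton" is constructed; realm names and log lines are
    copied from the post. SSSD's own principal-building logic is NOT
    reproduced or asserted.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Principal:
    components: List[str]
    realm: Optional[str]   # None when the string carried no realm part


def parse_principal(text: str) -> Principal:
    """Split a principal string into components and realm, honouring '\\' escapes."""
    components: List[str] = []
    buf: List[str] = []
    in_realm = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":                      # escape: take the next char literally
            if i + 1 == len(text):
                raise ValueError("dangling backslash in principal")
            buf.append(text[i + 1])
            i += 2
            continue
        if not in_realm and ch == "/":      # component separator
            components.append("".join(buf))
            buf = []
        elif not in_realm and ch == "@":    # first unescaped '@': the realm starts here
            components.append("".join(buf))
            buf = []
            in_realm = True
        elif in_realm and ch == "@":        # a second unescaped '@' is malformed
            raise ValueError("more than one unescaped '@' in principal")
        else:
            buf.append(ch)
        i += 1
    if in_realm:
        return Principal(components, "".join(buf))   # case is left as given
    components.append("".join(buf))
    return Principal(components, None)


def escape_component(component: str) -> str:
    """Backslash-escape the characters that would otherwise act as separators."""
    return re.sub(r"([\\/@])", r"\\\1", component)


def build_principal(user: str, realm: str) -> str:
    """Form user@REALM with the user part escaped, so a mail-style uid survives intact."""
    return f"{escape_component(user)}@{realm}"


# Log lines copied from the post's excerpts (krb5_child and ldap_child at the same time).
KRB5_CHILD_LINE = ('[[sssd[krb5_child[16801]]]] [get_and_save_tgt] (0x0020): 977: '
                   '[-1765328164][Cannot resolve servers for KDC in realm "HP.COM"]')
LDAP_CHILD_LINE = ('[[sssd[ldap_child[16791]]]] [unpack_buffer] (0x1000): '
                   'got realm_str: AMERICAS.CPQCORP.NET')

KDC_REALM_RE = re.compile(r'Cannot resolve servers for KDC in realm "([^"]+)"')
KEYTAB_REALM_RE = re.compile(r"got realm_str: (\S+)")


def realms_from_logs(krb5_child_line: str, ldap_child_line: str):
    """Return (realm krb5_child tried to reach, realm ldap_child read from the keytab)."""
    kdc = KDC_REALM_RE.search(krb5_child_line)
    keytab = KEYTAB_REALM_RE.search(ldap_child_line)
    return (kdc.group(1) if kdc else None,
            keytab.group(1) if keytab else None)


def realm_mismatch(krb5_child_line: str, ldap_child_line: str) -> bool:
    """True when the realm krb5_child used differs from the keytab realm (the post's symptom)."""
    tried, expected = realms_from_logs(krb5_child_line, ldap_child_line)
    return tried is not None and expected is not None and tried != expected


if __name__ == "__main__":
    naive = parse_principal("hsutton@hp.com")
    print("unescaped uid parses as:", naive)   # realm becomes 'hp.com', not the keytab realm
    fixed = build_principal("hsutton@hp.com", "AMERICAS.CPQCORP.NET")
    print("escaped principal:", fixed, "->", parse_principal(fixed))
    print("realm mismatch between krb5_child and ldap_child logs:",
          realm_mismatch(KRB5_CHILD_LINE, LDAP_CHILD_LINE))
```

Running the block prints the naive parse (realm "hp.com"), the escaped form `hsutton\@hp.com@AMERICAS.CPQCORP.NET` parsing back to the full uid plus the keytab realm, and `True` for the mismatch between the two quoted log lines. The parser leaves realm case untouched; the upper-case "HP.COM" in the post's log is whatever SSSD or libkrb5 did with the name, which this example does not reproduce.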