Okay, I'm seeing something in my logs that points to why I'm not
authenticating with pam_sss.so, and it may be unique to our
environment here at HP, although I suspect others will eventually
have the same situation.
The issue, I think, is that we use email addresses as part of our
uid (and dn) attributes, and the '@' sign is getting interpreted as
part of a Kerberos realm identifier. In /var/log/secure, for
example, I'm seeing:

  login: pam_sss(login:auth): system info: [Cannot resolve servers for KDC in realm "HP.COM"]

while in /var/log/sssd/krb5_child.log for the same timestamp there's:

  [[sssd[krb5_child[16801]]]] [get_and_save_tgt] (0x0020): 977: [-1765328164][Cannot resolve servers for KDC in realm "HP.COM"]

while /var/log/sssd/ldap_child.log shows the correct realm, taken from
the /etc/krb5.keytab file:

  [[sssd[ldap_child[16791]]]] [unpack_buffer] (0x1000): got realm_str: AMERICAS.CPQCORP.NET
So: is there something in pam_sss.so that needs to be 'fixed' to get
around this problem?
--
Harry Sutton
Global Solutions Support Engineering (GSSE)
GSD Customer Solution Center
Technology Services, Enterprise Group
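Added example (not from the post above or from the sssd project): a small model of how a Kerberos principal string is split into name components and realm, which is enough to reproduce the symptom described, a login name carrying an unescaped '@' is parsed so that everything after it becomes the realm. The parsing rules mirror MIT krb5 name parsing ('/' separates components, the first unescaped '@' starts the realm, a backslash escapes the next character); the uid "jdoe@HP.COM" is a constructed placeholder and the default realm is the one the post reports from the keytab.

```python
# Added example, not code from the mailing-list post or from sssd.
# Models Kerberos principal parsing to show why a uid containing '@'
# ends up pointing the KDC lookup at the wrong realm.

DEFAULT_REALM = "AMERICAS.CPQCORP.NET"  # realm the post reports from /etc/krb5.keytab


def parse_principal(text: str, default_realm: str = DEFAULT_REALM):
    """Return (components, realm); unescaped '@' starts the realm, '\\' escapes."""
    components, buf, in_realm = [], [], False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # escaped char is kept literally
            buf.append(text[i + 1])
            i += 2
            continue
        if ch == "/" and not in_realm:         # component separator
            components.append("".join(buf))
            buf = []
        elif ch == "@":
            if in_realm:                        # a second unescaped '@' is malformed
                raise ValueError("malformed principal: second unescaped '@'")
            components.append("".join(buf))
            buf = []
            in_realm = True
        else:
            buf.append(ch)
        i += 1
    if in_realm:
        return components, "".join(buf)
    components.append("".join(buf))
    return components, default_realm          # no realm given: client default applies


def realm_for_uid(uid: str, default_realm: str = DEFAULT_REALM) -> str:
    """Realm a client would look up if the login name were used verbatim."""
    return parse_principal(uid, default_realm)[1]


def escape_for_principal(uid: str) -> str:
    """Escape '@', '\\' and '/' so the whole uid stays inside the name part."""
    return "".join("\\" + c if c in "@\\/" else c for c in uid)


if __name__ == "__main__":
    uid = "jdoe@HP.COM"  # constructed placeholder uid with an email-style value
    print(parse_principal(uid))                         # (['jdoe'], 'HP.COM')
    print(parse_principal(escape_for_principal(uid)))   # (['jdoe@HP.COM'], 'AMERICAS.CPQCORP.NET')
```

The first call reproduces the realm seen in the krb5_child log; the second shows the escaped form that keeps the email-style uid as a single name component under the keytab's realm.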