Okay, I'm seeing something in my logs that points to why I'm not authenticating with pam_sss.so, and it may be unique to our environment here at HP, although I suspect others will eventually have the same situation.

The issue, I think, is that we use email addresses as part of our uid (and dn) attributes, and the '@' sign is getting interpreted as part of a Kerberos realm identifier. In /var/log/secure, for example, I'm seeing "login: pam_sss(login:auth): system info: [Cannot resolve servers for KDC in realm "HP.COM"]", and in /var/log/sssd/krb5_child.log for the same timestamp there's "[[sssd[krb5_child[16801]]]] [get_and_save_tgt] (0x0020): 977: [-1765328164][Cannot resolve servers for KDC in realm "HP.COM"]", while /var/log/sssd/ldap_child.log shows the correct realm, "[[sssd[ldap_child[16791]]]] [unpack_buffer] (0x1000): got realm_str: AMERICAS.CPQCORP.NET", from the /etc/krb5.keytab file.

So: is there something in pam_sss.so that needs to be 'fixed' to get around this problem?
--
Harry Sutton
Global Solutions Support Engineering (GSSE)
GSD Customer Solution Center
Technology Services, Enterprise Group
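Added illustration (not part of Harry's message, and not SSSD's or MIT Kerberos's own code): the Python below mimics the MIT krb5 krb5_parse_name rules that matter for a uid containing '@' (the first unescaped '@' starts the realm, a backslash escapes the next character, '/' separates components), shows how backslash-escaping keeps such a uid together as one principal name, and runs a simple realm-extraction check over the log lines quoted above to flag the realm mismatch between krb5_child and ldap_child. The function names, the regexes and the sample log lines are assumptions of this example; it does not claim how SSSD itself builds the principal from the uid.

```python
import re
from typing import List, Optional, Set, Tuple


def parse_principal(text: str) -> Tuple[List[str], Optional[str]]:
    """Split a Kerberos principal string into (components, realm).

    Assumed MIT krb5 krb5_parse_name behaviour (not SSSD code): '/' separates
    name components, the first unescaped '@' starts the realm, a backslash
    escapes the following character, and a second unescaped '@' inside the
    realm is malformed. realm is None when there is no unescaped '@' at all.
    """
    components: List[str] = []
    current: List[str] = []
    realm: Optional[List[str]] = None
    escaped = False
    for ch in text:
        if escaped:
            # Escaped character is literal, whichever part we are in.
            (realm if realm is not None else current).append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "@":
            if realm is not None:
                raise ValueError("malformed principal, '@' inside realm: %r" % text)
            components.append("".join(current))
            current = []
            realm = []
        elif ch == "/" and realm is None:
            components.append("".join(current))
            current = []
        else:
            (realm if realm is not None else current).append(ch)
    if escaped:
        raise ValueError("malformed principal, trailing backslash: %r" % text)
    if realm is None:
        components.append("".join(current))
        return components, None
    return components, "".join(realm)


def escape_principal_component(component: str) -> str:
    """Backslash-escape '\\', '/' and '@' so a uid such as
    'harry.sutton@hp.com' survives parsing as a single name component."""
    return re.sub(r"([\\/@])", r"\\\1", component)


def build_principal(uid: str, realm: str) -> str:
    """Compose 'escaped-uid@REALM' so the realm is the one we intend."""
    return escape_principal_component(uid) + "@" + realm


# Patterns matched against the two SSSD log messages quoted in the post.
KRB5_CHILD_REALM = re.compile(r'Cannot resolve servers for KDC in realm "([^"]+)"')
LDAP_CHILD_REALM = re.compile(r"got realm_str: (\S+)")


def realms_from_logs(lines: List[str]) -> Tuple[Set[str], Set[str]]:
    """Return (realms krb5_child tried, realms ldap_child read from the keytab)."""
    attempted: Set[str] = set()
    keytab: Set[str] = set()
    for line in lines:
        m = KRB5_CHILD_REALM.search(line)
        if m:
            attempted.add(m.group(1))
        m = LDAP_CHILD_REALM.search(line)
        if m:
            keytab.add(m.group(1))
    return attempted, keytab


def realm_mismatch(lines: List[str]) -> bool:
    """True when krb5_child tried a realm that never appears as a keytab realm."""
    attempted, keytab = realms_from_logs(lines)
    return bool(attempted) and bool(keytab) and not (attempted & keytab)


# Constructed sample, copied from the log excerpts in the post above.
SAMPLE_LOG_LINES = [
    '[[sssd[krb5_child[16801]]]] [get_and_save_tgt] (0x0020): 977: '
    '[-1765328164][Cannot resolve servers for KDC in realm "HP.COM"]',
    "[[sssd[ldap_child[16791]]]] [unpack_buffer] (0x1000): "
    "got realm_str: AMERICAS.CPQCORP.NET",
]

if __name__ == "__main__":
    print(parse_principal("harry.sutton@hp.com"))            # realm becomes 'hp.com'
    p = build_principal("harry.sutton@hp.com", "AMERICAS.CPQCORP.NET")
    print(p, "->", parse_principal(p))                        # realm stays intact
    print("realm mismatch in logs:", realm_mismatch(SAMPLE_LOG_LINES))
```

The first call shows the failure mode the post describes: with an unescaped '@' in the uid, everything after it is taken as the realm. The escaped form built by build_principal parses back to the whole email-style uid plus the intended realm, which is the check to run against whatever principal string ends up in krb5_child.log.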