9:52 a.m.
All,
When I was first crafting my sssd.conf file, I very much attempted to make
all my sssd domains upper-case. Because in my (naive) view, an AD domain
is just a Kerberos realm (+ LDAP + nice admin screens).
As you know, Kerberos is very much case-sensitive. (Technically, AD is
not. but the convention in the /etc/krb5.conf file is to always put
Kerberos realms in upper case).
Back to sssd.
When sssd auto-discovered the other parent and child domains, it discovered
them in lower case. I was left with a mix of upper and lower-case sssd
domains. Even worse, the one local AD domain showed up twice. Once in
upper-case (explicitly defined in sssd.conf) and once in lower-case
(auto-discovered).
Eventually, I gave up and went with the (apparently recommended sssd)
convention of lower-case sssd domain names. In the domain definition, I
list the krb5_realm in upper case:
[domain/amer.example.com]
...
krb5_realm = AMER.EXAMPLE.COM
This is extremely unimportant (lower case works). But is there an option
to auto-discover sssd domains in upper case?
Spike
3:40 p.m.
New subject: auto-discovering sssd domains in upper case? (one small nit)...
On (22/02/20 09:52), Spike White wrote:
All,
When I was first crafting my sssd.conf file, I very much attempted to make
all my sssd domains upper-case. Because in my (naive) view, an AD domain
is just a Kerberos realm (+ LDAP + nice admin screens).
As you know, Kerberos is very much case-sensitive. (Technically, AD is
not. but the convention in the /etc/krb5.conf file is to always put
Kerberos realms in upper case).
Back to sssd.
When sssd auto-discovered the other parent and child domains, it discovered
them in lower case. I was left with a mix of upper and lower-case sssd
domains. Even worse, the one local AD domain showed up twice. Once in
upper-case (explicitly defined in sssd.conf) and once in lower-case
(auto-discovered).
Eventually, I gave up and went with the (apparently recommended sssd)
convention of lower-case sssd domain names. In the domain definition, I
list the krb5_realm in upper case:
[domain/amer.example.com]
...
krb5_realm = AMER.EXAMPLE.COM
This is extremely unimportant (lower case works). But is there an option
to auto-discover sssd domains in upper case?
SSSD domain is not the same as kerberos realm name.
Usually, tools like ipa-client-install and realmd generate
lower-case version of krb5 realm because it is simpler :-)
But you could use any name for sssd.
e.g.
[domain/at_work]
...
krb5_realm = AMER.EXAMPLE.COM
[domain/at_fedora]
...
krb5_realm = FEDORAPROJECT.ORG
[domain/home]
...
krb5_realm = MYAD.TEST.NET
User "johny@at_work" will get a krb5 ticket with principal
johny(a)AMER.EXAMPLE.COM
Some domains (usually AD) have enabled option "case_sensitive = true" in domain
section (by default with id_provider ad)
Therefore getent passwd johny@at_work and johny@AT_WORK will return the same
ID. But getent passwd johny(a)AMER.EXAMPLE.COM will not return anything
because such sssd domain does not exist :-)
And vice versa, kinit johny(a)AMER.EXAMPLE.COM will work but kinit johny@AT_WORK
will not work.
HTH
LS
3:48 a.m.
New subject: auto-discovering sssd domains in upper case? (one small nit)...
On 2/22/20 4:52 PM, Spike White wrote:
All,
When I was first crafting my sssd.conf file, I very much attempted to
make all my sssd domains upper-case. Because in my (naive) view, an AD
domain is just a Kerberos realm (+ LDAP + nice admin screens).
As you know, Kerberos is very much case-sensitive. (Technically, AD is
not. but the convention in the /etc/krb5.conf file is to always put
Kerberos realms in upper case).
Back to sssd.
When sssd auto-discovered the other parent and child domains, it
discovered them in lower case. I was left with a mix of upper and
lower-case sssd domains. Even worse, the one local AD domain showed up
twice. Once in upper-case (explicitly defined in sssd.conf) and once in
lower-case (auto-discovered).
Eventually, I gave up and went with the (apparently recommended sssd)
convention of lower-case sssd domain names. In the domain definition, I
list the krb5_realm in upper case:
[domain/amer.example.com <http://amer.example.com>]
...
krb5_realm = AMER.EXAMPLE.COM <http://AMER.EXAMPLE.COM>
This is extremely unimportant (lower case works). But is there an
option to auto-discover sssd domains in upper case?
Lukas summarized the case sensitivity and difference between sssd domain
and realm pretty good so just to answer your question - no, we currently
do not have any option to set auto-discovered domain name format.
Spike
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
1515
days inactive
1518
days old
sssd-users@lists.fedorahosted.org
2 comments
3 participants
participants (3)
-
Lukas Slebodnik -
Pavel Březina -
Spike White