Hi Folks, I currently have SSSD-AD working exactly as I want it, less one drawback - I have to include the AD domain prefix everywhere to get things working. For example, we are whoi.edu, and in non-AD DNS, all of our hosts are $hostname.whoi.edu. We'll call our AD domain 'adwhoi' for this discussion. To get things working cleanly, Ansible reconfigures each host right before the AD join to use the hostname $hostname.adwhoi.whoi.edu instead of $hostname.whoi.edu. Hosts join AD via adcli and set the usual UPN and SPNs. AD-based identity and authentication works just fine. GSSAPI auth works fine. Users are granted a valid TGT upon login. Root can kinit the host keytab fine. Deploying a new major release of Linux is always an opportunity to make a clean break and fix annoyances like this, so I'd love to know how we can get all of the above working, but without having to include the domain prefix in our hostnames and in our ssh references. I've done a fair bit of digging on this while setting up our AD join scheme and authoring our Ansible code, but I've never been able to crack this issue, so I'd love it if someone could clue me in. Here's some of the relevant files in case they are helpful: =========================================================================================== /etc/sssd/sssd.conf: [sssd] domains = adwhoi.whoi.edu services = nss, pam debug_level = 3 [domain/adwhoi.whoi.edu] krb5_store_password_if_offline = True cache_credentials = True krb5_realm = ADWHOI.WHOI.EDU id_provider = ad fallback_homedir = /home/%u override_homedir = /home/%u default_shell = /bin/bash ad_domain = adwhoi.whoi.edu use_fully_qualified_names = False ldap_id_mapping = False access_provider = ad ad_gpo_access_control = disabled ad_server = jimbob.adwhoi.whoi.edu,cleetus.adwhoi.whoi.edu ad_backup_server = jedidiah.adwhoi.whoi.edu ad_maximum_machine_account_password_age = 0 ldap_referrals = False =========================================================================== /etc/krb5.conf [libdefaults] default_realm = ADWHOI.WHOI.EDU rdns = False dns_canonicalize_hostname = False # The following krb5.conf variables are only for MIT Kerberos. kdc_timesync = 1 ccache_type = 4 forwardable = true proxiable = true # The following libdefaults parameters are only for Heimdal Kerberos. fcc-mit-ticketflags = true [realms] ADWHOI.WHOI.EDU = { kdc = jimbob.adwhoi.whoi.edu kdc = cleetus.adwhoi.whoi.edu kdc = jedidiah.adwhoi.whoi.edu admin_server = jimbob.adwhoi.whoi.edu default_domain = adwhoi.whoi.edu } [domain_realm] .adwhoi.whoi.edu = ADWHOI.WHOI.EDU adwhoi.whoi.edu = ADWHOI.WHOI.EDU =========================================================================== Example keytab: Keytab name: FILE:/etc/krb5.keytab KVNO Principal ---- -------------------------------------------------------------------------- 2 SOMEHOST$(a)ADWHOI.WHOI.EDU (arcfour-hmac) 2 SOMEHOST$(a)ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96) 2 SOMEHOST$(a)ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96) 2 host/somehost.adwhoi.whoi.edu(a)ADWHOI.WHOI.EDU (arcfour-hmac) 2 host/somehost.adwhoi.whoi.edu(a)ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96) 2 host/somehost.adwhoi.whoi.edu(a)ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96) 2 host/SOMEHOST(a)ADWHOI.WHOI.EDU (arcfour-hmac) 2 host/SOMEHOST(a)ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96) 2 host/SOMEHOST(a)ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96) 2 RestrictedKrbHost/SOMEHOST(a)ADWHOI.WHOI.EDU (arcfour-hmac) 2 RestrictedKrbHost/SOMEHOST(a)ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96) 2 RestrictedKrbHost/SOMEHOST(a)ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96) 2 RestrictedKrbHost/somehost.adwhoi.whoi.edu(a)ADWHOI.WHOI.EDU (arcfour-hmac) 2 RestrictedKrbHost/somehost.adwhoi.whoi.edu(a)ADWHOI.WHOI.EDU (aes128-cts-hmac-sha1-96) 2 RestrictedKrbHost/somehost.adwhoi.whoi.edu(a)ADWHOI.WHOI.EDU (aes256-cts-hmac-sha1-96) ========================================================================== Thanks! - Kodiak Firesmith Sent with [Proton Mail](https://proton.me/) secure email.