Hey list,
I have joined a CentOS 7 host to an AD domain using a fairly new version of adcli (one of
the versions that has this [0] bug fixed). In its keytab, this host has a service
principal of the form 'host/fqdn@REALM' (i.e. lowercase). User lookups with SSSD
don't work, and the SSSD log says "Client 'host/fdqn@REALM' not found in
Kerberos database. Unable to create GSSAPI-encrypted LDAP connection."
However, if I use the 'old' adcli to join the node and create the keytab, it
creates a service principal of the form 'HOST/fqdn@REALM'. With this keytab, I can
do username lookups just fine.
Should this be considered a bug? Is there a way to make service principal lookups w/SSSD
case insensitive? I would like to keep the lower-case principal names in my keytabs,
because OpenSSH GSSAPI auth only works with those.
Thanks for any pointers!
Best,
Patrice
[0] https://bugs.freedesktop.org/show_bug.cgi?id=84749
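Added example (not part of the original post): a small POSIX shell helper that parses `klist -kt` output and reports whether a keytab carries the host principal as 'host/...', 'HOST/...', or both, which is the first thing to check when chasing the "Client ... not found in Kerberos database" error above. It assumes the MIT `klist -kt` column layout; the sample output, hostname and realm below are constructed placeholders.

```shell
#!/bin/sh
# Constructed sample of 'klist -kt /etc/krb5.keytab' output (hostname/realm are placeholders).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/15/2024 09:30:11 host/node1.example.com@EXAMPLE.COM
   2 01/15/2024 09:30:11 NODE1$@EXAMPLE.COM
   2 01/15/2024 09:30:11 HOST/node1.example.com@EXAMPLE.COM'

# host_principal_forms: read klist -kt text on stdin and print, sorted and unique,
# every principal whose service component is "host" in any letter case.
# Header, separator and "Keytab name:" lines carry no '@' and are skipped.
host_principal_forms() {
  awk 'NF >= 3 && $NF ~ /@/ {
         p = $NF; split(p, parts, "/")
         if (tolower(parts[1]) == "host") print p
       }' | sort -u
}

# case_summary: read klist -kt text on stdin and print one of
# "lower" (only host/), "upper" (only HOST/), "both", or "none".
case_summary() {
  forms=$(host_principal_forms)
  lower=0; upper=0
  for p in $forms; do
    case "$p" in
      host/*) lower=1 ;;
      HOST/*) upper=1 ;;
    esac
  done
  if [ "$lower" -eq 1 ] && [ "$upper" -eq 1 ]; then echo both
  elif [ "$lower" -eq 1 ]; then echo lower
  elif [ "$upper" -eq 1 ]; then echo upper
  else echo none
  fi
}

# Against a real keytab:  klist -kt /etc/krb5.keytab | case_summary
# Then verify which form the KDC actually accepts, e.g.
#   kinit -kt /etc/krb5.keytab host/node1.example.com@EXAMPLE.COM
# Stand-alone run on the constructed sample prints "both":
printf '%s\n' "$SAMPLE_KLIST" | case_summary
```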