Hi,
I'm in an environment with several AD sites, each with a DC. When remote sites' DCs are unreachable because of a VPN outage, I'm not able to complete password authentication with sudo.
Does sssd_krb5_locator_plugin.so work with sssd-ad? Do I need to put anything in krb5.conf to activate it? I can see ldap_child is trying to connect on port 88 to all the wrong DCs when I enter a password in sudo. In the logs I see "[krb5_auth_done] (0x0100): Backend is marked offline, retry later!".
I'm using sss_ssh_authorizedkeys to log in, so password authentication isn't involved until I sudo. To get this far I had to set dns_resolver_timeout = 30 under [domain/mydomain] in sssd.conf. Before that, AD site discovery was failing; it would look up the DCs, time out after 6 seconds connecting to one of the remote DCs by LDAP, and mark the domain as offline.
I also had to set ad_gpo_access_control = disabled; gpo_child was trying to connect to the wrong DCs on port 88.
Thanks,
Mike