Hi, I did some testing of the sssd-13.2 version in Ubuntu-16.04 (ldap_idmapping = false). Login with fqdn in a cross realm and Kerberos NFS automount seem to work almost out-of-the-box. This is great. I still have some questions:
In my setup, I have configured only one domain - the domain where I join the machine. SRV discovery can figure out all domains and the AD structure;
1. Is it still necessary to make an explicit list of all domains in the 'domains' statement?
[sssd] .. domains = a.c.realm, n.c.realm, s.c.realm, c.realm ...
2. I tried login with a setup for UPN/sAMAccountName login - without success. Is login with a cross realm's UPN or short sAMAccountName supported in this sssd version?
In the database for the default domain, cache_a.c.realm.db, the user object has the following names (for the 'use_fully_qualified_names = true' setup):
dn: name = user1@n.c.realm ...
name: user1@n.c.realm
nameAlias: user1@n.c.realm
UserPrincipalName: user1@REALM
canonicalUserPrincipalName: user1@N.C.REALM
3. Localauth plugin: the option krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
- does not create that directory (I understand from the doc that sssd should take care of it). However, after manually creating this directory I can see many failures in the log:
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [a.c.realm] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realm]
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0040): creating the temp file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4PYcJ] for domain-realm mappings failed.
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0080): Could not remove file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4P<B0>]: [2]: No such file or directory
....
ls -ld
drwxr-xr-x 2 root root 4096 Dec 16 16:08 /var/lib/sss/pubconf/krb5.conf.d/
The default value for the option 'krb5_canonicalize' is FALSE; I set 'canonicalize' to 'true' in krb5.conf - is that enough? I understand from the docs that the localauth plugin needs it.
4. ldbsearch
Can I somehow (I am not thinking about a log with a high debug level) see all configured and default options for SSSD?
Best, Longina
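As an added diagnostic example (not part of the post and not sssd's own code): the backend log lines quoted in item 3 name the mapping file under krb5.include.d, while the directory created by hand was krb5.conf.d. This script parses sssd backend log lines, keeps only the sss_write_domain_mappings failures, and reports any target directory that does not exist on the host; the log lines and the directory list embedded here are constructed from the post, and the level bitmask values are sssd's documented debug levels.

```python
import re
from pathlib import PurePosixPath

# Constructed sample input: the backend log lines and the `ls -ld` result quoted in the post
# (the non-printable byte in the third line is replaced by nothing).
LOG_LINES = [
    "[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [a.c.realm] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realm]",
    "[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0040): creating the temp file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4PYcJ] for domain-realm mappings failed.",
    "[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0080): Could not remove file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4P]: [2]: No such file or directory",
]
EXISTING_DIRS = ["/var/lib/sss/pubconf/krb5.conf.d/"]  # what `ls -ld` showed on the host

# "[sssd[be[<domain>]]] [<function>] (<hex level>): <message>"
LINE_RE = re.compile(
    r"^\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
PATH_RE = re.compile(r"\[(/[^\]]+)\]")  # bracketed absolute paths inside the message

# sssd debug-level bits: 0x0040 = operation failure, 0x0080 = minor failure
OP_FAILURE = 0x0040
MINOR_FAILURE = 0x0080


def parse_line(line):
    """Split one backend log line into domain, function, numeric level, message and paths."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"], 16)
    rec["paths"] = PATH_RE.findall(rec["msg"])
    return rec


def missing_mapping_dirs(log_lines, existing_dirs):
    """Map each directory that sss_write_domain_mappings failed to write into, and that is
    not among existing_dirs, to the failure messages that mention it."""
    existing = {d.rstrip("/") for d in existing_dirs}
    problems = {}
    for line in log_lines:
        rec = parse_line(line)
        if rec is None or rec["func"] != "sss_write_domain_mappings":
            continue
        if not rec["level"] & (OP_FAILURE | MINOR_FAILURE):
            continue  # informational lines (e.g. 0x0200) are not failures
        for path in rec["paths"]:
            parent = str(PurePosixPath(path).parent)
            if parent not in existing:
                problems.setdefault(parent, []).append(rec["msg"])
    return problems
```

Running it on the sample reports /var/lib/sss/pubconf/krb5.include.d with the two failure messages, which is the directory to compare against the configured krb5_confd_path.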