On Thu, Dec 17, 2015 at 02:42:39PM +0000, Longina Przybyszewska wrote:
> Hi, I did some testing of sssd-13.2 version in Ubuntu-16.04 (ldap_idmapping = false). Login with FQDN in cross realm and Kerberos NFS automount seem to work almost out-of-the-box. This is great. I still have some questions:
>
> In my setup, I have configured only one domain - the domain where I join the machine. SRV discovery can figure out all domains and the AD structure;
> Is it still necessary to make an explicit list of all domains in the 'domains' statement?
>
> [sssd]
> ..
> domains = a.c.realm, n.c.realm, s.c.realm, c.realm
> ...
no, only domains which are configured explicitly in the [domain/...] sections must be listed here. For all other domains listed here you should get 'Unknown domain' messages in the logs.
> I tried login with a setup for UPN/sAMAccountName login - without success. Is login with a cross realm's UPN or short sAMAccountName supported in this sssd version?
>
> In the database for the default domain, cache_a.c.realm.db, the user object has the following names (for a 'use_fully_qualified_names = true' setup):
>
> dn: name = user1@n.c.realm ...
> name: user1@n.c.realm
> nameAlias: user1@n.c.realm
> UserPrincipalName: user1@REALM
> canonicalUserPrincipalName: user1@N.C.REALM
The plain sAMAccountName 'user1' will not work because use_fully_qualified_names = true. What should work is 'DOM\user1' where DOM is the NetBIOS domain name of the n.c.realm domain. Additionally I would expect that user1@REALM should work.
> Localauth plugin: the option
> krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
> - does not create that directory (I understand from the doc that sssd should take care of it);
no, SSSD expects the directory to be present; it should be created during the package installation.
> However, after manually creating this directory I can see many failures in the log:
>
> [sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [a.c.realm] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realm]
> [sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0040): creating the temp file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4PYcJ] for domain-realm mappings failed.
> [sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0080): Could not remove file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4P<B0>]: [2]: No such file or directory
> ....
>
> ls -ld
> drwxr-xr-x 2 root root 4096 Dec 16 16:08 /var/lib/sss/pubconf/krb5.conf.d/
It looks like SSSD still tries the default location; did you put krb5_confd_path in the right [domain/..] section?
> The default value for the option 'krb5_canonicalize' is FALSE; I set 'canonicalize' to 'true' in krb5.conf - is it enough? I understand from the docs that the localauth plugin needs it.
The AD provider has krb5_use_enterprise_principal=true, which implicitly sets krb5_canonicalize=true as well.
> ldbsearch
> Can I somehow (I am not thinking of a log with a high debug level) see all configured and default options for SSSD?
I'm afraid the answer is currently no.
bye, Sumit
> Best, Longina
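As an added illustration of the two configuration points Sumit makes above (only explicitly configured domains belong in `domains=`, and krb5_confd_path belongs in a [domain/...] section whose directory must already exist), here is a small lint script that is not part of the thread or of SSSD itself. The sssd.conf texts are constructed for the example; `dir_exists` is a hypothetical hook so the directory check can run without a real /var/lib/sss.

```python
import configparser
import os

# Constructed sssd.conf reproducing the two problems raised in the thread:
# domains= lists realms that have no [domain/...] section (they only produce
# 'Unknown domain' log messages) and krb5_confd_path is placed in [sssd]
# rather than in the [domain/...] section where the krb5 options belong.
BROKEN_CONF = """
[sssd]
services = nss, pam
domains = a.c.realm, n.c.realm, s.c.realm, c.realm
krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d

[domain/a.c.realm]
id_provider = ad
use_fully_qualified_names = true
"""

# The same setup with both points corrected (constructed).
FIXED_CONF = """
[sssd]
services = nss, pam
domains = a.c.realm

[domain/a.c.realm]
id_provider = ad
use_fully_qualified_names = true
krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
"""


def lint_sssd_conf(text, dir_exists=os.path.isdir):
    """Return the findings for one sssd.conf text (dir_exists is a hypothetical, injectable hook)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    configured = {s[len("domain/"):] for s in cp.sections() if s.startswith("domain/")}
    listed = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for dom in listed:  # only explicitly configured domains belong in domains=
        if dom not in configured:
            findings.append(f"domains= lists '{dom}' but there is no [domain/{dom}] section")
    if cp.has_option("sssd", "krb5_confd_path"):  # per-domain option, not a global one
        findings.append("krb5_confd_path in [sssd] is not honoured; move it to [domain/...]")
    for dom in sorted(configured):  # SSSD expects the directory to exist already
        path = cp.get(f"domain/{dom}", "krb5_confd_path", fallback=None)
        if path and not dir_exists(path):
            findings.append(f"[domain/{dom}] krb5_confd_path={path} is missing; SSSD will not create it")
    return findings
```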
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org