On Wed, Jan 06, 2016 at 01:11:50PM +0000, Longina Przybyszewska wrote:
Thank you for the answers. There are still some issues:
I tried login with the setup for UPN/sAMAccountName login, without success. Is login with a cross-realm UPN or a short sAMAccountName supported in this sssd version?
In the database for the default domain, cache_a.c.realm.db, the user object has the following names (for the 'use_fully_qualified_names = true' setup):
dn: name=user1@n.c.realm ...
name: user1@n.c.realm
nameAlias: user1@n.c.realm
UserPrincipalName: user1@REALM
canonicalUserPrincipalName: user1@N.C.REALM
The plain sAMAccountName 'user1' will not work because use_fully_qualified_names = true. What should work is 'DOM\user1', where DOM is the NetBIOS domain name of the n.c.realm domain. Additionally, I would expect that user1@REALM should work.
Right. user1@n.c.realm and DOM\user1 login works.
Login as user1@REALM (and user1@realm) does not work.
hm, that's odd, can you send me the logs when trying to login with user1@REALM?
getent passwd user1@realm
user1@n.c.realm@a.c.realm:*:10002:30000000::/home/user1:/bin/bash
'user1@n.c.realm@a.c.realm' looks odd; do you map the user name to an attribute other than sAMAccountName?
The best would be to be able to login with the sAMAccountName; the next best with the UPN, then with the FQDN.
I tried, without success, the following setup for login with short names:
[nss]
subdomain_inherit = ldap_user_principal
[domain/..]
..
ldap_user_principal = sAMAccountName
this won't work because the ldap_user_principal value is used as a Kerberos principal without further processing.
You might want to try the 'default_domain_suffix' option, see man sssd.conf for details.
Localauth plugin: the option krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
- does not create that directory (I understand from the doc that sssd should take care of it);
no, SSSD expects the directory to be present; it should be created during the package installation.
This is the content of /var/lib/sss/pubconf:
ls /var/lib/sss/pubconf/
kdcinfo A.C.REALM  krb5.conf.d  krb5.include.d
'krb5.conf.d' I have created manually; after removing everything in /var/lib/sss/{db,mc,pubconf}/* and restarting sssd, 'krb5.include.d' disappeared.
yes, as said, SSSD does not create the directory for the krb5 config snippets.
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [a.c.realm] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realm]
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0040): creating the temp file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4PYcJ] for domain-realm mappings failed.
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0080): Could not remove file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4P<B0>]: [2]: No such file or directory
....
ls -ld /var/lib/sss/pubconf/krb5.conf.d/
drwxr-xr-x 2 root root 4096 Dec 16 16:08 /var/lib/sss/pubconf/krb5.conf.d/
It looks like SSSD still tries the default location; did you put krb5_confd_path in the right [domain/..] section?
Yes.
...
[domain/a.c.realm]
...
krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
I still cannot reproduce this with my Fedora builds. Maybe it is an issue in the Ubuntu build; I'll try to reproduce it on Ubuntu.
The default value for the option 'krb5_canonicalize' is FALSE; I set 'canonicalize' to 'true' in krb5.conf - is it enough? I understand from the docs that the localauth plugin needs it.
The AD provider has krb5_use_enterprise_principal=true, which implicitly sets krb5_canonicalize=true as well.
I do have 'id_provider = ad' in sssd.conf.
From the log sssd_a.c.realm.log:
...
[sssd[be[a.c.realm]]] [dp_get_options] (0x0400): Option ldap_sasl_canonicalize is FALSE
[sssd[be[a.c.realm]]] [dp_get_options] (0x0400): Option krb5_canonicalize is FALSE
[sssd[be[a.c.realm]]] [dp_copy_options_ex] (0x0400): Option krb5_canonicalize is FALSE
[sssd[be[a.c.realm]]] [dp_copy_options_ex] (0x0400): Option ldap_sasl_canonicalize is FALSE
[sssd[be[a.c.realm]]] [groups_by_user_done] (0x2000): Failed to canonicalize name, using [a1test@c.realm@a.c.realm] [2]: No such file or directory.
..
However, I have found in krb5_child.log:
[[sssd[krb5_child[12000]]]] [set_canonicalize_option] (0x0100): SSSD_KRB5_CANONICALIZE is set to [true]
this is the important one.
[[sssd[krb5_child[12000]]]] [main] (0x0400): Will perform ticket renewal
[[sssd[krb5_child[12000]]]] [renew_tgt_child] (0x1000): Renewing a ticket
[[sssd[krb5_child[12000]]]] [sss_child_krb5_trace_cb] (0x4000): [12000] 1451929488.830638: Retrieving a1test@C.REALM -> krbtgt/C.REALM@C.REALM from FILE:/tmp/krb5cc_10009_q4a2wo with result: 0/Success
[[sssd[krb5_child[12000]]]] [sss_child_krb5_trace_cb] (0x4000): [12000] 1451929488.830681: Get cred via TGT krbtgt/C.REALM@C.REALM after requesting krbtgt/C.REALM@C.REALM (canonicalize off)
Best, Longina
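A small diagnostic for the krb5_confd_path problem discussed in this thread, added here as an illustration and not code from the SSSD project or from either poster. It parses a constructed sssd.conf in the same shape as the one quoted above, takes the krb5_confd_path of each [domain/...] section, and scans constructed sssd_a.c.realm.log lines modelled on the sss_write_domain_mappings failure shown above. It treats /var/lib/sss/pubconf/krb5.include.d as the fallback location only because the thread's own log shows SSSD falling back there; the reporting strings and the DEFAULT_CONFD_PATH name are my own assumptions. Mismatches between the directory SSSD actually wrote to and the configured one point at the option sitting in the wrong section, as the reply suggests; a match means the directory simply has to exist, since SSSD does not create it.

```python
import configparser
import os
import re
from typing import Dict, List

# Assumption: where SSSD writes krb5 config snippets when krb5_confd_path is
# not picked up; the thread's log shows this path being used.
DEFAULT_CONFD_PATH = "/var/lib/sss/pubconf/krb5.include.d"

# Constructed sample sssd.conf, modelled on the settings quoted in the thread.
SAMPLE_SSSD_CONF = """
[sssd]
domains = a.c.realm
services = nss, pam

[nss]

[domain/a.c.realm]
id_provider = ad
use_fully_qualified_names = true
krb5_confd_path = /var/lib/sss/pubconf/krb5.conf.d
"""

# Constructed log excerpt shaped like the sssd_a.c.realm.log lines in the thread.
SAMPLE_LOG = """\
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0200): Mapping file for domain [a.c.realm] is [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realm]
[sssd[be[a.c.realm]]] [sss_write_domain_mappings] (0x0040): creating the temp file [/var/lib/sss/pubconf/krb5.include.d/domain_realm_a_c_realmU4PYcJ] for domain-realm mappings failed.
[sssd[be[a.c.realm]]] [dp_get_options] (0x0400): Option krb5_canonicalize is FALSE
"""

# Matches the backend's "creating the temp file [...]" failure and captures
# the domain name and the temp-file path SSSD tried to create.
MAPPING_FAIL_RE = re.compile(
    r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[sss_write_domain_mappings\] "
    r"\(0x0040\): creating the temp file \[(?P<path>[^\]]+)\]"
)


def confd_paths(conf_text: str) -> Dict[str, str]:
    """Return {domain: krb5_confd_path} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    result = {}
    for section in cp.sections():
        if section.startswith("domain/"):
            domain = section[len("domain/"):]
            result[domain] = cp.get(section, "krb5_confd_path",
                                    fallback=DEFAULT_CONFD_PATH)
    return result


def failed_mapping_dirs(log_text: str) -> Dict[str, str]:
    """Return {domain: directory} for each failed mapping-file write in the log."""
    found = {}
    for line in log_text.splitlines():
        m = MAPPING_FAIL_RE.search(line)
        if m:
            found[m.group("domain")] = os.path.dirname(m.group("path"))
    return found


def diagnose(conf_text: str, log_text: str) -> List[str]:
    """Cross-check the configured snippet directory against the one in the log."""
    configured = confd_paths(conf_text)
    failing = failed_mapping_dirs(log_text)
    findings = []
    for domain, used_dir in failing.items():
        wanted = configured.get(domain, DEFAULT_CONFD_PATH)
        if used_dir != wanted:
            findings.append(
                f"{domain}: sssd wrote to {used_dir} but krb5_confd_path is "
                f"{wanted}; check that the option sits in [domain/{domain}]"
            )
        else:
            findings.append(
                f"{domain}: cannot write to {used_dir}; create the directory, "
                f"sssd does not create it"
            )
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SSSD_CONF, SAMPLE_LOG):
        print(finding)
```

Run against the real files by reading /etc/sssd/sssd.conf and the domain's log in place of the constructed strings; the regex only keys on the debug line SSSD prints at level 0x0040, so the check works without raising debug_level further.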