On Wed, Apr 23, 2014 at 03:33:44PM +1000, Jacob Taylor wrote:
> Hi guys,
> I'm in a pickle: I'm trying to configure a domain in SSSD to both perform all the usual AD authentication wizardry, and at the same time perform LDAP Sudo lookup in the directory too. The AD schema has been extended.
> It seems it doesn't like both LDAP and AD directives in the same domain, but doesn't Sudo require LDAP and not AD? I know that's how it works for IPA.
> Has anyone gotten this working? I'm scratching my head. It works without the sudo bit.
Does it work if you drop the enumerate=true line? We've had a bug recently where, if you configured two provider types (like ldap and ad in your case), the enumeration tasks would clash: https://fedorahosted.org/sssd/ticket/2153
If it still doesn't work, can you enable debug_level in the sudo and domain sections to see if the logs shed any light?
The client$ principal is usually the right one, btw. host/client.fqdn is often not allowed to acquire a TGT (it's a service account only).
And finally, the recent versions of sssd include a sudo_provider=ad to cover exactly this use-case: https://fedorahosted.org/sssd/ticket/2256
I hope this helps.
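An added, constructed sssd.conf illustrating the two setups discussed in this thread (not a file posted by either participant): the ad domain with a separate ldap sudo provider and the enumerate line the reply suggests dropping, beside the sudo_provider=ad form with debug_level raised in the sudo and domain sections. The domain name, sudo search base and debug level are assumptions.

```ini
# /etc/sssd/sssd.conf -- constructed example; example.com, the search base
# and the debug_level value are assumptions, not values from the thread.

[sssd]
services = nss, pam, sudo
domains = example.com

[sudo]
# Raise logging in the sudo responder while troubleshooting (sssd_sudo.log).
debug_level = 6

# Recommended form for recent sssd versions (see ticket 2256): the ad
# provider serves identity, auth, access and sudo rules from the same domain.
[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
sudo_provider = ad
# Raise logging in the backend as well (sssd_example.com.log).
debug_level = 6

# The setup described in the question mixed two provider types in one
# domain; with enumerate = true the enumeration tasks could clash
# (see ticket 2153). Shown commented out for comparison:
#
# [domain/example.com]
# id_provider = ad
# auth_provider = ad
# access_provider = ad
# sudo_provider = ldap
# ldap_sudo_search_base = ou=SUDOers,dc=example,dc=com
# enumerate = true          # drop this line first when troubleshooting
# debug_level = 6
```

Only one [domain/example.com] section may be active at a time; the commented block is there to show the difference, not to be enabled alongside the first.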