Hello,
I'm trying to convert an existing nslcd/pam_krb5 based setup authenticating against Active Directory to sssd/pam_sss.
I already succeeded in doing so as far as the nss-side of things is concerned.
Not so with pam_sss.so (pam_krb5.so works fine) because of the following reason:
When constructing a realm for authentication sssd seems to check for the ldap attribute specified as ldap_user_principal in sssd.conf. Later on a kerberos ticket is requested for the string found there.
What I have in sssd.conf is the following (as found in various howtos around the web): ldap_user_principal = userPrincipalName
And this is why I get in trouble!
In my case userPrincipalName does contain an email address (user@dn) with a domain part _different_ to the kerberos realm.
Thus I end up having sssd trying to request a kerberos ticket for user@DN which will of course not work, because "DN" is not a valid kerberos realm.
I tried to reproduce this using kinit with various versions of this LDAP attribute.
None of the following works:
kinit user@dn
kinit user@DN
kinit user@dn@REALM
Only "user@REALM" and "user" work.
Thus I changed ldap_user_principal in sssd.conf to the following: ldap_user_principal = sAMAccountName
This does seem to work now, but I would rather like to switch back to userPrincipalName again.
On windows it is possible to login either way: Using user@dn from userPrincipalName as well as the value from sAMAccountName.
Any idea?
Sven
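The failure described above comes down to one question: does the suffix of each user's userPrincipalName actually name the Kerberos realm sssd will request a ticket from? The following shell script is an added example, not code from the thread or from the sssd project. It takes an LDIF-style dump such as ldapsearch would produce (here a constructed sample embedded inline), compares each UPN suffix against an assumed realm EXAMPLE.COM, and lists the accounts for which ldap_user_principal = userPrincipalName would produce an unusable principal. Account names, DNs and the realm are all made up for the example.

```shell
#!/bin/sh
# Added example (not from the thread or sssd): find AD users whose
# userPrincipalName suffix does not match the Kerberos realm, i.e. the
# accounts that break when sssd uses userPrincipalName as the principal.

# Assumption: the AD domain's Kerberos realm (AD realms are the DNS
# domain name in upper case).
KRB_REALM="EXAMPLE.COM"

# Constructed sample of what "ldapsearch ... sAMAccountName userPrincipalName"
# might return. jdoe carries an alternative UPN suffix (a mail domain),
# bsmith carries the domain's own DNS name.
SAMPLE_LDIF='dn: CN=Jane Doe,OU=Users,DC=example,DC=com
sAMAccountName: jdoe
userPrincipalName: jdoe@mail.example.org

dn: CN=Bob Smith,OU=Users,DC=example,DC=com
sAMAccountName: bsmith
userPrincipalName: bsmith@example.com
'

# upn_matches_realm UPN REALM
# Returns 0 when the part after "@" equals REALM (compared case-insensitively,
# since Windows treats the UPN suffix as a DNS name), 1 otherwise or when
# the value has no "@" at all.
upn_matches_realm() {
    upn=$1
    realm=$2
    case $upn in
        *@*) ;;
        *) return 1 ;;
    esac
    suffix=${upn##*@}
    suffix_uc=$(printf '%s' "$suffix" | tr '[:lower:]' '[:upper:]')
    [ "$suffix_uc" = "$realm" ]
}

# Strip "attribute: " from an LDIF line, leaving the value.
ldif_value() {
    printf '%s' "$1" | sed 's/^[^:]*: *//'
}

# list_mismatches
# Prints "<sAMAccountName> <userPrincipalName>" for every entry in
# SAMPLE_LDIF whose UPN would not be accepted as a principal in KRB_REALM.
list_mismatches() {
    sam=""
    upn=""
    # The extra blank line guarantees the last entry gets evaluated.
    printf '%s\n\n' "$SAMPLE_LDIF" | while IFS= read -r line; do
        case $line in
            sAMAccountName:*)    sam=$(ldif_value "$line") ;;
            userPrincipalName:*) upn=$(ldif_value "$line") ;;
            "")
                if [ -n "$sam" ]; then
                    upn_matches_realm "$upn" "$KRB_REALM" || printf '%s %s\n' "$sam" "$upn"
                fi
                sam=""
                upn=""
                ;;
        esac
    done
}

# count_mismatches
# Number of accounts that would fail; 0 means userPrincipalName is safe to use.
count_mismatches() {
    list_mismatches | wc -l | tr -d ' '
}

echo "Accounts whose UPN suffix is not realm $KRB_REALM:"
list_mismatches
echo "Total: $(count_mismatches)"
```

To run this against a real directory, replace SAMPLE_LDIF with the output of an ldapsearch for sAMAccountName and userPrincipalName; a non-zero count means that, with ldap_user_principal = userPrincipalName, those users would be asked for a ticket in a realm the KDC does not serve, and sAMAccountName (which has no suffix and therefore defaults to the configured realm) is the safer attribute until the behaviour changes.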
On Fri, 2012-12-14 at 15:42 +0000, Sven Geggus wrote:
It's a limitation we currently have in sssd I am afraid.
Please open a ticket and we'll assess how soon we can address the issue.
Simo.
Simo Sorce simo@redhat.com wrote:
Please open a ticket and we'll assess how soon we can address the issue.
https://fedorahosted.org/sssd/ticket/1749
Regards
Sven
sssd-users@lists.fedorahosted.org