I changed the default REALM in krb5.conf but that did not have any effect on logins. I had to change the order of domains = in sssd.conf for logins to switch over to the new default domain. Should not sssd respect default_realm = xx in krb5.conf? Using sssd 1.13.4
Jocke
On Mon, Aug 22, 2016 at 09:00:34AM +0000, Joakim Tjernlund wrote:
> I changed the default REALM in krb5.conf but that did not have any effect on logins. I had to change the order of domains = in sssd.conf for logins to switch over to the new default domain. Should not sssd respect default_realm = xx in krb5.conf? Using sssd 1.13.4

no, default_realm is an option for libkrb5 which is used in the case when no realm is available. E.g. if default_realm is not set

    kinit user

will fail while

    kinit user@EXAMPLE.COM

will work (as long as kinit can find a KDC for EXAMPLE.COM and user@EXAMPLE.COM is known to the KDC).

If you set default_realm = MY_REALM.COM

    kinit user

will try to get a ticket for user@MY_REALM.COM while

    kinit user@EXAMPLE.COM

will still try to get a ticket for user@EXAMPLE.COM.

HTH

bye, Sumit

> Jocke
> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
On Tue, 2016-08-23 at 15:56 +0200, Sumit Bose wrote:
> On Mon, Aug 22, 2016 at 09:00:34AM +0000, Joakim Tjernlund wrote:
> > I changed the default REALM in krb5.conf but that did not have any effect on logins. I had to change the order of domains = in sssd.conf for logins to switch over to the new default domain. Should not sssd respect default_realm = xx in krb5.conf? Using sssd 1.13.4
>
> no, default_realm is an option for libkrb5 which is used in the case when no realm is available. E.g. if default_realm is not set
>
>     kinit user
>
> will fail while
>
>     kinit user@EXAMPLE.COM
>
> will work (as long as kinit can find a KDC for EXAMPLE.COM and user@EXAMPLE.COM is known to the KDC).
>
> If you set default_realm = MY_REALM.COM
>
>     kinit user
>
> will try to get a ticket for user@MY_REALM.COM while
>
>     kinit user@EXAMPLE.COM
>
> will still try to get a ticket for user@EXAMPLE.COM.

Yes, this is what I would expect, but when I login (over LXDM) with only a user name I get a ticket for whatever domain is listed first in

    domains = REALM1,REALM2

not the default realm in krb5.conf:

    default_realm = REALM2

 Jocke
On (23/08/16 14:15), Joakim Tjernlund wrote:
> On Tue, 2016-08-23 at 15:56 +0200, Sumit Bose wrote:
> > On Mon, Aug 22, 2016 at 09:00:34AM +0000, Joakim Tjernlund wrote:
> > > I changed the default REALM in krb5.conf but that did not have any effect on logins. I had to change the order of domains = in sssd.conf for logins to switch over to the new default domain. Should not sssd respect default_realm = xx in krb5.conf? Using sssd 1.13.4
> >
> > no, default_realm is an option for libkrb5 which is used in the case when no realm is available. E.g. if default_realm is not set
> >
> >     kinit user
> >
> > will fail while
> >
> >     kinit user@EXAMPLE.COM
> >
> > will work (as long as kinit can find a KDC for EXAMPLE.COM and user@EXAMPLE.COM is known to the KDC).
> >
> > If you set default_realm = MY_REALM.COM
> >
> >     kinit user
> >
> > will try to get a ticket for user@MY_REALM.COM while
> >
> >     kinit user@EXAMPLE.COM
> >
> > will still try to get a ticket for user@EXAMPLE.COM.
>
> Yes, this is what I would expect, but when I login (over LXDM) with only a user name I get a ticket for whatever domain is listed first in
>
>     domains = REALM1,REALM2

sssd does not use realms for the option "domains".
realm is usually uppercase. sssd can use any string there but we usually recommend the dns domain name for IPA and AD, which is usually lowercase.

This is a reason why sssd has an option krb5_realm (man sssd-krb5)

> not the default realm in krb5.conf:
>
>     default_realm = REALM2

sssd does not know the value of krb5_realm in krb5.conf

LS
On Tue, 2016-08-23 at 16:26 +0200, Lukas Slebodnik wrote:
> On (23/08/16 14:15), Joakim Tjernlund wrote:
> > On Tue, 2016-08-23 at 15:56 +0200, Sumit Bose wrote:
> > > On Mon, Aug 22, 2016 at 09:00:34AM +0000, Joakim Tjernlund wrote:
> > > > I changed the default REALM in krb5.conf but that did not have any effect on logins. I had to change the order of domains = in sssd.conf for logins to switch over to the new default domain. Should not sssd respect default_realm = xx in krb5.conf? Using sssd 1.13.4
> > >
> > > no, default_realm is an option for libkrb5 which is used in the case when no realm is available. E.g. if default_realm is not set
> > >
> > >     kinit user
> > >
> > > will fail while
> > >
> > >     kinit user@EXAMPLE.COM
> > >
> > > will work (as long as kinit can find a KDC for EXAMPLE.COM and user@EXAMPLE.COM is known to the KDC).
> > >
> > > If you set default_realm = MY_REALM.COM
> > >
> > >     kinit user
> > >
> > > will try to get a ticket for user@MY_REALM.COM while
> > >
> > >     kinit user@EXAMPLE.COM
> > >
> > > will still try to get a ticket for user@EXAMPLE.COM.
> >
> > Yes, this is what I would expect, but when I login (over LXDM) with only a user name I get a ticket for whatever domain is listed first in
> >
> >     domains = REALM1,REALM2
>
> sssd does not use realms for the option "domains".
> realm is usually uppercase. sssd can use any string there but we usually recommend the dns domain name for IPA and AD, which is usually lowercase.

That was a typo on my part (directly from memory ... getting old :) I have

    domains = transmode.se, infinera.com

Now transmode.se is default, and if I switch to

    domains = infinera.com, transmode.se

then infinera.com is default.

> This is a reason why sssd has an option krb5_realm (man sssd-krb5)

Yes, I have that one too, one for each domain

> > not the default realm in krb5.conf:
> >
> >     default_realm = REALM2
>
> sssd does not know the value of krb5_realm in krb5.conf

So it seems, which is confusing; why will sssd not listen to default_realm?

> LS
On (23/08/16 14:48), Joakim Tjernlund wrote:
> On Tue, 2016-08-23 at 16:26 +0200, Lukas Slebodnik wrote:
> > On (23/08/16 14:15), Joakim Tjernlund wrote:
> > > On Tue, 2016-08-23 at 15:56 +0200, Sumit Bose wrote:
> > > > On Mon, Aug 22, 2016 at 09:00:34AM +0000, Joakim Tjernlund wrote:
> > > > > I changed the default REALM in krb5.conf but that did not have any effect on logins. I had to change the order of domains = in sssd.conf for logins to switch over to the new default domain. Should not sssd respect default_realm = xx in krb5.conf? Using sssd 1.13.4
> > > >
> > > > no, default_realm is an option for libkrb5 which is used in the case when no realm is available. E.g. if default_realm is not set
> > > >
> > > >     kinit user
> > > >
> > > > will fail while
> > > >
> > > >     kinit user@EXAMPLE.COM
> > > >
> > > > will work (as long as kinit can find a KDC for EXAMPLE.COM and user@EXAMPLE.COM is known to the KDC).
> > > >
> > > > If you set default_realm = MY_REALM.COM
> > > >
> > > >     kinit user
> > > >
> > > > will try to get a ticket for user@MY_REALM.COM while
> > > >
> > > >     kinit user@EXAMPLE.COM
> > > >
> > > > will still try to get a ticket for user@EXAMPLE.COM.
> > >
> > > Yes, this is what I would expect, but when I login (over LXDM) with only a user name I get a ticket for whatever domain is listed first in
> > >
> > >     domains = REALM1,REALM2

I thought a little bit and I do not understand what you want to achieve. The behaviour which you described here is expected.

user@transmode.se and user@infinera.com are two different users for sssd.

> > sssd does not use realms for the option "domains".
> > realm is usually uppercase. sssd can use any string there but we usually recommend the dns domain name for IPA and AD, which is usually lowercase.
>
> That was a typo on my part (directly from memory ... getting old :) I have
>
>     domains = transmode.se, infinera.com
>
> Now transmode.se is default, and if I switch to
>
>     domains = infinera.com, transmode.se
>
> then infinera.com is default.
>
> > This is a reason why sssd has an option krb5_realm (man sssd-krb5)
>
> Yes, I have that one too, one for each domain
>
> > > not the default realm in krb5.conf:
> > >
> > >     default_realm = REALM2
> >
> > sssd does not know the value of krb5_realm in krb5.conf
>
> So it seems, which is confusing; why will sssd not listen to default_realm?

maybe you did not get the message from the previous mail. domains in sssd.conf can be anything (default, test, LDAP ...). man sssd.conf says:

    domains
        A domain is a database containing user information. SSSD can use more domains at the same time, but at least one must be configured or SSSD won't start. This parameter describes the list of domains in the order you want them to be queried. A domain name should only consist of alphanumeric ASCII characters, dashes, dots and underscores.

It is just a convenience to use the dns domain name for IPA and AD.

That's the reason why sssd does not know anything about default_realm. It is a totally different option in a different configuration file.

LS
On Tue, 2016-08-23 at 16:58 +0200, Lukas Slebodnik wrote:
> On (23/08/16 14:48), Joakim Tjernlund wrote:
> > On Tue, 2016-08-23 at 16:26 +0200, Lukas Slebodnik wrote:
> > > On (23/08/16 14:15), Joakim Tjernlund wrote:
> > > > On Tue, 2016-08-23 at 15:56 +0200, Sumit Bose wrote:
> > > > > On Mon, Aug 22, 2016 at 09:00:34AM +0000, Joakim Tjernlund wrote:
> > > > > > I changed the default REALM in krb5.conf but that did not have any effect on logins. I had to change the order of domains = in sssd.conf for logins to switch over to the new default domain. Should not sssd respect default_realm = xx in krb5.conf? Using sssd 1.13.4
> > > > >
> > > > > no, default_realm is an option for libkrb5 which is used in the case when no realm is available. E.g. if default_realm is not set
> > > > >
> > > > >     kinit user
> > > > >
> > > > > will fail while
> > > > >
> > > > >     kinit user@EXAMPLE.COM
> > > > >
> > > > > will work (as long as kinit can find a KDC for EXAMPLE.COM and user@EXAMPLE.COM is known to the KDC).
> > > > >
> > > > > If you set default_realm = MY_REALM.COM
> > > > >
> > > > >     kinit user
> > > > >
> > > > > will try to get a ticket for user@MY_REALM.COM while
> > > > >
> > > > >     kinit user@EXAMPLE.COM
> > > > >
> > > > > will still try to get a ticket for user@EXAMPLE.COM.
> > > >
> > > > Yes, this is what I would expect, but when I login (over LXDM) with only a user name I get a ticket for whatever domain is listed first in
> > > >
> > > >     domains = REALM1,REALM2
>
> I thought a little bit and I do not understand what you want to achieve. The behaviour which you described here is expected.
>
> user@transmode.se and user@infinera.com are two different users for sssd.
>
> > > sssd does not use realms for the option "domains".
> > > realm is usually uppercase. sssd can use any string there but we usually recommend the dns domain name for IPA and AD, which is usually lowercase.
> >
> > That was a typo on my part (directly from memory ... getting old :) I have
> >
> >     domains = transmode.se, infinera.com
> >
> > Now transmode.se is default, and if I switch to
> >
> >     domains = infinera.com, transmode.se
> >
> > then infinera.com is default.
> >
> > > This is a reason why sssd has an option krb5_realm (man sssd-krb5)
> >
> > Yes, I have that one too, one for each domain
> >
> > > > not the default realm in krb5.conf:
> > > >
> > > >     default_realm = REALM2
> > >
> > > sssd does not know the value of krb5_realm in krb5.conf
> >
> > So it seems, which is confusing; why will sssd not listen to default_realm?
>
> maybe you did not get the message from the previous mail.

Obviously ...

> domains in sssd.conf can be anything (default, test, LDAP ...). man sssd.conf says:
>
>     domains
>         A domain is a database containing user information. SSSD can use more domains at the same time, but at least one must be configured or SSSD won't start. This parameter describes the list of domains in the order you want them to be queried. A domain name should only consist of alphanumeric ASCII characters, dashes, dots and underscores.
>
> It is just a convenience to use the dns domain name for IPA and AD.
>
> That's the reason why sssd does not know anything about default_realm. It is a totally different option in a different configuration file.

Got it! Thanks

 Jocke
On Tue, Aug 23, 2016 at 02:48:07PM +0000, Joakim Tjernlund wrote:
> On Tue, 2016-08-23 at 16:26 +0200, Lukas Slebodnik wrote:
> > On (23/08/16 14:15), Joakim Tjernlund wrote:
> > > On Tue, 2016-08-23 at 15:56 +0200, Sumit Bose wrote:
> > > > On Mon, Aug 22, 2016 at 09:00:34AM +0000, Joakim Tjernlund wrote:
> > > > > I changed the default REALM in krb5.conf but that did not have any effect on logins. I had to change the order of domains = in sssd.conf for logins to switch over to the new default domain. Should not sssd respect default_realm = xx in krb5.conf? Using sssd 1.13.4
> > > >
> > > > no, default_realm is an option for libkrb5 which is used in the case when no realm is available. E.g. if default_realm is not set
> > > >
> > > >     kinit user
> > > >
> > > > will fail while
> > > >
> > > >     kinit user@EXAMPLE.COM
> > > >
> > > > will work (as long as kinit can find a KDC for EXAMPLE.COM and user@EXAMPLE.COM is known to the KDC).
> > > >
> > > > If you set default_realm = MY_REALM.COM
> > > >
> > > >     kinit user
> > > >
> > > > will try to get a ticket for user@MY_REALM.COM while
> > > >
> > > >     kinit user@EXAMPLE.COM
> > > >
> > > > will still try to get a ticket for user@EXAMPLE.COM.
> > >
> > > Yes, this is what I would expect, but when I login (over LXDM) with only a user name I get a ticket for whatever domain is listed first in
> > >
> > >     domains = REALM1,REALM2
> >
> > sssd does not use realms for the option "domains".
> > realm is usually uppercase. sssd can use any string there but we usually recommend the dns domain name for IPA and AD, which is usually lowercase.
>
> That was a typo on my part (directly from memory ... getting old :) I have
>
>     domains = transmode.se, infinera.com
>
> Now transmode.se is default, and if I switch to
>
>     domains = infinera.com, transmode.se
>
> then infinera.com is default.
>
> > This is a reason why sssd has an option krb5_realm (man sssd-krb5)
>
> Yes, I have that one too, one for each domain
>
> > > not the default realm in krb5.conf:
> > >
> > >     default_realm = REALM2
> >
> > sssd does not know the value of krb5_realm in krb5.conf
>
> So it seems, which is confusing; why will sssd not listen to default_realm?

Because looking up a user is not related to Kerberos. When you enter a user name at the LXDM prompt, LXDM will first check whether a user with that name or name alias exists on the system by calling getpwnam() with the entered name. If it finds the user it will start authenticating the user. But all the user lookup is completely unrelated to Kerberos and hence does not care about the default_realm setting in /etc/krb5.conf.

HTH

bye, Sumit

> > LS
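As an added example (not code from the thread, from SSSD or from MIT krb5), here is a small Python lint that reproduces what Lukas and Sumit explain: it reads the ordered "domains =" list and each domain's krb5_realm from sssd.conf, reads default_realm from krb5.conf, resolves a login name the way the getpwnam() step does (first domain for a bare name, the named SSSD domain for user@domain), and warns when a bare login will not end up in the realm that default_realm names. The two config texts are constructed; the SSSD domain names are the ones from the thread, the realm names are assumptions, and the user@domain form assumes SSSD's default name format.

```python
import configparser

# Constructed sample configs (domain names from the thread; realm names assumed).
SSSD_CONF = """[sssd]
domains = transmode.se, infinera.com
[domain/transmode.se]
auth_provider = krb5
krb5_realm = TRANSMODE.SE
[domain/infinera.com]
auth_provider = krb5
krb5_realm = INFINERA.COM
"""
KRB5_CONF = """[libdefaults]
 default_realm = INFINERA.COM
"""

def sssd_domains(text):
    """Ordered 'domains =' list and each domain's krb5_realm (sssd.conf is plain INI)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    order = [d.strip() for d in cp["sssd"]["domains"].split(",") if d.strip()]
    return order, {d: cp.get(f"domain/{d}", "krb5_realm", fallback=None) for d in order}

def krb5_default_realm(text):
    """default_realm from [libdefaults]; krb5.conf allows brace blocks, so walk it by hand."""
    section = None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and line.startswith("default_realm"):
            return line.split("=", 1)[1].strip()
    return None

def resolve_login(name, order, realms):
    """Mimic the getpwnam() step: 'user@domain' selects that SSSD domain (default name
    format assumed); a bare name falls through to the first entry of 'domains ='."""
    if "@" in name:
        dom = name.rsplit("@", 1)[1]
        return (dom, realms[dom]) if dom in realms else None
    return order[0], realms[order[0]]

def lint_default_realm(sssd_text, krb5_text):
    """Warn when bare logins will not land in the realm named by krb5.conf default_realm."""
    order, realms = sssd_domains(sssd_text)
    first, first_realm, default = order[0], realms[order[0]], krb5_default_realm(krb5_text)
    if default and first_realm != default:
        return [f"bare logins resolve to {first} ({first_realm}), not default_realm {default};"
                f" reorder 'domains =' (or change default_realm) if that is unintended"]
    return []
```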