On Thu, Jul 27, 2017 at 02:15:33AM +0000, Michael Papet via FreeIPA-users wrote:
> >If the _srv_ is enabled then am I correct in assuming that we wouldn't even
> >need kdc= records in krb5.conf ??
> >I tried removing kdc= lines and was unable to authenticate.
> In my experience, sssd relies upon the local kerberos stack.  Maybe others 
> have different experiences.
> mpapet

This really depends on what domain the user is authenticating from.

If the user comes from the joined domain, then currently sssd resolves
the KDC on its own and puts the address of the KDC server into the list
of KDC addresses known by libkrb5 via a locator plugin:
    
https://jhrozek.wordpress.com/2014/11/04/how-does-sssd-interact-with-tools-like-kinit/

But for users from trusted domains (typically when talking about IPA-AD
trusts), this is currently not done and sssd just calls a kinit
equivalent and pretty much relies on what is already configured in
krb5.conf.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
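
An added example, not part of the original message: a small check of which KDC sources libkrb5 has for a realm when sssd's locator plugin does not supply one (the trusted-domain case above). The sample krb5.conf and realm names are constructed; `include`/`includedir` directives are not followed, and `dns_lookup_kdc` is taken to default to true as in MIT krb5.

```python
# Constructed sample krb5.conf for an IPA client with an AD trust (not from the thread).
SAMPLE = """
[libdefaults]
  default_realm = IPA.EXAMPLE.TEST
  dns_lookup_kdc = false

[realms]
  IPA.EXAMPLE.TEST = {
    kdc = ipa1.ipa.example.test
  }
  AD.EXAMPLE.TEST = {
    admin_server = dc1.ad.example.test
  }
"""

def parse_krb5(text):
    """Return ([libdefaults] dict, {realm: {key: [values]}}) from krb5.conf text."""
    libdefaults, realms, section, realm = {}, {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section, realm = line[1:-1].strip(), None
        elif line == "}":                         # end of a realm block
            realm = None
        elif "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if section == "realms" and value == "{":
                realm = key
                realms[realm] = {}
            elif section == "realms" and realm:
                realms[realm].setdefault(key, []).append(value)
            elif section == "libdefaults":
                libdefaults[key] = value
    return libdefaults, realms

def kdc_source(text, realm):
    """How libkrb5 alone would find a KDC for realm: 'krb5.conf', 'dns-srv' or 'none'."""
    libdefaults, realms = parse_krb5(text)
    if realms.get(realm, {}).get("kdc"):
        return "krb5.conf"                        # explicit kdc= entries win
    dns = libdefaults.get("dns_lookup_kdc", "true").lower()
    return "dns-srv" if dns in ("y", "yes", "true", "t", "1", "on") else "none"

if __name__ == "__main__":
    for r in ("IPA.EXAMPLE.TEST", "AD.EXAMPLE.TEST"):
        print(r, "->", kdc_source(SAMPLE, r))
```

A result of `none` for a trusted realm means authentication for its users depends entirely on something else supplying the KDC, which per the reply above sssd does not currently do for trusted domains.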
