Jakub, yes we do have a one-way trust between AD->FreeIPA. That explains why krb5.conf is used instead of the sssd.conf _srv_ to retrieve DNS records. Can you also please comment on why I'm only getting lookups on the first two KDCs listed in krb5.conf? Thank you so much, and I'm bookmarking your blog.
Date: Thu, 27 Jul 2017 10:01:11 +0200
From: Jakub Hrozek <jhro...@redhat.com>
Subject: [Freeipa-users] Re: Krb5.conf only sees first two kdc servers
To: email@example.com
Message-ID: <20170727080111.ekj3mqbuilkrlxpa@hendrix>
Content-Type: text/plain; charset=iso-8859-1

On Thu, Jul 27, 2017 at 02:15:33AM +0000, Michael Papet via FreeIPA-users wrote:
> > If the _srv_ is enabled then am I correct in assuming that we wouldn't even
> > need kdc= records in krb5.conf ??
> > I tried removing kdc= lines and was unable
> > to authenticate.
> In my experience, sssd relies upon the local kerberos stack. Maybe others
> have different experiences.
> mpapet

This really depends on what domain the user is authenticating from. If the
user comes from the joined domain, then currently sssd resolves the KDC on
its own and puts the address of the KDC server into the list of KDC addresses
known by libkrb5 via a locator plugin:
https://jhrozek.wordpress.com/2014/11/04/how-does-sssd-interact-with-tools-like-kinit/

But for users from trusted domains (typically when talking about IPA-AD
trusts), this is currently not done and sssd just calls a kinit equivalent
and pretty much relies on what is already configured in krb5.conf.
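As an added illustration of Jakub's point that logins from a trusted AD realm depend on what krb5.conf already lists (example code written for this page, not from the thread or from the sssd or MIT krb5 projects): a small parser that reports, per realm, the kdc entries libkrb5 will see and whether the dns_lookup_kdc SRV fallback is on. The krb5.conf text and all hostnames are constructed; a real audit would read /etc/krb5.conf instead.

```python
import re
from typing import Dict, List

# Constructed sample krb5.conf (not from the thread): a joined IPA realm plus
# a trusted AD realm with several explicitly listed KDCs.
SAMPLE_KRB5_CONF = """
[libdefaults]
    default_realm = IPA.EXAMPLE.TEST
    dns_lookup_kdc = false

[realms]
    IPA.EXAMPLE.TEST = {
        kdc = ipa1.ipa.example.test:88
        kdc = ipa2.ipa.example.test:88
        admin_server = ipa1.ipa.example.test:749
    }
    AD.EXAMPLE.TEST = {
        kdc = dc1.ad.example.test
        kdc = dc2.ad.example.test
        kdc = dc3.ad.example.test
    }
"""

def parse_realm_kdcs(text: str) -> Dict[str, List[str]]:
    """Return {REALM: [kdc, ...]} from the [realms] section, in file order."""
    kdcs: Dict[str, List[str]] = {}
    section = realm = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"\[(\w+)\]$", line)     # new [section]
        if m:
            section, realm = m.group(1), None
            continue
        if section != "realms":
            continue
        m = re.match(r"([^\s=]+)\s*=\s*\{$", line)   # REALM = {
        if m:
            realm = m.group(1)
            kdcs.setdefault(realm, [])
            continue
        if line == "}":
            realm = None
            continue
        m = re.match(r"kdc\s*=\s*(\S+)$", line)      # kdc = host[:port]
        if m and realm:
            kdcs[realm].append(m.group(1))
    return kdcs

def dns_lookup_kdc_enabled(text: str) -> bool:
    """dns_lookup_kdc in [libdefaults]; MIT krb5 defaults it to true when unset."""
    m = re.search(r"^\s*dns_lookup_kdc\s*=\s*(\S+)", text, re.M)
    return m is None or m.group(1).lower() in ("true", "yes", "1")

if __name__ == "__main__":
    for r, hosts in parse_realm_kdcs(SAMPLE_KRB5_CONF).items():
        print(f"{r}: {len(hosts)} kdc entries -> {hosts}")
    print("SRV fallback (dns_lookup_kdc):", dns_lookup_kdc_enabled(SAMPLE_KRB5_CONF))
```

Comparing this list for the AD realm against the KDCs actually contacted (for example from KRB5_TRACE output) shows whether the shortfall is in the file itself or in how the client walks it.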