Jakub, yes we do have a one way trust between AD->FreeIPA. That explains why
krb5.conf is used instead of the sssd.conf _srv_ to retrieve DNS records.
Can you also please comment on why I'm only getting lookups on the first two
KDCs listed in krb5.conf?
Thank you so much, and I'm bookmarking your blog.
Date: Thu, 27 Jul 2017 10:01:11 +0200
From: Jakub Hrozek <jhro...@redhat.com>
Subject: [Freeipa-users] Re: Krb5.conf only sees first two kdc servers
Content-Type: text/plain; charset=iso-8859-1
On Thu, Jul 27, 2017 at 02:15:33AM +0000, Michael Papet via FreeIPA-users wrote:
> > If the _srv_ is enabled then am I correct in assuming that we wouldn't even
> > need kdc= records in krb5.conf ??
> > I tried removing kdc= lines and was unable to authenticate.
> In my experience, sssd relies upon the local kerberos stack. Maybe others
> have different experiences.
This really depends on what domain the user is authenticating from.
If the user comes from the joined domain, then currently sssd resolves
the KDC on its own and puts the address of the KDC server into the list
of KDC addresses known by libkrb5 via a locator plugin:
But for users from trusted domains (typically when talking about IPA-AD
trusts), this is currently not done and sssd just calls a kinit
equivalent and pretty much relies on what is already configured in
FreeIPA-users mailing list -- email@example.com