URL: https://github.com/SSSD/sssd/pull/555 Author: jhrozek Title: #555: MAN: Document which principal does the AD provider use Action: opened
PR body: """ Administrators are often confused by the difference between what principal is used to authenticate to AD. Let's document that. """
To pull the PR as Git branch:
git remote add ghsssd https://github.com/SSSD/sssd
git fetch ghsssd pull/555/head:pr555
git checkout pr555
From 93ae24829f11d0cddd023f773abe7aa541a72334 Mon Sep 17 00:00:00 2001 From: Jakub Hrozek <jhro...@redhat.com> Date: Thu, 19 Apr 2018 09:38:47 +0200 Subject: [PATCH] MAN: Document which principal does the AD provider use Administrators are often confused by the difference between what principal is used to authenticate to AD. Let's document that. --- src/man/include/ad_modified_defaults.xml | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/src/man/include/ad_modified_defaults.xml b/src/man/include/ad_modified_defaults.xml index c41b454f8..818a2bf78 100644 --- a/src/man/include/ad_modified_defaults.xml +++ b/src/man/include/ad_modified_defaults.xml @@ -58,6 +58,22 @@ ldap_use_tokengroups = true </para> </listitem> + <listitem> + <para> + ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) + </para> + <para> + The AD provider looks for a different principal than the + LDAP provider by default, because in an Active Directory + environment the principals are divided into two groups + - User Principals and Service Principals. Only User + Principal can be used to obtain a TGT and by default, + computer object's principal is constructed from + its sAMAccountName and the AD realm. The well-known + host/hostname@REALM principal is a Service Principal + and thus cannot be used to get a TGT with. + </para> + </listitem> </itemizedlist> </refsect2> </refsect1>
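Review bot: the wording of the new paragraph in the ad_modified_defaults.xml hunk needs tightening before it lands in the man page: "Only User Principal can be used" should read "Only a User Principal can be used", "computer object's principal is constructed" should be "the computer object's principal is constructed", and "cannot be used to get a TGT with" should drop the trailing "with". The clause "by default, computer object's principal is constructed from its sAMAccountName and the AD realm" also leaves unclear who does the constructing; since this section documents SSSD's modified defaults, consider "by default the AD provider builds the principal it authenticates with from the computer object's sAMAccountName and the AD realm, i.e. SHORTNAME$@REALM", which ties the explanation back to the ldap_sasl_authid value stated just above it. The dash introducing "User Principals and Service Principals" reads better as a colon.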
_______________________________________________ sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org