On Fri, 2012-12-14 at 15:42 +0000, Sven Geggus wrote:
> Hello,
>
> I'm trying to convert an existing nslcd/pam_krb5 based setup authenticating
> against Active Directory to sssd/pam_sss.
>
> I already succeeded in doing so as far as the nss-side of things is
> concerned.
>
> Not so with pam_sss.so (pam_krb5.so works fine) because of the following
> reason:
>
> When constructing a realm for authentication sssd seems to check for the
> ldap attribute specified as ldap_user_principal in sssd.conf. Later on a
> kerberos ticket is requested for the string found there.
>
> What I have in sssd.conf is the following (as found in various howtos
> around the web):
> ldap_user_principal = userPrincipalName
>
> And this is why I get in trouble!
>
> In my case userPrincipalName does contain an email address (user@dn) with a
> domain part _different_ to the kerberos realm.
>
> Thus I end up having sssd trying to request a kerberos ticket for user@DN
> which will of course not work, because "DN" is not a valid kerberos realm.
>
> I tried to reproduce this using kinit with various versions of this ldap
> attribute.
>
> Neither one of the following works:
> kinit user@dn
> kinit user@DN
> kinit user@dn@REALM
>
> Only "user@REALM" and "user" work.
>
> Thus I changed ldap_user_principal in sssd.conf to the following:
> ldap_user_principal = sAMAccountName
>
> This does seem to work now, but I would rather like to switch back to
> userPrincipalName again.
>
> On windows it is possible to login either way: Using user@dn from
> userPrincipalName as well as the value from sAMAccountName.
>
> Any Idea
It's a limitation we currently have in sssd I am afraid. Please open a ticket and we'll assess how soon we can address the issue.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
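The following is an added example, not code from the thread or from sssd itself. It models the behaviour Sven describes (the value of the attribute named by ldap_user_principal is used verbatim as the principal to request a TGT for, with the realm appended only when the value carries no '@') and turns it into the pre-flight check a practitioner would want before switching ldap_user_principal back to userPrincipalName: which accounts have a UPN suffix that does not match the Kerberos realm. The directory entries, account names and realm below are constructed sample data, and the function names are this example's own.

```python
"""Model the ldap_user_principal -> kinit principal mapping from the thread.

Added example, not sssd code.  Everything here is an assumption about the
behaviour described in the mail, not a reading of sssd's source.
"""

# Constructed sample AD entries (not from the original post).  The second
# account has a mail-style UPN whose suffix is an alternative UPN suffix,
# not the domain's DNS name, so it will not match the Kerberos realm.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "userPrincipalName": "alice@ad.example.net"},
    {"sAMAccountName": "sven",  "userPrincipalName": "sven@example.org"},
    {"sAMAccountName": "svc1"},  # service account without a UPN
]
KRB5_REALM = "AD.EXAMPLE.NET"  # constructed realm name


def principal_from_attr(entry, ldap_user_principal, krb5_realm):
    """Principal sssd would request, as the thread describes the behaviour.

    A value that already contains '@' is used as-is, so its domain part
    becomes the realm.  A bare name (sAMAccountName) gets the configured
    realm appended, which is why that setting works for the poster.
    """
    value = entry.get(ldap_user_principal)
    if not value:
        raise KeyError(f"entry has no attribute {ldap_user_principal!r}")
    return value if "@" in value else f"{value}@{krb5_realm}"


def split_principal(principal):
    """Split 'name@REALM' into (name, realm), realm being after the last '@'."""
    name, _, realm = principal.rpartition("@")
    return name, realm


def realm_is_servable(principal, known_realms):
    """True if the principal's realm is one we could obtain a TGT from.

    Kerberos realm names are case-sensitive and AD realms are upper-case, so
    a lower-case mail domain such as 'example.org' never matches.
    """
    _, realm = split_principal(principal)
    return realm in known_realms


def check_mapping(entry, ldap_user_principal, krb5_realm):
    """Return (principal, ok) for one entry under a given ldap_user_principal."""
    principal = principal_from_attr(entry, ldap_user_principal, krb5_realm)
    return principal, realm_is_servable(principal, {krb5_realm})


def find_mismatched_upns(entries, krb5_realm):
    """Audit: sAMAccountNames whose UPN suffix differs from the realm.

    AD's own UPN suffix equals the domain DNS name, so it is compared
    case-insensitively; anything else (or a missing UPN) is reported, since
    ldap_user_principal = userPrincipalName would break logins for it.
    """
    bad = []
    for entry in entries:
        upn = entry.get("userPrincipalName")
        if not upn or split_principal(upn)[1].upper() != krb5_realm:
            bad.append(entry["sAMAccountName"])
    return bad


if __name__ == "__main__":
    sven = SAMPLE_ENTRIES[1]
    for attr in ("userPrincipalName", "sAMAccountName"):
        principal, ok = check_mapping(sven, attr, KRB5_REALM)
        status = "ok" if ok else "FAILS: realm unknown to the KDC"
        print(f"ldap_user_principal = {attr:<18} -> kinit {principal:<24} {status}")
    print("accounts that need sAMAccountName-based mapping:",
          find_mismatched_upns(SAMPLE_ENTRIES, KRB5_REALM))
```

Running the audit against a real export (for instance the output of an ldapsearch for sAMAccountName and userPrincipalName over the user base) tells you whether userPrincipalName is safe to use as ldap_user_principal for everyone, or whether, as in the thread, some accounts carry a suffix the KDC has no realm for.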
