On Thu, Nov 20, 2014 at 06:09:42PM +0100, Joschi Brauchle wrote:
> Hello,
> 
> We have a Linux machine with a hostname that is longer than 19 characters.
> AFAIK the SamAccountName attribute in AD is limited to at most 20 characters
> (incl. the trailing $). I.e. the number of usable characters is at most 19.
> 
> In many AD docs it is stated that a Windows hostname should not exceed 15
> characters for backward compatibility, but we do not really care about that.
> 
> Could you comment on how SSSD picks the principal / username to use
> for kerberos / ldap authentication / reading the keytab / and so on in the
> case of the hostname being longer than 19 characters?
> 
> I could not find anything in the docs of sssd-ad about this.
> 
> Will it use
> 1) UNRESTRICTED_VERY_LONG_HOSTNAME$

This one. In general, SSSD matches principals in this order:
    hostname@REALM
    SHORT_HOSTNAME$@REALM
    host/hostname@REALM
    *$@REALM
    host/*@REALM
    host/*@*

If none of the above match, we pick the first principal. The asterisk
acts as a wildcard.

> 2) 19_CHARACTERS_HOSTNAME$
> 3) 15_CHAR_HOSTNAME$
> ?
> 
> Thanks for clarifying. It will help us decide how to proceed with hosts
> with long host names.

The safest approach is to manually set ldap_sasl_authid to the right
principal.
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
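The matching order given in the reply above, as an added illustration (this is not SSSD's own code): a simplified model that walks the patterns in that order over a constructed keytab principal list, with an `ldap_sasl_authid` override short-circuiting the search. The hostname, realm and keytab contents are constructed; realm/case handling in real SSSD is not modelled.

```python
import fnmatch


def candidate_patterns(fqdn, realm):
    """Patterns in the order the reply lists them, built from the FQDN,
    its short name (first label, upper-cased, with trailing $) and realm."""
    short = fqdn.split(".")[0].upper()
    return [
        f"{fqdn}@{realm}",
        f"{short}$@{realm}",
        f"host/{fqdn}@{realm}",
        f"*$@{realm}",
        f"host/*@{realm}",
        "host/*@*",
    ]


def select_principal(fqdn, realm, keytab_principals, sasl_authid=None):
    """Return the principal this model would pick from the keytab.

    sasl_authid models ldap_sasl_authid: when set, it wins outright and no
    keytab matching is done. Otherwise each pattern is tried in order
    against every keytab entry; '*' is a wildcard. With no match, the first
    keytab entry is used, as the reply states."""
    if sasl_authid:
        return sasl_authid
    for pattern in candidate_patterns(fqdn, realm):
        for princ in keytab_principals:
            if fnmatch.fnmatchcase(princ, pattern):
                return princ
    return keytab_principals[0] if keytab_principals else None


# Constructed sample: a 25-character first label, well over the 19-character
# SamAccountName limit. 'LONGHOSTNAMEWITHMAN$' is the 19-character truncation.
FQDN = "longhostnamewithmanychars.example.com"
REALM = "EXAMPLE.COM"
KEYTAB_FULL = [  # AD account created with the untruncated name
    f"host/{FQDN}@{REALM}",
    f"LONGHOSTNAMEWITHMANYCHARS$@{REALM}",
]
KEYTAB_TRUNCATED = [  # AD account holds only the 19-character name
    f"LONGHOSTNAMEWITHMAN$@{REALM}",
    f"host/{FQDN}@{REALM}",
]
KEYTAB_TRUNC_ONLY = [f"LONGHOSTNAMEWITHMAN$@{REALM}"]
```

With the truncated account the `SHORT_HOSTNAME$@REALM` pattern never matches, so the choice falls through to `host/hostname@REALM` or the `*$@REALM` wildcard, which is why pinning `ldap_sasl_authid` is the predictable option.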