Hey list,

I have joined a CentOS 7 host to an AD domain using a fairly new version of 
adcli (one of the versions that has this [0] bug fixed). In its keytab, this 
host has a service principal of the form 'host/fqdn@REALM' (i.e. lowercase). 
User lookups with SSSD don't work, and the SSSD log says "Client 
'host/fdqn@REALM' not found in Kerberos database. Unable to create 
GSSAPI-encrypted LDAP connection."

However, if I use the 'old' adcli to join the node and create the keytab, it 
creates a service principal of the form 'HOST/fqdn@REALM'. With this keytab, I 
can do username lookups just fine.

Should this be considered a bug? Is there a way to make service principal 
lookups w/SSSD case insensitive? I would like to keep the lower-case principal 
names in my keytabs, because OpenSSH GSSAPI auth only works with those.

Thanks for any pointers!

Best,
Patrice

[0] https://bugs.freedesktop.org/show_bug.cgi?id=84749
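As an added example (not part of Patrice's post, and not code from SSSD or adcli), the following Python script reads an MIT-format keytab (version 0x0502, the format `ktutil`/`klist -k` use), lists its principals and reports which spellings of the host service name ('host/' vs 'HOST/') it holds for a given FQDN. The keytab bytes, the hostname node1.example.com and the realm EXAMPLE.COM are constructed for the example; a real check would read `/etc/krb5.keytab` instead.

```python
"""Inspect an MIT keytab (version 0x0502) and report which case variants of
the host service principal it contains.  Added example; the keytab bytes
below are constructed inline and the hostname/realm are placeholders."""
import struct

KEYTAB_VERSION = b"\x05\x02"


def _counted(data: bytes, pos: int):
    """Read a 16-bit-length-prefixed octet string at pos."""
    (length,) = struct.unpack_from(">H", data, pos)
    pos += 2
    return data[pos:pos + length], pos + length


def parse_keytab(data: bytes):
    """Return a list of (principal, kvno, enctype) tuples from keytab bytes."""
    if data[:2] != KEYTAB_VERSION:
        raise ValueError("only keytab version 0x0502 is supported")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:            # negative size marks a deleted slot: skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        # name type, timestamp, 8-bit kvno
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        _key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:      # optional 32-bit kvno overrides vno8 when nonzero
            (vno32,) = struct.unpack_from(">I", data, pos)
            kvno = vno32 or vno8
        pos = end
        entries.append(("/".join(comps) + "@" + realm.decode(), kvno, enctype))
    return entries


def build_keytab(principals, kvno=2, enctype=18, key=bytes(32)):
    """Construct a 0x0502 keytab with one AES256 entry per principal.
    Exists only to build the constructed sample input for this example."""
    out = bytearray(KEYTAB_VERSION)
    for princ in principals:
        name, realm = princ.rsplit("@", 1)
        comps = name.split("/")
        body = bytearray(struct.pack(">H", len(comps)))
        body += struct.pack(">H", len(realm)) + realm.encode()
        for comp in comps:
            body += struct.pack(">H", len(comp)) + comp.encode()
        body += struct.pack(">IIB", 1, 0, kvno & 0xFF)   # KRB5_NT_PRINCIPAL, ts, vno8
        body += struct.pack(">H", enctype) + struct.pack(">H", len(key)) + key
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def host_service_spellings(entries, fqdn):
    """Distinct spellings of the host service name ('host', 'HOST', ...) the
    keytab holds for fqdn, with the instance compared case-insensitively."""
    found = set()
    for princ, _, _ in entries:
        name = princ.split("@", 1)[0]
        svc, sep, inst = name.partition("/")
        if sep and svc.lower() == "host" and inst.lower() == fqdn.lower():
            found.add(svc)
    return sorted(found)


def missing_service_spellings(entries, fqdn, wanted=("host", "HOST")):
    """Which wanted spellings are absent: the post needs 'host/' for OpenSSH
    GSSAPI and 'HOST/' for the SSSD build in question, so both are checked."""
    present = set(host_service_spellings(entries, fqdn))
    return [w for w in wanted if w not in present]


# Constructed sample: what a keytab from the newer adcli would hold (lowercase only).
SAMPLE_KEYTAB = build_keytab(["host/node1.example.com@EXAMPLE.COM",
                              "NODE1$@EXAMPLE.COM"])

if __name__ == "__main__":
    ents = parse_keytab(SAMPLE_KEYTAB)
    for princ, kvno, enctype in ents:
        print(f"{princ}  kvno={kvno} enctype={enctype}")
    print("missing:", missing_service_spellings(ents, "node1.example.com"))
```

Pointing `parse_keytab` at the bytes of `/etc/krb5.keytab` gives the same view as `klist -k`, and `missing_service_spellings` then says immediately whether a keytab only carries one case variant of the host principal, which is the situation the post describes.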

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]