On Mon, Feb 22, 2016 at 09:41:47AM +0000, John Hodrien wrote:
> On Mon, 22 Feb 2016, Patrice Peterson wrote:
>
> >Hey list,
> >
> >I have joined a CentOS 7 host to an AD domain using a fairly new version of
> >adcli (one of the versions that has this [0] bug fixed). In its keytab, this
> >host has a service principal of the form 'host/fqdn@REALM' (i.e. lowercase).
> >User lookups with SSSD don't work, and the SSSD log says "Client
> >'host/fqdn@REALM' not found in Kerberos database. Unable to create
> >GSSAPI-encrypted LDAP connection."
> >
> >However, if I use the 'old' adcli to join the node and create the keytab, it
> >creates a service principal of the form 'HOST/fqdn@REALM'. With this keytab,
> >I can do username lookups just fine.
> >
> >Should this be considered a bug? Is there a way to make service principal
> >lookups w/SSSD case insensitive? I would like to keep the lower-case
> >principal names in my keytabs, because OpenSSH GSSAPI auth only works with
> >those.
> >
> >Thanks for any pointers!
>
> SSSD with a normal AD joined machine would use the SHORTHOST$@REALM entry, not
> any of the others. That one's the only one that's a userPrincipal by default
> (although you can choose *one* additional userPrincipal if you require).
>
> You can test this on the command line as it's the only one kinit -k will work
> with:
>
> # These work
> kinit -k SHORTHOST$
> kinit -k SHORTHOST$\@DS.LEEDS.AC.UK
>
> # These do not work
> kinit -k host/fqdn
> kinit -k host/fqdn\@DS.LEEDS.AC.UK
>
> So I'm not entirely sold on your diagnosis being correct.
I agree with John here. Can you share your sssd.conf?

bye,
Sumit

> > jh
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/admin/lists/[email protected]
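The keytab check John describes, turned into a script, as an added example that is not part of the thread or of the SSSD/adcli projects. It parses MIT `klist -k` output (a constructed sample is embedded; the host srv01.ad.example.com and realm AD.EXAMPLE.COM are made up) to pick out the machine-account principal SHORTHOST$@REALM that John says `kinit -k` works with, and to list the host/ SPNs regardless of case, so you can see whether a keytab holds lowercase host/, uppercase HOST/, or both before deciding where the lookup failure comes from.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread.
# Constructed `klist -k` output for a keytab that has the machine account,
# both a lowercase host/ and an uppercase HOST/ SPN, and RestrictedKrbHost.
# Hostname and realm are made up. MIT klist prints three header lines
# (keytab name, column titles, dashes) before the entries.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   3 SRV01$@AD.EXAMPLE.COM
   3 host/srv01.ad.example.com@AD.EXAMPLE.COM
   3 HOST/srv01.ad.example.com@AD.EXAMPLE.COM
   3 RestrictedKrbHost/srv01.ad.example.com@AD.EXAMPLE.COM'

# Print the distinct principal names from MIT `klist -k` output.
# Usage: keytab_principals "$klist_output"
keytab_principals() {
    printf '%s\n' "$1" | awk 'NR > 3 && NF >= 2 { print $2 }' | sort -u
}

# The machine-account principal (SHORTHOST$@REALM): no '/' and a '$' right
# before the '@'. This is the entry John says `kinit -k` works with.
machine_principal() {
    keytab_principals "$1" | grep '^[^/]*\$@' | head -n 1
}

# Service principals whose service part matches case-insensitively,
# e.g. both host/... and HOST/... for service "host".
# Usage: service_principals "$klist_output" host
service_principals() {
    keytab_principals "$1" | grep -i "^$2/"
}

# Count of such principals (returns "0" when none match).
count_service_principals() {
    keytab_principals "$1" | grep -ic "^$2/"
}

# Exact-case presence test for a full principal name.
# Usage: has_principal "$klist_output" 'host/fqdn@REALM'
has_principal() {
    keytab_principals "$1" | grep -qxF "$2"
}

# Demo on the constructed sample. On a real host, feed "$(klist -k)" instead
# and hand the machine principal to `kinit -k` to reproduce John's test.
echo "machine account principal: $(machine_principal "$SAMPLE_KLIST")"
echo "host/ SPNs present (any case):"
service_principals "$SAMPLE_KLIST" host
if has_principal "$SAMPLE_KLIST" 'host/srv01.ad.example.com@AD.EXAMPLE.COM'; then
    echo "lowercase host/ SPN is in the keytab"
fi
```

On a joined host, `kinit -k "$(machine_principal "$(klist -k)")"` exercises the "these work" case from John's mail; `klist -k` needs read access to /etc/krb5.keytab, so run it as root. The header-skipping assumes MIT Kerberos's `klist -k` layout; Heimdal's `ktutil list` prints a different table and would need its own column handling.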
