> On Mon, Feb 22, 2016 at 08:04:42PM -0000, Patrice Peterson wrote:
> 
> Please note that the principal you give with the --user-principal option
> is not a SPN (service principal name) but a UPN (user principal name).
> Only UPNs can be used to get a Kerberos TGT, i.e. can be used with
> kinit.
> 
> As you can see from the logs SSSD tries to use host/fqdn(a)XD.UNI-HALLE.DE
> to get a TGT. Since AD handles principals case-insensitively,
> HOST/fqdn(a)XD.UNI-HALLE.DE will work as well, as long as it is defined as
> a UPN (I would expect that it will work the same if you use
> '--user-principal=host/fqdn@REALM').

Yes, I just tried that and you were right. My mental model of host 
authentication was apparently completely wrong—I knew computers were basically 
"users" in AD, but I didn't apply this knowledge to this situation…

> In general the default UPN is NetBIOSName$@REALM and SSSD will use it if
> a matching entry is in the keytab. But there are some restrictions on
> the NetBIOS name, e.g. only 15 characters are allowed and only a few
> special characters. Do you have an entry '...$@REALM' in the keytab?
> Does the name before the $ match the first part of the fully qualified
> host name of the client, or is it truncated or are special characters
> removed?

I do have 'Netbiosname$@REALM', but I had to make it different from the first 
part of the FQDN (i.e. it is 'HPC-login001' while the first part of the FQDN is 
'login001', without the 'HPC'). I didn't even know that this could be a 
problem, so thanks again for putting me on the right path!

> If you have a '...$@REALM' entry in the keytab which differs somehow
> from the hostname you can try to add this principal to sssd.conf with
> 
>     ldap_sasl_authid = NetBIOSName$@REALM
> 
> where NetBIOSName$@REALM matches the entry in the keytab to tell SSSD to
> use this principal for kinit.

That did the trick!

However, I still don't understand why setting this is necessary: Shouldn't SSSD 
'see' that the account ending with '$@REALM' is the only computer account in 
the keytab and use it for obtaining a TGT? I know that MS requires the first 
part of the FQDN to be equal to the NETBIOS name [0], but it still seems weird 
to me that SSSD apparently doesn't infer the NETBIOS name automatically.

In any case, thanks for your explanations! This thread has definitely improved 
my understanding so far.

-Patrice

[0] https://msdn.microsoft.com/en-us/library/cc246064.aspx
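As an added example (not code from the thread or from SSSD), a small Python check that applies the rule described above: parse a `klist -kt` listing, derive the default `NetBIOSName$@REALM` UPN from the FQDN (first label, upper-cased, truncated to 15 characters), and emit the `ldap_sasl_authid` line to put in sssd.conf when the only machine account in the keytab is stored under a different name. The host name, realm and klist output are constructed; the selection logic is a simplified model of the behaviour discussed, not SSSD's own code.

```python
"""Check which keytab principal SSSD can use for its TGT (simplified model
of the rule discussed in the thread; sample data is constructed)."""
import re

# Constructed `klist -kt` output for a hypothetical host and realm.
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp         Principal
---- ----------------- --------------------------------------------------------
   3 02/22/2016 19:55:10 host/login001.example.test@EXAMPLE.TEST
   3 02/22/2016 19:55:10 HPC-LOGIN001$@EXAMPLE.TEST
"""

# KVNO, date, time, principal; header and separator lines do not match.
PRINCIPAL_RE = re.compile(r"^\s*\d+\s+\S+\s+\S+\s+(\S+@\S+)\s*$")


def keytab_principals(klist_text):
    """Return the principal column of a `klist -kt` listing, in order."""
    matches = (PRINCIPAL_RE.match(line) for line in klist_text.splitlines())
    return [m.group(1) for m in matches if m]


def default_netbios_name(fqdn):
    """AD default NetBIOS name: first DNS label, upper-cased, max 15 chars."""
    return fqdn.split(".")[0].upper()[:15]


def choose_principal(fqdn, realm, principals):
    """Return (principal SSSD would try by default, sssd.conf hint or None).

    Comparison is case-insensitive, as AD treats principals. If the default
    NetBIOSName$@REALM UPN is not in the keytab, SSSD falls back to the
    host/fqdn@REALM entry, which only works if AD also knows it as a UPN;
    in that case the hint names the machine account that is present so it
    can be pinned with ldap_sasl_authid."""
    by_upper = {p.upper(): p for p in principals}
    default_upn = f"{default_netbios_name(fqdn)}$@{realm}".upper()
    if default_upn in by_upper:
        return by_upper[default_upn], None
    fallback = by_upper.get(f"host/{fqdn}@{realm}".upper())
    machine = [p for u, p in by_upper.items() if u.endswith(f"$@{realm.upper()}")]
    hint = f"ldap_sasl_authid = {machine[0]}" if machine else None
    return fallback, hint


if __name__ == "__main__":
    chosen, hint = choose_principal("login001.example.test", "EXAMPLE.TEST",
                                    keytab_principals(KLIST_OUTPUT))
    print("default principal:", chosen)
    print("sssd.conf hint:   ", hint)
```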
_______________________________________________
sssd-users mailing list