On (23/08/16 14:15), Joakim Tjernlund wrote:
>On Tue, 2016-08-23 at 15:56 +0200, Sumit Bose wrote:
>> On Mon, Aug 22, 2016 at 09:00:34AM +0000, Joakim Tjernlund wrote:
>> > 
>> > I changed the default REALM in krb5.conf but that did not have any effect on logins.
>> > I had to change the order of domains = in sssd.conf for logins to switch over to the
>> > new default domain. Should not sssd respect default_realm = xx in krb5.conf?
>> > Using sssd 1.13.4
>> 
>> no, default_realm is an option for libkrb5 which is used in the case
>> when no realm is available. E.g. if default_realm is not set
>> 
>>     kinit user
>> 
>> will fail while
>> 
>>     kinit [email protected]
>> 
>> will work (as long as kinit can find a KDC for EXAMPLE.COM and
>> [email protected] is known to the KDC).
>> 
>> If you set default_realm = MY_REALM.COM
>> 
>>     kinit user
>> 
>> will try to get a ticket for user@MY_REALM.COM while
>> 
>>     kinit [email protected]
>> 
>> will still try to get a ticket for [email protected].
>
>Yes, this is what I would expect but when I log in (over LXDM) with only user name I get
>a ticket for whatever domain which is listed first in
> domains = REALM1,REALM2
sssd does not use realms for option "domains"

realm is usually uppercase. sssd can use any string there
but we usually recommend dns domain name for IPA and AD
which is usually lowercase.

This is a reason why sssd has an option krb5_realm (man sssd-krb5)

>not the default realm krb5.conf:
> default_realm = REALM2

sssd does not know the value of krb5_realm in krb5.conf

LS
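
The thread above contrasts two independent settings: the order of `domains =` in sssd.conf, which decided the realm for short-name logins, and `default_realm` in krb5.conf, which only libkrb5 tools such as kinit consult. The following check is an added example, not part of the original messages or of sssd; the domain and realm names are constructed placeholders, and falling back to the upper-cased domain name when `krb5_realm` is absent is an assumption of this sketch.

```python
import configparser
import re

# Constructed sample files (not from the thread); all names are placeholders.
SSSD_CONF = """
[sssd]
domains = realm1.example, realm2.example

[domain/realm1.example]
id_provider = ldap
auth_provider = krb5
krb5_realm = REALM1.EXAMPLE

[domain/realm2.example]
id_provider = ldap
auth_provider = krb5
krb5_realm = REALM2.EXAMPLE
"""

KRB5_CONF = """
[libdefaults]
    default_realm = REALM2.EXAMPLE
"""

def sssd_domain_realms(text):
    """Return [(domain, realm)] in the order of the [sssd] 'domains' list."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    names = [d.strip() for d in cp.get("sssd", "domains").split(",") if d.strip()]
    # Assumption: without krb5_realm, fall back to the upper-cased domain name.
    return [(n, cp.get(f"domain/{n}", "krb5_realm", fallback=n.upper())) for n in names]

def krb5_default_realm(text):
    """Pull default_realm out of [libdefaults]; krb5.conf is not strict INI."""
    section = re.search(r"^\[libdefaults\](.*?)(?=^\[|\Z)", text, re.S | re.M)
    m = section and re.search(r"^\s*default_realm\s*=\s*(\S+)", section.group(1), re.M)
    return m.group(1) if m else None

def check(sssd_text, krb5_text):
    """Compare the realm of the first sssd domain with libkrb5's default."""
    first_domain, first_realm = sssd_domain_realms(sssd_text)[0]
    default = krb5_default_realm(krb5_text)
    return {"first_domain": first_domain, "login_realm": first_realm,
            "kinit_realm": default, "match": first_realm == default}

if __name__ == "__main__":
    print(check(SSSD_CONF, KRB5_CONF))
```

A `match` of `False` reproduces the situation reported in the thread: short-name logins and a bare `kinit user` resolve to different realms until the `domains =` order is changed.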