On Tue, 2016-08-23 at 16:26 +0200, Lukas Slebodnik wrote:
> On (23/08/16 14:15), Joakim Tjernlund wrote:
> > On Tue, 2016-08-23 at 15:56 +0200, Sumit Bose wrote:
> > > On Mon, Aug 22, 2016 at 09:00:34AM +0000, Joakim Tjernlund wrote:
> > > > I changed the default REALM in krb5.conf but that did not have any
> > > > effect on logins.
> > > > I had to change the order of domains = in sssd.conf for logins to
> > > > switch over to the new default domain. Should not sssd respect
> > > > default_realm = xx in krb5.conf?
> > > > Using sssd 1.13.4
> > >
> > > no, default_realm is an option for libkrb5 which is used in the case
> > > when no realm is available. E.g. if default_realm is not set
> > >
> > > kinit user
> > >
> > > will fail while
> > >
> > > kinit [email protected]
> > >
> > > will work (as long as kinit can find a KDC for EXAMPLE.COM and
> > > [email protected] is known to the KDC).
> > >
> > > If you set default_realm = MY_REALM.COM
> > >
> > > kinit user
> > >
> > > will try to get a ticket for user@MY_REALM.COM while
> > >
> > > kinit [email protected]
> > >
> > > will still try to get a ticket for [email protected].
> >
> > Yes, this is what I would expect but when I login (over LXDM) with only
> > user name I get a ticket for whatever domain which is listed first in
> > domains = REALM1,REALM2
>
> sssd does not use realms for option "domains"
>
> realm is usually uppercase. sssd can use any string there
> but we usually recommend dns domain name for IPA and AD
> which is usually lowercase.

That was a typo on my part (directly from memory ... getting old :)
I have
  domains = transmode.se, infinera.com
Now transmode.se is default and if I switch to
  domains = infinera.com, transmode.se
Then infinera.com is default

> This is a reason why sssd has an option krb5_realm (man sssd-krb5)

Yes, I have that one too, one for each domain

> > not the default realm krb5.conf:
> > default_realm = REALM2
>
> sssd does not know the value of krb5_realm in krb5.conf

So it seems which is confusing, why will not sssd listen to default_realm ?

> LS

_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
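
The mismatch discussed in this thread can be checked mechanically. The following is an added example, not part of the original messages and not sssd code: it reads the first entry of `domains =` in sssd.conf, which the thread reports decides the realm for a bare user name, and compares that domain's `krb5_realm` with libkrb5's `default_realm`. The file contents, realm names and KDC host are constructed, and the function names are hypothetical.

```python
import configparser

# Constructed sample files; realm names and the KDC host are assumptions.
SSSD_CONF = """\
[sssd]
domains = transmode.se, infinera.com

[domain/transmode.se]
krb5_realm = TRANSMODE.SE

[domain/infinera.com]
krb5_realm = INFINERA.COM
"""

KRB5_CONF = """\
[libdefaults]
    default_realm = INFINERA.COM
[realms]
    INFINERA.COM = {
        kdc = kdc.example.test
    }
"""

def sssd_domains(text):
    """Return [(domain, krb5_realm)] in the order listed in 'domains ='."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    names = [n.strip() for n in cp.get("sssd", "domains").split(",") if n.strip()]
    return [(n, cp.get("domain/" + n, "krb5_realm", fallback=None)) for n in names]

def krb5_default_realm(text):
    """Return default_realm from [libdefaults], or None if it is unset."""
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif section == "libdefaults" and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            if key == "default_realm":
                return value
    return None

def compare(sssd_text, krb5_text):
    """(first sssd domain, its krb5_realm, libkrb5 default_realm, agree?)"""
    domain, realm = sssd_domains(sssd_text)[0]
    default = krb5_default_realm(krb5_text)
    return domain, realm, default, realm == default
```

With the sample files, `compare(SSSD_CONF, KRB5_CONF)` reports a disagreement; swapping the order in `domains =` makes the two settings agree.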
