On Tue, 2016-08-23 at 16:58 +0200, Lukas Slebodnik wrote:
> On (23/08/16 14:48), Joakim Tjernlund wrote:
> > On Tue, 2016-08-23 at 16:26 +0200, Lukas Slebodnik wrote:
> > > On (23/08/16 14:15), Joakim Tjernlund wrote:
> > > > On Tue, 2016-08-23 at 15:56 +0200, Sumit Bose wrote:
> > > > > On Mon, Aug 22, 2016 at 09:00:34AM +0000, Joakim Tjernlund wrote:
> > > > > > I changed the default REALM in krb5.conf but that did not have any
> > > > > > effect on logins.
> > > > > > I had to change the order of domains = in sssd.conf for logins to
> > > > > > switch over to the new default domain. Should not sssd respect
> > > > > > default_realm = xx in krb5.conf?
> > > > > > Using sssd 1.13.4
> > > > >
> > > > > no, default_realm is an option for libkrb5 which is used in the case
> > > > > when no realm is available. E.g. if default_realm is not set
> > > > >
> > > > >     kinit user
> > > > >
> > > > > will fail while
> > > > >
> > > > >     kinit [email protected]
> > > > >
> > > > > will work (as long as kinit can find a KDC for EXAMPLE.COM and
> > > > > [email protected] is known to the KDC).
> > > > >
> > > > > If you set default_realm = MY_REALM.COM
> > > > >
> > > > >     kinit user
> > > > >
> > > > > will try to get a ticket for user@MY_REALM.COM while
> > > > >
> > > > >     kinit [email protected]
> > > > >
> > > > > will still try to get a ticket for [email protected].
> > > >
> > > > Yes, this is what I would expect but when I login (over LXDM) with only
> > > > user name I get a ticket for whatever domain which is listed first in
> > > >     domains = REALM1,REALM2
>
> I thought a little bit and I do not understand what you want to achieve?
> The behaviour which you described here is expected.
>
> [email protected] and [email protected] are two different users for sssd.
>
> > > sssd does not use realms for option "domains"
> > > realm is usually uppercase. sssd can use any string there
> > > but we usually recommend dns domain name for IPA and AD
> > > which is usually lowercase.
> >
> > That was a typo on my part (directly from memory ... getting old :)
> > I have
> >     domains = transmode.se, infinera.com
> > Now transmode.se is default and if I switch to
> >     domains = infinera.com, transmode.se
> > Then infinera.com is default
> >
> > > This is a reason why sssd has an option krb5_realm (man sssd-krb5)
> >
> > Yes, I have that one too, one for each domain
> >
> > > > not the default realm krb5.conf:
> > > >     default_realm = REALM2
> > >
> > > sssd does not know the value of krb5_realm in krb5.conf
> >
> > So it seems which is confusing, why will not sssd listen to default_realm ?
>
> maybe you did not get a message from previous mail.

Obviously ...

> domains in sssd.conf can be anything (default, test, LDAP ...).
> man sssd.conf says:
>     domains
>         A domain is a database containing user information. SSSD can use
>         more domains at the same time, but at least one must be configured
>         or SSSD won't start. This parameter describes the list of domains
>         in the order you want them to be queried. A domain name should only
>         consist of alphanumeric ASCII characters, dashes, dots and
>         underscores.
>
> It is just a convenience to use dns domain name for IPA and AD.
>
> That's the reason why sssd does not know anything about default_realm.
> It is a totally different option in different configuration file.

Got it! Thanks
 Jocke
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
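The point the thread settles on, as an added configuration example that is not part of the original mails or of the sssd project's own documentation: the order of `domains =` in sssd.conf decides which domain an unqualified login is resolved in, the realm sssd uses for that domain comes from that domain's own `krb5_realm`, and `default_realm` in krb5.conf is read only by libkrb5 callers such as kinit. The domain names are the two from the thread; the providers, LDAP URIs and KDC host names are placeholders I have assumed, not values from the thread.

```ini
# /etc/sssd/sssd.conf  (constructed example; server names are placeholders)
[sssd]
config_file_version = 2
services = nss, pam
# An unqualified login ("user") is looked up in the FIRST domain listed
# here and, if found, authenticated in that domain. Reordering this list
# is what moves the default; nothing in krb5.conf influences it.
domains = infinera.com, transmode.se

[domain/infinera.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ldap.infinera.com          # assumed
# krb5_realm is the realm sssd actually uses to build the principal
# for a user found in this domain (see man sssd-krb5).
krb5_realm = INFINERA.COM
krb5_server = kdc.infinera.com               # assumed

[domain/transmode.se]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ldap.transmode.se          # assumed
krb5_realm = TRANSMODE.SE
krb5_server = kdc.transmode.se               # assumed

# /etc/krb5.conf  (constructed example)
[libdefaults]
# Consulted by libkrb5 when a principal has no realm part, e.g. "kinit user".
# Setting this to TRANSMODE.SE does NOT change which sssd domain an
# unqualified LXDM login ends up in; only the domains = order above does.
default_realm = INFINERA.COM
```

With this configuration a plain `user` at the login prompt is resolved in infinera.com and gets a ticket for user@INFINERA.COM. A user who exists only in the second domain, or the same short name in the other directory, must log in as `user@transmode.se`, which is the sssd domain name rather than the Kerberos realm; sssd treats user@infinera.com and user@transmode.se as two different users, exactly as the thread says. Changing `default_realm` in krb5.conf will alter what `kinit user` does from a shell, but not what sssd does, so the two files should be kept in agreement deliberately rather than expected to follow each other.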
