We have multiple Linux servers configured with SSSD/realmd for authentication
to Active Directory. The systems are configured without winbind, so they use
Kerberos to authenticate to the domain. Once SMBv1 was disabled on the domain
controller, none of the machines could authenticate users. Any idea why this
would happen when we should be configured for Kerberos authentication?
**** /etc/sssd/sssd.conf ****
# NSS responder: serves user and group lookups to the system.
[nss]
# Never resolve root (user or group) through SSSD; it stays a local account.
filter_groups = root
filter_users = root
# How many times to retry reconnecting to the data provider after it crashes or restarts.
reconnection_retries = 3
# Shell to use when the shell returned by the directory is not installed on this host.
shell_fallback = /bin/bash
# Home directory to use when the directory returns none; %u expands to the login name.
fallback_homedir = /home/%u
# PAM responder: handles authentication, account and password requests.
[pam]
# How many times to retry reconnecting to the data provider after it crashes or restarts.
reconnection_retries = 3
# Monitor section: lists the domains and responders SSSD starts.
[sssd]
# A single domain is configured; its settings live in the matching [domain/...] section.
domains = internal.example.domain
config_file_version = 2
# Responders to start: NSS, PAM, and ifp (the InfoPipe D-Bus interface).
services = nss, pam, ifp
# Domain section: identity, authentication, access control and password change
# are all handled by the AD provider.
[domain/internal.example.domain]
id_provider = ad
auth_provider = ad
# NOTE(review): with access_provider = ad the provider's GPO-based access control
# (ad_gpo_access_control) can apply; it retrieves policy files from the DC's SYSVOL
# share over SMB, so it is a non-Kerberos dependency worth checking after an
# SMB protocol change. The default mode depends on the SSSD version; confirm in the logs.
access_provider = ad
chpass_provider = ad
# Do not update this host's DNS record in AD.
dyndns_update = False
ad_domain = internal.example.domain
krb5_realm = INTERNAL.EXAMPLE.DOMAIN
# Written by realmd; records that the host was joined with adcli.
realmd_tags = manages-system joined-with-adcli
# No credentials are cached, so logins cannot succeed while the DC is unreachable.
cache_credentials = False
# Do not keep the password to obtain a ticket later if authentication happened offline.
krb5_store_password_if_offline = False
# UIDs/GIDs are derived from the AD SID rather than read from POSIX attributes.
ldap_id_mapping = True
# Users log in with short names (user, not user@domain).
use_fully_qualified_names = False
# Home directory and shell are read from these AD attributes when they are set.
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
# Cached entries expire immediately; presumably every lookup goes to the backend - verify.
entry_cache_timeout = 0
# Do not query the Global Catalog.
ad_enable_gc = False
**** /etc/krb5.conf ****
# Kerberos library defaults. Only the default realm is shown; no [realms] section
# appears here, so KDC discovery presumably relies on DNS SRV records - verify.
[libdefaults]
default_realm = INTERNAL.EXAMPLE.DOMAIN
**** realm list ****
% sudo realm list
internal.example.domain
type: kerberos
realm-name: INTERNAL.EXAMPLE.DOMAIN
domain-name: internal.example.domain
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: sssd-tools
required-package: sssd
required-package: libnss-sss
required-package: libpam-sss
required-package: adcli
required-package: samba-common-bin
login-formats: %U
login-policy: allow-realm-logins
--
Brenden