On Tue, 2018-04-24 at 12:52 +0200, Sumit Bose wrote:
> 
> On Tue, Apr 24, 2018 at 10:33:04AM +0000, Joakim Tjernlund wrote:
> > On Tue, 2018-04-24 at 11:19 +0100, John Hodrien wrote:
> > > 
> > > On Tue, 24 Apr 2018, Joakim Tjernlund wrote:
> > > 
> > > > It seems like a missing keytab file prevents any login in a AD connected
> > > > sssd. Does it need to be so?
> > > > 
> > > > I have a vague memory from the past that a missing/invalid keytab file
> > > > only prevented SSO but allowed login using your password ?
> > > 
> > > Presumably you can make it work without needing a keytab if you use ldap 
> > > as an
> > > auth provider.

Actually, this might have been the case long ago, but I cannot say for sure.

> > > 
> > > If you're using AD, you're using kerberos and ldap.  If you're using 
> > > kerberos,
> > > you need to be able to validate the KDC.  How would you plan on doing 
> > > that?
> > 
> > I remember being able to log in using pw when I have a keytab but an invalid
> > kvno in the keytab. Is this case any different from not having a keytab at
> > all?
> 
> The AD LDAP service requires authentication and by default the keytab
> created while joining the AD domain is used by SSSD's AD provider to
> authenticate against AD to be able to lookup user, groups and other
> data.
> 
> For user authentication the keytab is used to validate the Kerberos
> ticket returned by the AD DC.
> 
> If SSSD is in offline state only cached data is used, in this case the
> keytab is not needed.
> 
> If you add the needed parameters to sssd.conf to use a simple LDAP bind
> for authentication and disable ticket validation you do not need a valid
> keytab. But I would recommend to just make sure a valid keytab is
> available.

Yes, but every now and then joining the domain or losing the keytab during a
computer upgrade happens, and then no one can log in other than local root,
which is impractical.
Can one combine simple LDAP bind with xxx_provider=ad?

 Jocke

> 
> HTH
> 
> bye,
> Sumit
> 
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
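The two layouts Sumit contrasts above, written out as an sssd.conf fragment. This is an added example, not a configuration posted in the thread or shipped by the SSSD project: the domain name, realm, DC host name, bind DN, service-account password and CA path are placeholders. The fallback section uses the classic LDAP provider with `ldap_schema = ad` because that layout is known to work with a simple bind and no keytab at all; whether the same can be done while keeping `id_provider = ad` is exactly the question left open at the end of the thread, and the example does not answer it.

```ini
# /etc/sssd/sssd.conf (added example with placeholder names; must be mode 0600, owned by root)
[sssd]
domains = example.com
services = nss, pam

# Recommended layout: AD provider for identity and authentication.
# The host keytab written by the domain join is used both for the GSSAPI
# bind that backs user/group lookups and for validating the TGT that the
# DC returns during password login (krb5_validate defaults to true here).
# A missing or stale keytab therefore blocks every non-cached login.
[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
krb5_keytab = /etc/krb5.keytab
krb5_validate = true

# Fallback layout: no keytab involved. Lookups use a simple bind with a
# dedicated read-only service account, and user authentication is a simple
# bind with the user's own password. Because the credentials now travel
# inside the LDAP session, the TLS settings below are what stands in for
# the ticket validation you lose: connect over LDAPS only and require a
# certificate that chains to the AD CA, so a forged DC cannot harvest
# passwords. The service-account password sits in clear text in this file,
# which is why the 0600/root permissions above matter.
#[domain/example.com]
#id_provider = ldap
#auth_provider = ldap
#ldap_schema = ad
#ldap_id_mapping = true
#ldap_referrals = false
#ldap_uri = ldaps://dc1.example.com
#ldap_search_base = DC=example,DC=com
#ldap_default_bind_dn = CN=svc-sssd,OU=Service Accounts,DC=example,DC=com
#ldap_default_authtok = PLACEHOLDER_SERVICE_ACCOUNT_PASSWORD
#ldap_tls_cacert = /etc/pki/tls/certs/ad-ca.pem
#ldap_tls_reqcert = demand
```

Only one of the two `[domain/example.com]` sections may be active at a time; the fallback is commented out so the recommended layout is what loads by default. Both sections are plain sssd.conf syntax and are read by `sssd` on restart.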
