On Tue, Apr 24, 2018 at 11:20:36AM +0000, Joakim Tjernlund wrote:
> On Tue, 2018-04-24 at 12:52 +0200, Sumit Bose wrote:
> > On Tue, Apr 24, 2018 at 10:33:04AM +0000, Joakim Tjernlund wrote:
> > > On Tue, 2018-04-24 at 11:19 +0100, John Hodrien wrote:
> > > > On Tue, 24 Apr 2018, Joakim Tjernlund wrote:
> > > >
> > > > > It seems like a missing keytab file prevents any login in an AD
> > > > > connected sssd. Does it need to be so?
> > > > >
> > > > > I have a vague memory from the past that a missing/invalid keytab file
> > > > > only prevented SSO but allowed login using your password?
> > > >
> > > > Presumably you can make it work without needing a keytab if you use
> > > > ldap as an auth provider.
> >
> > Actually, this might have been the case long ago but cannot say for sure.
> >
> > > > If you're using AD, you're using kerberos and ldap. If you're using
> > > > kerberos, you need to be able to validate the KDC. How would you plan on
> > > > doing that?
> > >
> > > I remember being able to login using pw when having a keytab but an
> > > invalid kvno in the keytab. Is this case any different from not having a
> > > keytab at all?
> >
> > The AD LDAP service requires authentication and by default the keytab
> > created while joining the AD domain is used by SSSD's AD provider to
> > authenticate against AD to be able to look up users, groups and other
> > data.
> >
> > For user authentication the keytab is used to validate the Kerberos
> > ticket returned by the AD DC.
> >
> > If SSSD is in offline state only cached data is used; in this case the
> > keytab is not needed.
> >
> > If you add the needed parameters to sssd.conf to use a simple LDAP bind
> > for authentication and disable ticket validation you do not need a valid
> > keytab. But I would recommend to just make sure a valid keytab is
> > available.
>
> Yes, but every now and then joining the domain or losing the keytab during
> computer upgrade happens and then no one can login other than local root
> and that is impractical.
> Can one combine simple LDAP bind with xxx_provider=ad ?

For the id provider you have to specify ldap_default_bind_dn and
ldap_default_authtok, see man sssd-ldap for details. To disable ticket
validation in the auth provider you can set 'krb5_validate = False', see man
sssd-krb5 for details. But I still would recommend to use the keytab and make
sure it does not get lost :-).

To make authentication work setting krb5_validate should be sufficient for
users which are already in the cache.

bye,
Sumit

>
> Jocke
>
> > HTH
> >
> > bye,
> > Sumit
> >
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
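The two alternatives from Sumit's reply, written out as sssd.conf domain sections. This is an added illustration, not configuration posted in the thread; the domain name, realm, bind DN, service-account name and keytab path are placeholder assumptions, and the option names are the ones documented in man sssd-ad, sssd-ldap and sssd-krb5.

```ini
# Added example, not from the thread. Placeholders: example.com / EXAMPLE.COM,
# the bind DN and the keytab path are assumptions for illustration only.

[sssd]
services = nss, pam
domains = example.com

# Recommended variant: keep the host keytab from the domain join and leave
# ticket validation on. SSSD uses the keytab both for the GSSAPI bind to
# AD LDAP (user/group lookups) and to validate the TGT the DC returns, so
# a spoofed KDC cannot hand the host a ticket that passes validation.
[domain/example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
krb5_keytab = /etc/krb5.keytab
krb5_validate = True
cache_credentials = True

# Fallback variant described in the reply (replaces the section above, same
# section name): the id provider binds to AD LDAP with a plain service
# account instead of the keytab, and the auth provider skips validating the
# TGT against the host key. Users already in the cache can then log in with
# their password even when the keytab is missing or has a stale kvno.
# Weakness: without validation, password authentication trusts whichever
# KDC answered, so treat this as a recovery setting, not a steady state.
[domain/example.com]
id_provider = ad
auth_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
ldap_default_bind_dn = CN=sssd-bind,OU=Service Accounts,DC=example,DC=com
ldap_default_authtok_type = obfuscated_password
ldap_default_authtok = <output of sss_obfuscate, placeholder>
# Assumption: if SSSD still attempts a GSSAPI bind with the AD provider,
# ldap_sasl_mech in man sssd-ldap is the knob to check.
krb5_validate = False
cache_credentials = True
```

Because the bind password lands in sssd.conf, the file must stay root-owned with mode 0600, which sssd enforces at startup.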
