On (22/02/20 09:52), Spike White wrote:
>All,
>
>When I was first crafting my sssd.conf file, I very much attempted to make
>all my sssd domains upper-case.  Because in my (naive) view, an AD domain
>is just a Kerberos realm (+ LDAP + nice admin screens).
>
>As you know, Kerberos is very much case-sensitive.  (Technically, AD is
>not, but the convention in the /etc/krb5.conf file is to always put
>Kerberos realms in upper case).
>
>Back to sssd.
>
>When sssd auto-discovered the other parent and child domains, it discovered
>them in lower case.  I was left with a mix of upper and lower-case sssd
>domains.  Even worse, the one local AD domain showed up twice.  Once in
>upper-case (explicitly defined in sssd.conf) and once in lower-case
>(auto-discovered).
>
>Eventually, I gave up and went with the (apparently recommended sssd)
>convention of lower-case sssd domain names.  In the domain definition, I
>list the krb5_realm in upper case:
>
>   [domain/amer.example.com]
>   ...
>   krb5_realm = AMER.EXAMPLE.COM
>
>This is extremely unimportant (lower case works).  But is there an option
>to auto-discover sssd domains in upper case?
>

An SSSD domain is not the same as a Kerberos realm name.
Usually, tools like ipa-client-install and realmd generate
a lower-case version of the krb5 realm because it is simpler :-)
But you could use any name for sssd.

e.g.

[domain/at_work]
   ...
   krb5_realm = AMER.EXAMPLE.COM

[domain/at_fedora]
   ...
   krb5_realm = FEDORAPROJECT.ORG

[domain/home]
   ...
   krb5_realm = MYAD.TEST.NET

User "johny@at_work" will get a krb5 ticket with principal 
[email protected]

Some domains (usually AD) have the option "case_sensitive = true" enabled in the
domain section (by default with id_provider ad).

Therefore getent passwd johny@at_work and johny@AT_WORK will return the same
ID. But getent passwd [email protected] will not return anything
because such sssd domain does not exist :-)

And vice versa, kinit [email protected] will work but kinit johny@AT_WORK
will not work.

HTH

LS
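
The split described in the reply above (SSSD domain names are free-form labels, the Kerberos realm comes from krb5_realm), as an added example that is not part of the original thread and not SSSD's own code. The sample config is constructed, the function names are hypothetical, and matching the domain part without regard to case follows the reply's description.

```python
import configparser

# Constructed sample; section names and realms follow the reply, except
# that the "home" realm is lower-cased here to trigger the realm check.
SAMPLE_CONF = """
[sssd]
domains = at_work, at_fedora, home

[domain/at_work]
id_provider = ad
krb5_realm = AMER.EXAMPLE.COM

[domain/at_fedora]
krb5_realm = FEDORAPROJECT.ORG

[domain/home]
krb5_realm = myad.test.net
"""

def load_domains(conf_text):
    """Return ({sssd domain name: krb5_realm or None}, [warnings])."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    domains, warnings, seen = {}, [], {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name = section[len("domain/"):]
        realm = cp.get(section, "krb5_realm", fallback=None)
        domains[name] = realm
        # Two sections that differ only in case are easy to confuse.
        if name.lower() in seen:
            warnings.append(f"{name}: same as {seen[name.lower()]} except for case")
        seen.setdefault(name.lower(), name)
        # Kerberos realms are case-sensitive and upper-case by convention.
        if realm and realm != realm.upper():
            warnings.append(f"{name}: krb5_realm {realm} is not upper-case")
    return domains, warnings

def principal_for(fq_name, domains):
    """Map user@<sssd domain> to user@<REALM>; None if no such SSSD domain."""
    user, _, dom = fq_name.rpartition("@")
    for name, realm in domains.items():
        # Domain part compared without regard to case, per the reply above.
        if user and realm and name.lower() == dom.lower():
            return f"{user}@{realm}"
    return None
```
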