Thanks Justin, very prescient. 😊 After looking through the logs it looks like we have a subdomain(?) or possibly our root domain(?) that is being automatically discovered which is causing a search for the host key and possibly is presenting some domain confusion as it is trying to request a TGT for that domain, but since the host is not joined to that domain the default host key is not working.
I have added the ad_enabled_domains to set the specific domain we are joined to and that seems to work OK and I can log in via password now. Apparently SSSD 2.X is much better at discovering domains than 1.16. Thanks again for your help, much appreciated!

-nik

> -----Original Message-----
> From: Justin Stephenson <[email protected]>
> Sent: Tuesday, February 23, 2021 3:04 PM
> To: End-user discussions about the System Security Services Daemon <sssd-
> [email protected]>
> Subject: [SSSD-users] Re: SSSD-AD Password auth at 2.3 level (CentOS 8)?
>
> Hi,
>
> You are right, the question is why does a second ldap child get forked
> - the /var/log/sssd/domain_$domain.log should give some clues. As a guess
> you may need to set `ad_enabled_domains = domain.bu.edu' in sssd.conf to
> disable auto discovery of trusted domains. If this doesn't help please send
> me the sanitized domain log directly and I can take a look.
>
> -Justin
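For readers landing on this thread, here is an added example of what the fix looks like in sssd.conf. It is not from the thread or from the SSSD project; it uses the domain name domain.bu.edu that Justin quoted, and the other keys are standard sssd-ad(5)/sssd.conf(5) options chosen to make the fragment complete. Adjust the domain name to the one your host is actually joined to.

```ini
# /etc/sssd/sssd.conf (added example; file must be owned by root, mode 0600)
[sssd]
config_file_version = 2
services = nss, pam
domains = domain.bu.edu

[domain/domain.bu.edu]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = domain.bu.edu

# Pin SSSD to the single domain this host is joined to. Without this, SSSD 2.x
# auto-discovers the parent/trusted domains in the forest and tries to obtain
# TGTs for them too; the host keytab only holds keys for the joined domain, so
# those lookups fail and password auth can break.
ad_enabled_domains = domain.bu.edu

# Temporarily raise verbosity while diagnosing (logs land under /var/log/sssd/);
# drop back to the default once auth works.
debug_level = 6
```

After editing, restart the daemon (`systemctl restart sssd`) and, if stale entries are suspected, clear the cache with `sss_cache -E` before retesting a password login. If the host is part of a forest with several domains whose users must log in here, list each of them comma-separated in `ad_enabled_domains` rather than leaving discovery on.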
