[SSSD-users] Re: Is it possible to do substring replacement in ldap home directory in sssd
Thanks for the reply. I agree such a multi-level directory structure is meaningless, but it's hard to change the structure in a production environment now. Fortunately we finally found an alternative solution, using the %H pattern with the homedir_substring option. Anyway, I think sssd should enhance the flexibility of home path modification. The substitution patterns currently provided are too simple to meet some complex path mapping requirements.

___ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
[SSSD-users] Is it possible to do substring replacement in ldap home directory in sssd
I know sssd has the override_homedir option to modify the home path obtained from LDAP, but its substitution pattern is too simple. Consider the case: the user is bob and their group is class1, and their home directory from LDAP is "/remote/home/class1/bob". Now we want to change the home directory on some specific node to "/local/home/class1/bob". However, sssd's override_homedir only provides %u to represent the user name bob; there is no pattern for the group class1. Thus we cannot directly set override_homedir to something like "/local/home/%g/%u". Another modification method is to replace the substring remote with local, as in a bash script we can write ${home/remote/local}. override_homedir provides %o to represent the original LDAP home path, but does it support substring replacement?
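The following is an added example, not code from the thread or from the SSSD project. It re-implements in Python the substitution table that sssd.conf(5) documents for override_homedir (%u, %U, %d, %f, %l, %P, %o, %H, %%) and runs the three ideas from the thread against one constructed user record and two constructed per-host sssd.conf fragments: %o on its own, the hoped-for %g, and the %H/homedir_substring approach from the follow-up. Everything about bob, class1, the hosts and the example.com domain is constructed. One assumption is stated from the homedir_substring entry in sssd.conf(5), which says an LDAP entry can carry the %H template directly: when override_homedir is unset, the homeDirectory value fetched from LDAP is expanded as a template. Two things worth keeping in mind when using that trick in production: the template now lives in LDAP, so anyone who can write homeDirectory there chooses where home directories land on every client, and the value substituted for %H is whatever each host's sssd.conf says, so host configuration management decides the final path.

```python
"""Template expansion for SSSD's override_homedir, as an added example.

This is not SSSD's code. It re-implements, in Python, the substitution
table that sssd.conf(5) documents for override_homedir (%u %U %d %f %l
%P %o %H %%) so the approaches from the thread can be compared on a
constructed user record and two constructed per-host sssd.conf
fragments. Assumed, per the homedir_substring entry in sssd.conf(5):
a homeDirectory value fetched from LDAP that contains %H is itself
expanded when override_homedir is unset.
"""
import configparser

# Constructed sssd.conf fragments for two hosts (the option name is real).
NODE_CONFIGS = {
    "remote-node": "[domain/LDAP]\nhomedir_substring = /remote/home\n",
    "local-node": "[domain/LDAP]\nhomedir_substring = /local/home\n",
}

# Constructed identity record, shaped like what SSSD fetches from LDAP.
USER = {
    "name": "bob",
    "uid": 1001,
    "domain": "example.com",
    "upn": "bob@EXAMPLE.COM",
}


def expand_homedir_template(template, user, original_homedir, homedir_substring):
    """Expand the %-sequences sssd.conf(5) lists for override_homedir.

    %o copies the identity provider's value verbatim: there is no
    substring editing, which answers the thread's question. Sequences
    SSSD does not define (the thread's hoped-for %g for the primary
    group) are rejected rather than silently passed through.
    """
    subst = {
        "u": user["name"],
        "U": str(user["uid"]),
        "d": user["domain"],
        "f": f"{user['name']}@{user['domain']}",
        "l": user["name"][:1],
        "P": user["upn"],
        "o": original_homedir,
        "H": homedir_substring,
        "%": "%",
    }
    out = []
    i = 0
    while i < len(template):
        if template[i] != "%":
            out.append(template[i])
            i += 1
            continue
        if i + 1 == len(template):
            raise ValueError("dangling '%' at end of template")
        spec = template[i + 1]
        if spec not in subst:
            raise ValueError(f"%{spec} is not a supported sequence")
        out.append(subst[spec])
        i += 2
    return "".join(out)


def resolve_homedir(node, ldap_homedir, override_homedir=None):
    """Compute the home directory SSSD would hand to NSS on `node`.

    `ldap_homedir` is the homeDirectory attribute as stored in LDAP. If
    override_homedir is set it wins (with %o standing for ldap_homedir);
    otherwise the LDAP value is the template, and %H inside it becomes
    the host's homedir_substring (default /home, as in sssd.conf(5)).
    """
    # interpolation=None: real sssd.conf values contain '%', which
    # configparser's default interpolation would try to interpret.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(NODE_CONFIGS[node])
    substring = cfg.get("domain/LDAP", "homedir_substring", fallback="/home")
    template = override_homedir if override_homedir is not None else ldap_homedir
    return expand_homedir_template(template, USER, ldap_homedir, substring)


if __name__ == "__main__":
    # First idea: %o only reproduces the LDAP path, no remote->local edit.
    print(resolve_homedir("local-node", "/remote/home/class1/bob", "%o"))
    # Second idea fails: SSSD defines no %g for the group.
    try:
        resolve_homedir("local-node", "/remote/home/class1/bob", "/local/home/%g/%u")
    except ValueError as err:
        print("rejected:", err)
    # Follow-up's solution: store "%H/class1/bob" in LDAP and set
    # homedir_substring per host, so one entry resolves differently.
    for node in NODE_CONFIGS:
        print(node, resolve_homedir(node, "%H/class1/bob"))
```

Run it as a script to see the three cases; the %g attempt is reported as an unsupported sequence, while the same LDAP value "%H/class1/bob" resolves to /local/home/class1/bob on the host whose sssd.conf sets homedir_substring = /local/home and to /remote/home/class1/bob on the other.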
Re: [SSSD-users] authenticating against all sub-domains in AD forest
Hi, Thanks for your reply. I was originally using LDAP as the id_provider but it was suggested I try the AD id_provider. The nice advantage of the AD id_provider was that the keytab was created automatically. When I used the LDAP provider I had to create it on the AD DC. I'll have another go at the LDAP provider and check I have all domains / subdomains in sssd.conf and krb5.conf. Are your Linux clients joined to subdomains rather than the parent domain? Thanks, Matt

From: kara...@aselsan.com.tr To: sssd-users@lists.fedorahosted.org Date: Tue, 19 Nov 2013 12:28:46 +0200 Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest

We have a similar Windows AD forest: company.com (forest root domain), subA.company.com (subdomain), subB.company.com (subdomain). I am using ldap as id_provider: id_provider = ldap. If you are using ldap as id_provider you must have 3 domain sections in sssd.conf:

[sssd]
domains = company.com, subA.company.com, subB.company.com
...
[domain/company.com]
[domain/subA.company.com]
...
[domain/subB.company.com]

In short: for each domain you have to have a domain section. Additionally your krb5.conf file must include all domains. If you are using id_provider = ad, I think only the root domain section is sufficient, but I didn't try it before. But in any case you have to have 3 domains in krb5.conf I think. Taner KARAGOL. You can mail karagol at gmail for additional information.

Date: Mon, 16 Sep 2013 15:22:47 +0200 From: jhro...@redhat.com To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest

On Mon, Sep 16, 2013 at 01:17:22PM +, a t wrote: Hi, I am trying to find a standard config for Linux authentication against Active Directory and I am testing with CentOS 6. I have decided on a SSSD/Kerberos/LDAP configuration as described in Red Hat's Integrating Red Hat Enterprise Linux 6 with Active Directory, section 6.3. http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/ae40084d0a052601783f1ea42715cdef/26/jcr:frozenNode/rh:resourceFile It works very well but for the one domain in our forest, i.e. b.domain.org. However, users of other domains in the forest can not be authenticated. This is understandable as I have pointed all the config files at the child domain's DCs, i.e. dc1.b.domain.org rather than dc1.domain.org. I have been searching for example configurations which will authenticate any user in the forest even though the Linux installation is joined to a different child domain but have not found any.

Scenario I would like to implement:
Linux installation hostname = lin1
lin1 joined to domain b.domain.org
users from b.domain.org can log in to lin1.b.domain.org
users from all child domains of domain.org can log in to lin1.b.domain.org, for example a.domain.org, c.domain.org or z.domain.org

I have attached my current config files as a reference. They work for a single domain rather than the whole forest. I suppose I am stuck whether to add each AD child domain as separate domains in SSSD and REALMS in Kerberos or if I can get it to see the whole forest. Thanks for any help / pointers, Matthew

___ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Re: [SSSD-users] authenticating against all sub-domains in AD forest
Hi Jakub, I sent the logs you requested directly to you as you suggested so I didn't need to obfuscate them. However, I am not sure you received the email? Thanks, Matthew

--- Original Message --- From: Jakub Hrozek jhro...@redhat.com Sent: 1 October 2013 19:44 To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest

On Sun, Sep 29, 2013 at 02:41:11PM +0100, a t wrote: Hi, That user, test.user, is in the subdomain a.domain.org. The logs mark domain.org as a subdomain of b.domain.org. However, this is not correct - domain.org is the root domain of which b.domain.org is a subdomain. We do not have users in the root domain. All users are in other subdomains. I believe the user I tested in another subdomain, mhunt.t...@a.domain.org, did not show in the logs. When I tried to log in with mhunt.t...@a.domain.org the logs show that sssd believes that domain a is a subdomain of b.domain.org rather than another subdomain of domain.org. I might have to ask if I can send un-obfuscated logs in case I am adding in confusion! Thanks, Matthew

Interesting, I see no fatal error in the domain log, then. Could you also paste the tail of /var/log/secure after the auth and also put the debug_level directive into the [pam] section as well? If you prefer, you can send the logs directly to me without obfuscation.
Re: [SSSD-users] authenticating against all sub-domains in AD forest
Date: Tue, 1 Oct 2013 20:43:54 +0200 From: jhro...@redhat.com To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest

On Sun, Sep 29, 2013 at 02:41:11PM +0100, a t wrote: Hi, That user, test.user, is in the subdomain a.domain.org. The logs mark domain.org as a subdomain of b.domain.org. However, this is not correct - domain.org is the root domain of which b.domain.org is a subdomain. We do not have users in the root domain. All users are in other subdomains. I believe the user I tested in another subdomain, mhunt.t...@a.domain.org, did not show in the logs. When I tried to log in with mhunt.t...@a.domain.org the logs show that sssd believes that domain a is a subdomain of b.domain.org rather than another subdomain of domain.org. I might have to ask if I can send un-obfuscated logs in case I am adding in confusion! Thanks, Matthew

Interesting, I see no fatal error in the domain log, then. Could you also paste the tail of /var/log/secure after the auth and also put the debug_level directive into the [pam] section as well? If you prefer, you can send the logs directly to me without obfuscation.

Hi, I'll send the logs direct, thank you. I have debug_level = 8. Is that OK or too chatty? Thanks, Matthew
Re: [SSSD-users] authenticating against all sub-domains in AD forest
From: adammtem...@hotmail.com To: sssd-users@lists.fedorahosted.org Date: Thu, 3 Oct 2013 10:37:03 + Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest

Date: Tue, 1 Oct 2013 20:43:54 +0200 From: jhro...@redhat.com To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest

On Sun, Sep 29, 2013 at 02:41:11PM +0100, a t wrote: Hi, That user, test.user, is in the subdomain a.domain.org. The logs mark domain.org as a subdomain of b.domain.org. However, this is not correct - domain.org is the root domain of which b.domain.org is a subdomain. We do not have users in the root domain. All users are in other subdomains. I believe the user I tested in another subdomain, mhunt.t...@a.domain.org, did not show in the logs. When I tried to log in with mhunt.t...@a.domain.org the logs show that sssd believes that domain a is a subdomain of b.domain.org rather than another subdomain of domain.org. I might have to ask if I can send un-obfuscated logs in case I am adding in confusion! Thanks, Matthew

Interesting, I see no fatal error in the domain log, then. Could you also paste the tail of /var/log/secure after the auth and also put the debug_level directive into the [pam] section as well? If you prefer, you can send the logs directly to me without obfuscation.

Jakub, please see the PAM log below:

(Thu Oct 3 14:23:50 2013) [sssd[pam]] [server_setup] (0x0400): CONFDB: /var/lib/sss/db/config.ldb
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [confdb_get_domain_internal] (0x0400): No enumeration for [B.DOMAIN.ORG]!
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [confdb_get_domain_internal] (0x1000): pwd_expiration_warning is -1
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sbus_init_connection] (0x0400): Adding connection 0x15634e0
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sbus_add_watch] (0x2000): 0x1563a10/0x155e950 (12), -/W (enabled)
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [monitor_common_send_id] (0x0100): Sending ID: (pam,1)
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x155e580
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_names_init_from_args] (0x0100): Using re [(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))].
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_fqnames_init] (0x0100): Using fq format [%1$s@%2$s].
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_fqnames_init] (0x0100): Found the pattern for domain name
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sbus_init_connection] (0x0400): Adding connection 0x1562880
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sbus_add_watch] (0x2000): 0x1565200/0x1562680 (13), -/W (enabled)
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [dp_common_send_id] (0x0100): Sending ID to DP: (1,PAM)
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x15656b0
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sysdb_domain_init_internal] (0x0200): DB File for B.DOMAIN.ORG: /var/lib/sss/db/cache_B.DOMAIN.ORG.ldb
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [ldb] (0x0400): asq: Unable to register control with rootdse!
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_process_init] (0x0400): Responder Initialization complete
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/B.DOMAIN.ORG/root] to negative cache permanently
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'root' matched without domain, user is root
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [(null)]
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/GROUP/B.DOMAIN.ORG/root] to negative cache permanently
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [responder_set_fd_limit] (0x0100): Maximum file descriptors set to [8192]
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x41b4b0:doma...@b.domain.org]
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_dp_get_domains_msg] (0x0400): Sending get domains request for [B.DOMAIN.ORG][forced][]
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sbus_add_timeout] (0x2000): 0x15688b0
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x41b4b0:doma...@b.domain.org]
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [sbus_remove_timeout] (0x2000): 0x15656b0
(Thu Oct 3 14:23:50 2013) [sssd[pam]] [dp_id_callback] (0x0100): Got id ack and version (1) from DP
(Thu Oct 3 14:23:50 2013) [sssd[pam
Re: [SSSD-users] authenticating against all sub-domains in AD forest
Date: Wed, 18 Sep 2013 10:34:03 +0200 From: jhro...@redhat.com To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest

On Tue, Sep 17, 2013 at 01:50:15PM +, a t wrote:

Date: Mon, 16 Sep 2013 15:59:09 +0200 From: jhro...@redhat.com To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest

On Mon, Sep 16, 2013 at 01:45:17PM +, a t wrote:

Date: Mon, 16 Sep 2013 15:22:47 +0200 From: jhro...@redhat.com To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest

On Mon, Sep 16, 2013 at 01:17:22PM +, a t wrote: Hi, I am trying to find a standard config for Linux authentication against Active Directory and I am testing with CentOS 6. I have decided on a SSSD/Kerberos/LDAP configuration as described in Red Hat's Integrating Red Hat Enterprise Linux 6 with Active Directory, section 6.3. http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/ae40084d0a052601783f1ea42715cdef/26/jcr:frozenNode/rh:resourceFile It works very well but for the one domain in our forest, i.e. b.domain.org. However, users of other domains in the forest can not be authenticated. This is understandable as I have pointed all the config files at the child domain's DCs, i.e. dc1.b.domain.org rather than dc1.domain.org. I have been searching for example configurations which will authenticate any user in the forest even though the Linux installation is joined to a different child domain but have not found any.

Scenario I would like to implement:
Linux installation hostname = lin1
lin1 joined to domain b.domain.org
users from b.domain.org can log in to lin1.b.domain.org
users from all child domains of domain.org can log in to lin1.b.domain.org, for example a.domain.org, c.domain.org or z.domain.org

I have attached my current config files as a reference. They work for a single domain rather than the whole forest. I suppose I am stuck whether to add each AD child domain as separate domains in SSSD and REALMS in Kerberos or if I can get it to see the whole forest. Thanks for any help / pointers, Matthew

Hi Matthew, this feature is only supported starting with 1.10 upstream. Even on RHEL-6 I would recommend trying out the AD provider, not the AD/Kerberos provider combo.

Thank you very much for the speedy reply. I'll take another look at the AD provider and keep an eye on future sssd versions.

If you're mostly interested in testing, we build our nightlies even for RHEL6: http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-rhel.repo But tread lightly, it's really a development snapshot :)

Hi Jakub, I installed sssd.x86_64 1.11.1-0.20130912T1711Zgit10bc88a.el6 from the repo you mentioned above. I installed on the same machine using the same config files. All works as expected with no issues I can see. I am going to try to set up sssd with the AD provider on a clean VM. 2 questions; 1) I want a certain amount of SSO - mounting a Windows share with no manual authentication based on Windows permissions. According to http://www.freeipa.org/images/d/dd/Freeipa30_sssd-ad-provider.pdf this is not available until 1.10.

Ah, I see you're referring to slide #11. I think the answer depends on what your requirements are. Login with SSSD gives you a TGT. If there is a client side infrastructure to mount a Windows share based on Kerberos authentication, everything should just work. I think that's what you're referring to as SSO? But currently cifs-utils still require winbind for some tasks like modifying ACLs. Integrating with cifs-utils in order to avoid the winbind dependency completely is on the roadmap for 1.12 currently (the slides are about a year old and we shuffled the priorities a bit). See: https://fedorahosted.org/sssd/wiki/DesignDocs/IntegrateSSSDWithCIFSClient

I see there is a stable 1.11 in a repo or would I need to build from source? I am happy to use the nightly build repo for now and testing but if I roll it out I would obviously
Re: [SSSD-users] authenticating against all sub-domains in AD forest
Date: Mon, 16 Sep 2013 15:59:09 +0200 From: jhro...@redhat.com To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest

On Mon, Sep 16, 2013 at 01:45:17PM +, a t wrote:

Date: Mon, 16 Sep 2013 15:22:47 +0200 From: jhro...@redhat.com To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest

On Mon, Sep 16, 2013 at 01:17:22PM +, a t wrote: Hi, I am trying to find a standard config for Linux authentication against Active Directory and I am testing with CentOS 6. I have decided on a SSSD/Kerberos/LDAP configuration as described in Red Hat's Integrating Red Hat Enterprise Linux 6 with Active Directory, section 6.3. http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/ae40084d0a052601783f1ea42715cdef/26/jcr:frozenNode/rh:resourceFile It works very well but for the one domain in our forest, i.e. b.domain.org. However, users of other domains in the forest can not be authenticated. This is understandable as I have pointed all the config files at the child domain's DCs, i.e. dc1.b.domain.org rather than dc1.domain.org. I have been searching for example configurations which will authenticate any user in the forest even though the Linux installation is joined to a different child domain but have not found any.

Scenario I would like to implement:
Linux installation hostname = lin1
lin1 joined to domain b.domain.org
users from b.domain.org can log in to lin1.b.domain.org
users from all child domains of domain.org can log in to lin1.b.domain.org, for example a.domain.org, c.domain.org or z.domain.org

I have attached my current config files as a reference. They work for a single domain rather than the whole forest. I suppose I am stuck whether to add each AD child domain as separate domains in SSSD and REALMS in Kerberos or if I can get it to see the whole forest. Thanks for any help / pointers, Matthew

Hi Matthew, this feature is only supported starting with 1.10 upstream. Even on RHEL-6 I would recommend trying out the AD provider, not the AD/Kerberos provider combo.

Thank you very much for the speedy reply. I'll take another look at the AD provider and keep an eye on future sssd versions.

If you're mostly interested in testing, we build our nightlies even for RHEL6: http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-rhel.repo But tread lightly, it's really a development snapshot :)

Hi Jakub, I installed sssd.x86_64 1.11.1-0.20130912T1711Zgit10bc88a.el6 from the repo you mentioned above. I installed on the same machine using the same config files. All works as expected with no issues I can see. I am going to try to set up sssd with the AD provider on a clean VM. 2 questions; 1) I want a certain amount of SSO - mounting a Windows share with no manual authentication based on Windows permissions. According to http://www.freeipa.org/images/d/dd/Freeipa30_sssd-ad-provider.pdf this is not available until 1.10. I see there is a stable 1.11 in a repo or would I need to build from source? I am happy to use the nightly build repo for now and testing but if I roll it out I would obviously want to use a stable version. 2) Are the example configs in http://www.freeipa.org/images/d/dd/Freeipa30_sssd-ad-provider.pdf still valid in 1.10+ for an AD provider set-up? Thanks for your help! Matthew
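An added example, not from the thread and not the SSSD project's own documentation: the two layouts discussed in this thread written out with the thread's domain names. Layout A is the per-domain LDAP-provider arrangement Taner describes (one [domain/...] section per AD domain); Layout B is the AD-provider arrangement Jakub recommends, which relies on SSSD 1.10 or newer discovering the other domains of the forest through the trust with the joined domain. The option names are taken from sssd.conf(5), sssd-ldap(5) and sssd-ad(5); the DC host names dc1.a.domain.org and dc1.domain.org, the realm DOMAIN.ORG, the lin1 host principal and the keytab path are assumptions. The includedir line in the krb5.conf for Layout B assumes a Kerberos library that supports includedir. Two practitioner notes: in Layout A every section binds with the same host keytab, so each DC must accept host/lin1.b.domain.org@B.DOMAIN.ORG via the forest trust and each realm must also be resolvable in krb5.conf; and the sssd.conf in the original post sets enumerate = true, which makes SSSD pull the complete user and group list of every configured domain, something to switch off before multiplying the domain sections.

```ini
# --- Layout A (Taner's approach): id_provider = ldap, one domain section
# per AD domain. The third section for domain.org / DOMAIN.ORG follows the
# same pattern and is left out for brevity.
# file: /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = b.domain.org, a.domain.org, domain.org

[domain/b.domain.org]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.b.domain.org
ldap_schema = ad
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/lin1.b.domain.org@B.DOMAIN.ORG
krb5_realm = B.DOMAIN.ORG
krb5_server = dc1.b.domain.org
use_fully_qualified_names = True

[domain/a.domain.org]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.a.domain.org
ldap_schema = ad
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/lin1.b.domain.org@B.DOMAIN.ORG
krb5_realm = A.DOMAIN.ORG
krb5_server = dc1.a.domain.org
use_fully_qualified_names = True

# --- Layout B (Jakub's recommendation, SSSD 1.10 or newer): one section
# for the joined domain only; the other domains of the forest are found
# through the trust, so nothing per subdomain is listed here.
# file: /etc/sssd/sssd.conf
[sssd]
config_file_version = 2
services = nss, pam
domains = b.domain.org

[domain/b.domain.org]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = b.domain.org
krb5_realm = B.DOMAIN.ORG
krb5_keytab = /etc/krb5.keytab
cache_credentials = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u

# file: /etc/krb5.conf for Layout B. The includedir line pulls in the
# realm and domain mappings SSSD writes for the trusted domains it finds,
# so the realms of a.domain.org, c.domain.org etc. need no manual entries.
includedir /var/lib/sss/pubconf/krb5.include.d/

[libdefaults]
 default_realm = B.DOMAIN.ORG
 dns_lookup_realm = true
 dns_lookup_kdc = true
 forwardable = true
```

With Layout B, users from other domains of the forest log in with their fully qualified name (user@a.domain.org), which is why use_fully_qualified_names is set; the same name form avoids collisions between identically named accounts in different domains.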
[SSSD-users] authenticating against all sub-domains in AD forest
Hi, I am trying to find a standard config for Linux authentication against Active Directory and I am testing with CentOS 6. I have decided on a SSSD/Kerberos/LDAP configuration as described in Red Hat's Integrating Red Hat Enterprise Linux 6 with Active Directory, section 6.3. http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/ae40084d0a052601783f1ea42715cdef/26/jcr:frozenNode/rh:resourceFile It works very well but for the one domain in our forest, i.e. b.domain.org. However, users of other domains in the forest can not be authenticated. This is understandable as I have pointed all the config files at the child domain's DCs, i.e. dc1.b.domain.org rather than dc1.domain.org. I have been searching for example configurations which will authenticate any user in the forest even though the Linux installation is joined to a different child domain but have not found any.

Scenario I would like to implement:
Linux installation hostname = lin1
lin1 joined to domain b.domain.org
users from b.domain.org can log in to lin1.b.domain.org
users from all child domains of domain.org can log in to lin1.b.domain.org, for example a.domain.org, c.domain.org or z.domain.org

I have attached my current config files as a reference. They work for a single domain rather than the whole forest. I suppose I am stuck whether to add each AD child domain as separate domains in SSSD and REALMS in Kerberos or if I can get it to see the whole forest. Thanks for any help / pointers, Matthew

[sssd]
config_file_version = 2
debug_level = 0
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default

[nss]
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/default]
cache_credentials = True
enumerate = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/mhcentos3.b.domain@b.domain.org
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
krb5_realm = B.DOMAIN.ORG

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = B.DOMAIN.ORG
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
B.DOMAIN.ORG = {
  kdc = bdc1.b.domain.org
  admin_server = bdc1.b.domain.org
}
b.domain.org = {
  kdc = bdc1.b.domain.org
  admin_server = bdc1.b.domain.org
}

[domain_realm]
.b.domain.org = B.DOMAIN.ORG
b.domain.org = B.DOMAIN.ORG

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = B.DOMAIN.ORG
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
B.DOMAIN.ORG = {
  kdc = dc1.b.domain.org
  admin_server = dc1.b.domain.org
}
b.domain.org = {
  kdc = dc1.b.domain.org
  admin_server = dc1.b.domain.org
}

[domain_realm]
.b.domain.org = B.DOMAIN.ORG
b.domain.org = B.DOMAIN.ORG