Has anyone figured out how to make sssd utilize a Microsoft read-only Domain Controller (RODC)?
The host we want to join to AD is already behind the RODC. So, we are trying to "join" the host to the RODC by pre-creating a computer account object in AD (via a RWDC), then exporting a Kerberos keytab file to install on the client host. On the client host, in the /etc/krb5.conf file, we have overridden the "kdc" setting for our domain, pointing it to the RODC. In /etc/sssd/sssd.conf, we have set "ad_server" for our domain, pointing it to the RODC.

Using the exported keytab file, we can run "kinit -k" successfully. But no matter how we create the computer account object, or how we export the Kerberos keytab, sssd cannot use the resulting keytab file to authenticate to the RODC: when sssd sends the AS-REQ, the RODC always replies with KRB5KDC_ERR_PREAUTH_FAILED.

I'm beginning to suspect that sssd just doesn't work with RODCs: if "kinit -k" can successfully authenticate and acquire a service principal using the keytab file we exported to the client from the RWDC, then why can't sssd successfully use it?

Can anyone confirm that you have sssd successfully speaking to a Microsoft RODC? If so, did you join the client host to a RWDC and then move it behind the RODC? Or did you pre-create the machine account on the RWDC and export the Kerberos keytab to the client? If the latter, do you have the exact net/admod/ktpass commands you used to pre-create the computer account and export the keytab in a way that is compatible with sssd?

Thanks in advance for any pointers or advice!

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
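A diagnostic added here, not from the original post or from the sssd project: on MIT krb5, "kinit -k" with no principal argument only exercises host/<fqdn>@REALM, whereas sssd chooses its principal by scanning the keytab, so a keytab in which only the host/ entry is usable still passes "kinit -k". The script below requests a TGT with every principal the keytab holds and flags principals stored under more than one kvno; it assumes MIT klist/kinit, the keytab path /etc/krb5.keytab unless KEYTAB is set, and the constructed klist output in sample_klist_output.

```shell
#!/bin/sh
# Added diagnostic, not from the original post: try every principal in a
# keytab against the KDC. "kinit -k" only proves its default principal
# (host/<fqdn>@REALM on MIT krb5); sssd picks a principal from the keytab.
# Assumes MIT klist/kinit; the KEYTAB path is an assumption (override via env).
KEYTAB="${KEYTAB:-/etc/krb5.keytab}"
# Parse MIT "klist -kt" output from stdin (no -e, so the last field is the
# principal) into unique "principal kvno" lines; skips the 3 header lines.
keytab_principals() {
    awk 'NR > 3 && NF >= 3 { print $NF, $1 }' | sort -u
}

# List principals stored under more than one kvno, usually a stale export
# left beside a newer one; worth knowing before reading a PREAUTH failure.
mixed_kvno() {
    keytab_principals | awk '{ k[$1] = (k[$1] == "" ? $2 : (k[$1] "," $2)); n[$1]++ }
        END { for (p in n) if (n[p] > 1) print p, k[p] }'
}

# Constructed sample of "klist -kt" output, used to exercise the parsers
# offline; the realm, host and kvnos are made up for this example.
sample_klist_output() {
    cat <<'EOF'
Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- -------------------------------------------------
   2 01/02/2024 10:00:00 host/client.example.com@EXAMPLE.COM
   2 01/02/2024 10:00:00 host/client.example.com@EXAMPLE.COM
   2 01/02/2024 10:00:00 CLIENT$@EXAMPLE.COM
   3 03/04/2024 11:00:00 CLIENT$@EXAMPLE.COM
EOF
}
# Request a TGT for each principal into a throwaway cache, so the user's
# own credentials are untouched, and print which ones the KDC rejects.
try_all_principals() {
    cc="$(mktemp)"
    klist -kt "$KEYTAB" | mixed_kvno | sed 's/^/WARN mixed kvno: /'
    klist -kt "$KEYTAB" | keytab_principals | while read -r princ kvno; do
        if KRB5CCNAME="FILE:$cc" kinit -kt "$KEYTAB" "$princ" 2>"$cc.err"; then
            echo "OK     kvno=$kvno $princ"
        else
            echo "FAILED kvno=$kvno $princ: $(tr -d '\n' <"$cc.err")"
        fi
    done
    rm -f "$cc" "$cc.err"
}
# Only touch the real keytab and KDC when explicitly asked.
if [ "${RUN_KEYTAB_CHECK:-0}" = 1 ]; then
    try_all_principals
fi
```

Run it as RUN_KEYTAB_CHECK=1 KEYTAB=/path/to/keytab sh keytab-check.sh on the client host; a FAILED line for a principal that "kinit -k" never tried narrows the problem to that keytab entry rather than to the RODC as a whole.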