On Mon, 2011-10-03 at 17:27 -0400, Simo Sorce wrote:
> On Mon, 2011-10-03 at 16:57 -0400, Stephen Gallagher wrote:
> > On Mon, 2011-10-03 at 22:47 +0200, Andy Kannberg wrote:
> > > Hi again,
> > >
> > >
> > > After a few hours of trial and error, I've figured it out and got it
> > > working. Well, partly that is.
> > > We use LDAP(Novell eDirectory) primary as identity vault and
> > > Kerberos(AD) for primary authentication source and LDAP as fallback
> > > authentication source.
> > > So, I've disabled Kerberos in SSSD, as our develop and test systems
> > > are not known by the KDC (no keytab file)
> >
> > This should be irrelevant. You shouldn't need a keytab file to talk to
> > kerberos for user authentication (though without one you won't gain
> > GSSAPI single-sign-on for SSH).
>
> We do validation by default, so a keytab is needed.
>
> Simo.
>

We only validate by default in the IPA provider. Validation is disabled by default when using only the krb5 provider (because there is no guarantee of a keytab).
_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://fedorahosted.org/mailman/listinfo/sssd-devel
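An added example, not part of the original thread or of SSSD's code: a small audit that applies the defaults described in the reply above to an sssd.conf and lists the domains that authenticate against Kerberos without TGT validation. The sample configuration, realm and domain names are constructed, and the fallback from `auth_provider` to `id_provider` is an assumption of this sketch.

```python
import configparser

# Defaults as stated in the thread: the IPA provider validates the TGT by
# default; the plain krb5 provider does not (no keytab is guaranteed).
VALIDATE_DEFAULT = {"ipa": True, "krb5": False}

# Constructed sample sssd.conf; realm and domain names are placeholders.
SAMPLE_CONF = """
[sssd]
domains = LAB, PROD, IPA

[domain/LAB]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.TEST

[domain/PROD]
id_provider = ldap
auth_provider = krb5
krb5_realm = EXAMPLE.TEST
krb5_validate = true
krb5_keytab = /etc/krb5.keytab

[domain/IPA]
id_provider = ipa
"""

def effective_validation(conf_text):
    """Map each domain to its effective krb5_validate (None: not krb5/ipa)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    result = {}
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        name, opts = section[len("domain/"):], cp[section]
        # Assumption: auth_provider falls back to id_provider when unset.
        provider = opts.get("auth_provider", opts.get("id_provider", "")).lower()
        if provider not in VALIDATE_DEFAULT:
            result[name] = None
        else:
            # An explicit krb5_validate wins over the provider default.
            result[name] = opts.getboolean(
                "krb5_validate", fallback=VALIDATE_DEFAULT[provider])
    return result

def unvalidated_domains(conf_text):
    """Domains that accept a Kerberos login without validating the TGT."""
    return sorted(d for d, v in effective_validation(conf_text).items()
                  if v is False)
```

A domain reported here obtains a TGT for the user but never checks it against a host key, which is why it works on machines that have no keytab.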