On 9/2/21 12:49 AM, Sumit Bose wrote:
The reason is that 'kinit -k' constructs the principal by calling
gethostname() or similar, adding the 'host/' prefix and the realm. But
by default this principal in AD is only a service principal and cannot
be used to request a TGT as kinit does. AD only allows user principals
to request a TGT and this is by default 'SHORT$@AD.REALM'. If the
userPrincipalName attribute is set, the principal given there is allowed
as well.


This raises a couple of questions. Because of AD's flat address space, we use a host naming convention in AD as a sort of low-rent namespacing; for this host, for example, the college is cns and the research group is cryo, so the AD hostname is cns-cryo-ross1$.

However,

# hostname
rossmann.biosci.utexas.edu


which is easier for the users to remember for ssh purposes.  We set

  ad_hostname = cns-cryo-ross1.austin.utexas.edu

in /etc/sssd/sssd.conf.

But I just checked, and kinit does not use ad_hostname, so I have to run it as

  kinit -k -R cns-cryo-ross1$

The question is, then what does use the ad_hostname key/value pair?

Next, the kinit example provided by Spike was `kinit -k` -- we always run `kinit -k -R`

-R renews the TGT, which is what I thought is the thing set to expire in AD that needs to be periodically renewed. What's the purpose of running `kinit -k` without the -R?
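As an added illustration of the point in the quoted reply (this is not code from the thread or from SSSD), the script below derives the SHORT$@REALM machine-account principal from the ad_hostname and krb5_realm values in sssd.conf and checks that the keytab actually holds a key for it, rather than only the host/ service principal that `kinit -k` builds from gethostname(). The sssd.conf fragment and the `klist -k` output are constructed stand-ins; that the account name is upper-cased is an assumption, which is why the keytab match is case-insensitive and the keytab's own spelling is what gets returned.

```shell
#!/bin/sh
# Added example: find the machine-account principal AD will issue a TGT
# for, and confirm /etc/krb5.keytab has a key for it before running kinit.

# Constructed sssd.conf fragment standing in for /etc/sssd/sssd.conf.
SSSD_CONF='[domain/austin.utexas.edu]
id_provider = ad
krb5_realm = AUSTIN.UTEXAS.EDU
ad_hostname = cns-cryo-ross1.austin.utexas.edu
'

# Constructed "klist -k" output: the host/ entries are service principals
# (no TGT from AD); the SHORT$ entry is the computer account principal.
KLIST_K='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- ------------------------------------------------------------------
   2 host/rossmann.biosci.utexas.edu@AUSTIN.UTEXAS.EDU
   2 host/cns-cryo-ross1.austin.utexas.edu@AUSTIN.UTEXAS.EDU
   2 CNS-CRYO-ROSS1$@AUSTIN.UTEXAS.EDU
'

# conf_value KEY CONF: value of the first "KEY = value" line in CONF.
conf_value() {
    printf '%s\n' "$2" | sed -n "s/^[[:space:]]*$1[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# machine_principal AD_HOSTNAME REALM: SHORT$@REALM, i.e. the first label
# of the FQDN (assumed upper-case, as AD spells computer accounts) plus '$'.
machine_principal() {
    short=$(printf '%s' "${1%%.*}" | tr '[:lower:]' '[:upper:]')
    printf '%s$@%s\n' "$short" "$2"
}

# keytab_entry PRINCIPAL KLIST_OUTPUT: the keytab's own spelling of
# PRINCIPAL (case-insensitive match on KVNO lines); empty if absent.
keytab_entry() {
    printf '%s\n' "$2" | awk -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" \
        '$1 ~ /^[0-9]+$/ && tolower($2) == want { print $2; exit }'
}

# tgt_principal CONF KLIST_OUTPUT: the name to pass to 'kinit -k';
# returns 1 when sssd.conf and the keytab disagree, so nothing is tried blindly.
tgt_principal() {
    want=$(machine_principal "$(conf_value ad_hostname "$1")" "$(conf_value krb5_realm "$1")")
    have=$(keytab_entry "$want" "$2")
    [ -n "$have" ] || { echo "no keytab key for $want" >&2; return 1; }
    printf '%s\n' "$have"
}

# Usage on a real host: kinit -k "$(tgt_principal "$(cat /etc/sssd/sssd.conf)" "$(klist -k)")"
```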

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org