
Active Directory authentication, Kerberos Realms

  • 15-05-2014 4:52pm
    #1
    Registered Users Posts: 218 ✭✭


    OK, so I'm trying to use Kerberos/LDAP/SSSD to authenticate Linux clients. The problem I'm having is that our Active Directory was originally set up with a company.local domain but I'm guessing the users' UPNs were updated in AD to match their email addresses, user@company.com.

    So I can authenticate users with a user@company.local UPN but not user@company.com. What I think I want to do is somehow override or alias company.com to company.local. Here's my current /etc/krb5.conf:
    
    [logging]
     default = FILE:/var/log/krb5libs.log
     kdc = FILE:/var/log/krb5kdc.log
     admin_server = FILE:/var/log/kadmind.log
    
    [libdefaults]
     dns_lookup_realm = false
     dns_lookup_kdc = false
     ticket_lifetime = 24h
     renew_lifetime = 7d
     forwardable = true
    
     default_realm = COMPANY.LOCAL
    
    [realms]
    COMPANY.LOCAL = {
      admin_server = dc0.company.local
      kdc = dc0.company.local
    }
    [domain_realm]
     company = COMPANY.LOCAL
     .company = COMPANY.LOCAL
    

    The error message I'm seeing when trying to log in as a user with a company.com UPN:
    su: pam_sss(su:auth): system info: [Cannot find KDC for requested realm]
    
    Anyone have any suggestions?


Comments

  • Registered Users Posts: 218 ✭✭Tillotson


    OK, so finally solved this. It was as simple as adding:
    COMPANY.COM = {
      admin_server = dc0.company.local
      kdc = dc0.company.local
    }
    
    to the [realms] section. Thought I had already tried this, oh well.
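
Why the missing stanza produces "Cannot find KDC for requested realm", shown as an added example that is not part of the original thread: with `dns_lookup_kdc = false`, a realm that has no `kdc` entry under `[realms]` cannot be located at all. The function names are hypothetical, the sample text is constructed from the configuration posted above, and treating the upper-cased UPN suffix as the requested realm is an assumption based on the fix in the answer.

```python
import re
# Constructed sample: the krb5.conf from the question, trimmed to the relevant keys.
BEFORE = """\
[libdefaults]
 dns_lookup_kdc = false
[realms]
COMPANY.LOCAL = {
  kdc = dc0.company.local
}
"""
# The same file with the stanza from the answer appended to [realms].
AFTER = BEFORE + """\
COMPANY.COM = {
  admin_server = dc0.company.local
  kdc = dc0.company.local
}
"""

def parse_krb5(text):
    """Return (libdefaults dict, {realm: [kdc, ...]}) from krb5.conf text."""
    section, realm, libdefaults, realms = None, None, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if m := re.fullmatch(r"\[(\w+)\]", line):
            section, realm = m.group(1), None
        elif line == "}":
            realm = None
        elif m := re.fullmatch(r"(\S+)\s*=\s*(.*)", line):
            key, value = m.groups()
            if section == "realms" and value == "{":
                realm = key
                realms[realm] = []
            elif section == "realms" and realm and key == "kdc":
                realms[realm].append(value)
            elif section == "libdefaults":
                libdefaults[key] = value
    return libdefaults, realms

def locate_kdc(text, upn):
    """Return (realm, kdcs, how): how is 'static', 'dns' or 'unresolvable'."""
    libdefaults, realms = parse_krb5(text)
    realm = upn.rsplit("@", 1)[1].upper()  # assumption: UPN suffix is used as the realm
    if realms.get(realm):
        return realm, realms[realm], "static"
    # No [realms] entry: only DNS SRV lookup could still find a KDC.
    dns_off = libdefaults.get("dns_lookup_kdc", "true").lower() in ("false", "no", "off", "0")
    return realm, [], "unresolvable" if dns_off else "dns"
```

Calling `locate_kdc(open("/etc/krb5.conf").read(), "user@company.com")` on a client shows whether each UPN suffix in use has a statically configured KDC before users hit the PAM error.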

