Active Directory authentication, Kerberos Realms

Tillotson

OK, so I'm trying to use Kerberos/LDAP/SSSD to authenticate linux clients. The problem I'm having is that our Active Directory was originally set up with a company.local domain but I'm guessing the users UPN's were updated in AD to match their email addresses, user@company.com.

So I can authenticate users with a user@company.local UPN but not user@company.com. What I think I want to do is somehow override or alias company.com to company.local. Here's my current /etc/krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

 default_realm = COMPANY.LOCAL

[realms]
COMPANY.LOCAL = {
  admin_server = dc0.company.local
  kdc = dc0.company.local
}
[domain_realm]
 company = COMPANY.LOCAL
 .company = COMPANY.LOCAL

The error message I'm seeing when trying to log in as a user with a company.com UPN:

su: pam_sss(su:auth): system info: [Cannot find KDC for requested realm]

Anyone have any suggestions?

Tillotson

OK, so finally solved this. It was as simple as adding:

COMPANY.COM = {
  admin_server = dc0.company.local
  kdc = dc0.company.local
}

to the [realms] section. Thought I had already tried this, oh well.