Using the realm join command I'm able to join, at present, on port 389. I'll be adjusting the command accordingly going forward, but for the interim I'm tweaking the clients that are already members of the domain.
Here is my problem. With id_provider and auth_provider both set to ad I can log in with my AD creds, look up users, run realm list, and the like. As soon as I change both to ldap (which seems to stop the connection from being made on 389) I can still log in successfully, but id and realm list no longer return anything.
Below is the sssd.conf file:
# sssd.conf as posted. The AD provider is active (id_provider / auth_provider = ad);
# the commented-out "ldap" lines are the variant that produces
# "No available servers for service 'LDAP'" in the log excerpt that follows.
[sssd]
domains = DOMAIN
config_file_version = 2
services = nss, pam
# Maximum verbosity (also set in the domain section below). These logs can
# contain account names and server details: keep /var/log/sssd readable by
# root only and lower the level once the issue is resolved.
debug_level=9
# Empty section: nss responder runs with defaults.
[nss]
[domain/DOMAIN]
debug_level=9
ad_domain = DOMAIN
krb5_realm = DOMAIN
# Written by "realm join"; records that the host was joined via Samba/net ads.
realmd_tags = manages-system joined-with-samba
# Allows offline login by keeping a salted hash of the user's password in the
# local SSSD cache under /var/lib/sss; that directory must stay root-only.
cache_credentials = True
# With "ad", SSSD binds to the DC with the host keytab (GSSAPI) and discovers
# DCs through DNS SRV records.
# NOTE(review): flipping only this line to ldap does not carry that bind over.
# The generic ldap provider needs an explicit bind identity — either
# ldap_sasl_mech = GSSAPI (with ldap_sasl_authid / ldap_krb5_keytab) or
# ldap_default_bind_dn + ldap_default_authtok — and, for id mapping against
# AD, ldap_schema = ad. Without one, AD rejects anonymous lookups and the
# backend goes offline, which matches the log below; confirm against
# sssd-ldap(5) for the installed version. Prefer the keytab/GSSAPI form: a
# bind password in this file is a plaintext secret on every client.
id_provider = ad
#id_provider = ldap
# Keeps the password SSSD could not use while offline (in the kernel keyring)
# so a TGT can be requested when the DC is reachable again.
krb5_store_password_if_offline = True
default_shell = /bin/bash
# UIDs/GIDs are derived from AD SIDs rather than read from POSIX attributes.
ldap_id_mapping = True
# Short login names; fine for a single domain, but they can collide if more
# domains are added to this client later.
use_fully_qualified_names = False
fallback_homedir = /home/%u
# Global Catalog (port 3268) lookups disabled; only the domain LDAP port is used.
ad_enable_gc = False
# NOTE(review): with auth_provider = ldap, authentication becomes a simple
# LDAP bind using the user's password. That is only acceptable because the
# URI below is ldaps:// (TLS implicit); over a plain ldap:// URI without
# ldap_id_use_start_tls the password would cross the network in cleartext.
# If the goal is only to change how lookups are done, keep auth_provider = ad
# (or use krb5) so passwords never leave the host over LDAP.
auth_provider = ad
#auth_provider = ldap
# ldaps on 636. SSSD validates the server certificate against ldap_tls_cacert
# below (ldap_tls_reqcert defaults to hard); a handshake failure here also
# surfaces as "No available servers".
# NOTE(review): the AD provider takes its server list from ad_server / DNS
# SRV and appears not to honour ldap_uri, which would explain the 389 vs 636
# difference seen when switching providers — verify in the debug log.
ldap_uri = ldaps://DOMAIN:636
# CA that issued the DC certificate. The hostname in ldap_uri must match the
# certificate subject/SAN, or validation fails; do not relax ldap_tls_reqcert
# to work around that.
ldap_tls_cacert = /etc/openldap/cacerts/DOMAIN.pem
ad_hostname = FQDN
[sssd[be[DOMAIN.com]]] [fo_resolve_service_send] (0x0020): No available servers for service 'LDAP'
[sssd[be[DOMAIN.com]]] [be_resolve_server_done] (0x1000): Server resolution failed: [5]: Input/output error
[sssd[be[DOMAIN.com]]] [sdap_id_op_connect_done] (0x0020): Failed to connect, going offline (5 [Input/output error])
[sssd[be[DOMAIN.com]]] [be_mark_offline] (0x2000): Going offline!
# Configuration snippets may be placed in this directory as well
includedir /etc/krb5.conf.d/
# SSSD publishes the KDC addresses it discovered (kdcinfo.*) into this
# directory so libkrb5 and SSSD agree on which DC to talk to.
includedir /var/lib/sss/pubconf/krb5.include.d/
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
dns_lookup_realm = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
# Reverse-DNS canonicalisation of service hostnames is disabled; this is why
# ldap.conf below needs SASL_NOCANON on for GSSAPI binds to keep working.
rdns = false
pkinit_anchors = /etc/pki/tls/certs/ca-bundle.crt
# default_realm = EXAMPLE.COM
# Per-user kernel-keyring credential caches, not files under /tmp.
default_ccache_name = KEYRING:persistent:%{uid}
# KDCs are located via DNS SRV records rather than pinned in [realms].
dns_lookup_kdc = true
# NOTE(review): the default realm is "DOMAIN" here, while [realms] and
# [domain_realm] below use "DOMAIN.COM" and the sssd log shows be[DOMAIN.com].
# Kerberos realm names are case-sensitive and must match exactly across
# krb5.conf and sssd.conf (krb5_realm). If that is not just an artefact of
# anonymising the post, it alone would break GSSAPI binds — check the realm
# shown by klist after a successful login.
default_realm = DOMAIN
[realms]
# EXAMPLE.COM = {
# kdc = kerberos.example.com
# admin_server = kerberos.example.com
# }
# Empty stanza: kdc/admin_server come from DNS (dns_lookup_kdc = true above).
DOMAIN.COM = {
}
[domain_realm]
# .example.com = EXAMPLE.COM
# example.com = EXAMPLE.COM
domain.com = DOMAIN.COM
.domain.com = DOMAIN.COM
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
#BASE dc=example,dc=com
#URI ldap://ldap.example.com ldap://ldap-master.example.com:666
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# Trust anchors for the OpenLDAP client library and tools (ldapsearch etc.).
# SSSD sets its own ldap_tls_cacert from sssd.conf on top of these defaults,
# so the two files should point at the same CA to avoid confusing test results.
TLS_CACERTDIR /etc/openldap/cacerts
TLS_CACERT /etc/openldap/cacerts/DOMAIN.pem
# TLS_REQCERT is not set, so the library default (demand) applies: the DC
# certificate must validate against the CA above or the session is dropped.
# Keep it that way — setting TLS_REQCERT never/allow to get past a handshake
# error removes server authentication for every tool using this file.
# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON on
# Same ldaps:// endpoint as ldap_uri in sssd.conf; handy for checking the
# certificate chain independently of SSSD (ldapsearch -H, openssl s_client).
URI ldaps://DOMAIN:636
BASE dc=DOMAIN,dc=com