Description of problem:
Please, update blog post: https://jhrozek.wordpress.com/2015/07/17/get-rid-of-calling-manually-calling-kinit-with-sssds-help/

I upgraded from F25 to F26 and I needed workaround for automatic kinit after login.

Version-Release number of selected component (if applicable):
sssd-1.15.2

My workaround:
If you have the same name of your local user as your Kerberos user, you can use this configuration of SSSD to reach automatic `kinit` during login process.

$ cat /etc/sssd/sssd.conf
[sssd]
domains = redhat.com
config_file_version = 2
services = nss,pam,ifp
default_domain_suffix = redhat.com

[ifp]
#debug_level = 10

[domain/redhat.com]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
krb5_server = kerberos01.core.prod.int.ams2.redhat.com:88
krb5_realm = REDHAT.COM
krb5_store_password_if_offline = True
cache_credentials = True

Setup pam stack:
$ authconfig --enablenis --enablesssd --enablesssdauth --update

And reset SSSD:
$ systemctl restart sssd

When Lukas Slebodnik asked me for creating this BZ, he would like to see:

$ cat /etc/nsswitch.conf
#
# /etc/nsswitch.conf
#
# An example Name Service Switch config file. This file should be
# sorted with the most-used services at the beginning.
#
# The entry '[NOTFOUND=return]' means that the search for an
# entry should stop if the search in the previous entry turned
# up nothing. Note that if the search failed due to some other reason
# (like no NIS server responding) then the search continues with the
# next entry.
#
# Valid entries include:
#
#   nisplus             Use NIS+ (NIS version 3)
#   nis                 Use NIS (NIS version 2), also called YP
#   dns                 Use DNS (Domain Name Service)
#   files               Use the local files
#   db                  Use the local database (.db) files
#   compat              Use NIS on compat mode
#   hesiod              Use Hesiod for user lookups
#   [NOTFOUND=return]   Stop searching if not found so far
#
# To use db, put the "db" in front of "files" for entries you want to be
# looked up first in the databases
#
# Example:
#passwd:    db files nisplus nis
#shadow:    db files nisplus nis
#group:     db files nisplus nis

passwd:     files nis sss systemd
shadow:     files nis sss
group:      files nis sss systemd
#initgroups: files

#hosts:     db files nisplus nis dns
hosts:      files mdns4_minimal [NOTFOUND=return] nis dns myhostname

# Example - obey only what nisplus tells us...
#services:   nisplus [NOTFOUND=return] files
#networks:   nisplus [NOTFOUND=return] files
#protocols:  nisplus [NOTFOUND=return] files
#rpc:        nisplus [NOTFOUND=return] files
#ethers:     nisplus [NOTFOUND=return] files
#netmasks:   nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers:     files
netmasks:   files
networks:   files
protocols:  files
rpc:        files
services:   files sss

netgroup:   files nis sss

publickey:  nisplus

automount:  files nis sss
aliases:    files nisplus
I asked Petr to file a ticket so we can track it somewhere. And the best place is Fedora 26 due to default implicit_files_domain.
BTW I would prefer to find another solution than setting "default_domain_suffix" which was not required on f25. Because it would return fqnames (user@implicit_files_domain) for local user with default f26 nsswitch.conf.
I'm fine with updating the blog post. But I wonder, since several users hit this problem already, if we should look into the configuration during startup (which we already do to see if there is an implicit files domain) and also check for a proxy domain proxying to files -- and if we find one, don't start the implicit domain. After all, the proxy domain is quite similar to the files domain..
(In reply to Jakub Hrozek from comment #3)
> I'm fine with updating the blog post.
>
> But I wonder, since several users hit this problem already, if we should
> look into the configuration during startup (which we already do to see if
> there is an implicit files domain) and also check for a proxy domain
> proxying to files -- and if we find one, don't start the implicit domain.
> After all, the proxy domain is quite similar to the files domain..

That partially makes sense, but somebody needs to investigate possible solutions/workarounds :-)
Sorry, the current version of sssd on my Fedora 26 is sssd-1.15.3.
We've just tested the following configuration and it works.

$ cat /etc/sssd/sssd.conf
[sssd]
domains = example.com
config_file_version = 2
services = nss,pam

[domain/example.com]
id_provider = files
proxy_lib_name = files
auth_provider = krb5
krb5_server = kerberos01.example.com:88
krb5_realm = REDHAT.COM
krb5_store_password_if_offline = True
cache_credentials = True

But on the other hand there might be more users (still on f25) which use proxy to files. Therefore we might disable starting implicit_files_domain after detecting id_provider = proxy (to files).
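The startup check proposed in the comments above (skip the implicit files domain when an enabled domain already proxies to files), sketched as a standalone sssd.conf audit. This is an added example, not SSSD's code or the fix that was committed; `audit`, `enabled_domains` and the sample configuration are constructed for illustration.

```python
import configparser

# Constructed sample, trimmed from the reporter's sssd.conf in this thread.
SAMPLE = """\
[sssd]
domains = redhat.com
services = nss,pam,ifp
default_domain_suffix = redhat.com

[domain/redhat.com]
id_provider = proxy
proxy_lib_name = files
auth_provider = krb5
"""

def enabled_domains(cfg):
    """Domain names listed in [sssd] domains = ..., in order."""
    raw = cfg.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]

def audit(conf_text):
    """Return (findings, start_implicit_files) for an sssd.conf string.

    start_implicit_files is False when an enabled domain already serves
    local users: id_provider = files, or proxy with proxy_lib_name = files.
    """
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(conf_text)
    findings, start_implicit = [], True
    for name in enabled_domains(cfg):
        sec = "domain/" + name
        if not cfg.has_section(sec):
            findings.append(f"{name}: listed in domains but has no [{sec}] section")
            continue
        provider = cfg.get(sec, "id_provider", fallback="").strip().lower()
        lib = cfg.get(sec, "proxy_lib_name", fallback="").strip().lower()
        if provider == "proxy" and lib == "files":
            findings.append(f"{name}: proxy to files overlaps the implicit files domain")
            start_implicit = False
        elif provider == "files":
            start_implicit = False
    if cfg.has_option("sssd", "default_domain_suffix"):
        # The thread notes this makes local users come back fully qualified.
        findings.append("default_domain_suffix is set: check local user names")
    return findings, start_implicit

if __name__ == "__main__":
    print(audit(SAMPLE))
```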
Upstream ticket: https://pagure.io/SSSD/sssd/issue/3590
sssd-1.16.0-4.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2017-9c7b92556b
sssd-1.16.0-5.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2017-4286c0635d
sssd-1.16.0-4.fc25 has been submitted as an update to Fedora 25. https://bodhi.fedoraproject.org/updates/FEDORA-2017-9bbe262ea8
master: * 34e5190f9a47e4a2e15d825123b33d42c7e72ccc * 4928657ce937d6b08c79cfe267f206ca2db493c6 * 30621369bbf6c554401a20d84e447f872608bc53 * c987e58316f729f7682aa6843f1337f4a4575e07
sssd-1.16.0-4.fc25 has been pushed to the Fedora 25 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-9bbe262ea8
sssd-1.16.0-4.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-9c7b92556b
sssd-1.16.0-5.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2017-4286c0635d
sssd-1.16.0-4.fc25 has been pushed to the Fedora 25 stable repository. If problems still persist, please make note of it in this bug report.
sssd-1.16.0-5.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
sssd-1.16.0-4.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.