Bug 1791016
| Summary: | realmd should handle default_realm in krb5.conf. | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Alexey Tikhonov <atikhono> |
| Component: | realmd | Assignee: | Sumit Bose <sbose> |
| Status: | CLOSED ERRATA | QA Contact: | shridhar <sgadekar> |
| Severity: | high | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 8.2 | CC: | afarley, alsharma, dlavu, gestionesistemi, pcech, sbose, sgadekar, sgoveas, tscherf |
| Target Milestone: | rc | Flags: | pm-rhel: mirror+ |
| Target Release: | 8.2 | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | sync-to-jira | | |
| Fixed In Version: | realmd-0.16.3-20.el8 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-05-18 14:56:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1894575 | | |
Description
Alexey Tikhonov
2020-01-14 16:59:31 UTC
Together with this change 'udp_preference_limit = 0' can be set as well to switch to TCP by default. Since AD Kerberos tickets typically are larger than UDP can handle due to the PAC, libkrb5 typically has to switch to TCP internally anyway, and switching to TCP by default helps to avoid a couple of unneeded UDP round-trips.

Upstream:
- https://gitlab.freedesktop.org/realmd/realmd/-/commit/2fa90caf4ad38541615446b80dbeaccd0d0e6a6f

Tested with realmd-0.16.3-20.el8.x86_64

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [ 04:52:44 ] :: [  BEGIN   ] :: Running 'egrep ad.baseos.qe /etc/krb5.conf'
:: [ 04:52:44 ] :: [   PASS   ] :: Command 'egrep ad.baseos.qe /etc/krb5.conf' (Expected 1, got 1)
:: [ 04:52:44 ] :: [  BEGIN   ] :: Running 'realmd_command --passwd=xxxxx! realm -v join --user=Amy-admin ad.baseos.qe'
ARGS=--passwd=Pass2012! realm -v join --user=Amy-admin ad.baseos.qe
EXP_SCRIPT=/tmp/tmp.vHyVcxuwRn
argnum=1
exp: PASSWORD = Pass2012!
exp: COMMAND = realm -v join --user=Amy-admin ad.baseos.qe
spawn realm -v join --user=Amy-admin ad.baseos.qe
 * Resolving: _ldap._tcp.ad.baseos.qe
 * Performing LDAP DSE lookup on: 10.37.152.14
 * Successfully discovered: ad.baseos.qe
Password for Amy-admin:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * Joining using a truncated netbios name: CI-VM-10-0-138-
 * LANG=C /usr/sbin/adcli join --verbose --domain ad.baseos.qe --domain-realm AD.BASEOS.QE --domain-controller 10.37.152.14 --computer-name CI-VM-10-0-138- --login-type user --login-user Amy-admin --stdin-password
 * Using domain name: ad.baseos.qe
 * Using computer account name: CI-VM-10-0-138-
 * Using domain realm: ad.baseos.qe
 * Sending NetLogon ping to domain controller: 10.37.152.14
 * Received NetLogon info from: sec-ad1.ad.baseos.qe
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-kR6NpR/krb5.d/adcli-krb5-conf-EFftfF
 * Authenticated as user: Amy-admin.QE
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: AD
 * Looked up domain SID: S-1-5-21-3917357665-4280980005-1639201238
 * Using fully qualified name: ci-vm-10-0-138-177.hosted.upshift.rdu2.redhat.com
 * Using domain name: ad.baseos.qe
 * Using computer account name: CI-VM-10-0-138-
 * Using domain realm: ad.baseos.qe
 * Enrolling computer name: CI-VM-10-0-138-
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for CI-VM-10-0-138-$ does not exist
 * Found well known computer container at: CN=Computers,DC=ad,DC=baseos,DC=qe
 * Calculated computer account: CN=CI-VM-10-0-138-,CN=Computers,DC=ad,DC=baseos,DC=qe
 * Encryption type [16] not permitted.
 * Encryption type [23] not permitted.
 * Encryption type [3] not permitted.
 * Encryption type [1] not permitted.
 * Created computer account: CN=CI-VM-10-0-138-,CN=Computers,DC=ad,DC=baseos,DC=qe
 * Sending NetLogon ping to domain controller: 10.37.152.14
 * Received NetLogon info from: sec-ad1.ad.baseos.qe
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=CI-VM-10-0-138-,CN=Computers,DC=ad,DC=baseos,DC=qe
 * Checking RestrictedKrbHost/ci-vm-10-0-138-177.hosted.upshift.rdu2.redhat.com
 * Added RestrictedKrbHost/ci-vm-10-0-138-177.hosted.upshift.rdu2.redhat.com
 * Checking RestrictedKrbHost/CI-VM-10-0-138-
 * Added RestrictedKrbHost/CI-VM-10-0-138-
 * Checking host/ci-vm-10-0-138-177.hosted.upshift.rdu2.redhat.com
 * Added host/ci-vm-10-0-138-177.hosted.upshift.rdu2.redhat.com
 * Checking host/CI-VM-10-0-138-
 * Added host/CI-VM-10-0-138-
 * Discovered which keytab salt to use
 * Added the entries to the keytab: CI-VM-10-0-138-$@AD.BASEOS.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/CI-VM-10-0-138-.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ci-vm-10-0-138-177.hosted.upshift.rdu2.redhat.com.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/CI-VM-10-0-138-.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/ci-vm-10-0-138-177.hosted.upshift.rdu2.redhat.com.QE: FILE:/etc/krb5.keytab
 ! Failed to update Kerberos configuration, not fatal, please check manually: Setting attribute standard::type not supported
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Backup stored at /var/lib/authselect/backups/2020-11-23-09-52-51.4A6dHj
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled and active
  - systemctl enable --now oddjobd.service

Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service → /usr/lib/systemd/system/oddjobd.service.
 * Successfully enrolled machine in realm
exp: RESULT=9939 exp6 0 0
RET=0
:: [ 04:52:52 ] :: [   PASS   ] :: Command 'realmd_command --passwd=xxxxxx! realm -v join --user=Amy-admin ad.baseos.qe' (Expected 0, got 0)
:: [ 04:52:52 ] :: [  BEGIN   ] :: Running 'echo xxxxxx! | kinit Amy-admin'
Password for Amy-admin.QE:
:: [ 04:52:52 ] :: [   PASS   ] :: Command 'echo xxxxxx! | kinit Amy-admin' (Expected 0, got 0)
:: [ 04:52:52 ] :: [  BEGIN   ] :: Running 'egrep 'default_realm = AD.BASEOS.QE' /etc/krb5.conf'
 default_realm = AD.BASEOS.QE
:: [ 04:52:52 ] :: [   PASS   ] :: Command 'egrep 'default_realm = AD.BASEOS.QE' /etc/krb5.conf' (Expected 0, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 8s
::   Assertions: 4 good, 0 bad
::   RESULT: PASS (Test)
```

marking verified.

Verifying bug from comment 9

```
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Test
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

[root@ci-vm-10-0-139-204 tmp.lzU23L0saG]# vim /etc/yum.repos.d/rhel.repo
[root@ci-vm-10-0-139-204 tmp.lzU23L0saG]# dnf info realmd
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
rhel                                             16 kB/s | 2.8 kB     00:00
rhel1                                           6.8 MB/s | 2.3 MB     00:00
rhel-AppStream                                   23 kB/s | 3.2 kB     00:00
Installed Packages
Name         : realmd
Version      : 0.16.3
Release      : 19.el8
Architecture : x86_64
Size         : 790 k
Source       : realmd-0.16.3-19.el8.src.rpm
Repository   : @System
From repo    : rhel-updates
Summary      : Kerberos realm enrollment service
URL          : http://cgit.freedesktop.org/realmd/realmd/
License      : LGPLv2+
Description  : realmd is a DBus system service which manages discovery and enrollment in realms
             : and domains like Active Directory or IPA. The control center uses realmd as the
             : back end to 'join' a domain simply and automatically configure things correctly.

Available Packages
Name         : realmd
Version      : 0.16.3
Release      : 20.el8
Architecture : x86_64
Size         : 237 k
Source       : realmd-0.16.3-20.el8.src.rpm
Repository   : rhel1
Summary      : Kerberos realm enrollment service
URL          : http://cgit.freedesktop.org/realmd/realmd/
License      : LGPLv2+
Description  : realmd is a DBus system service which manages discovery and enrollment in realms
             : and domains like Active Directory or IPA. The control center uses realmd as the
             : back end to 'join' a domain simply and automatically configure things correctly.

[root@ci-vm-10-0-139-204 tmp.lzU23L0saG]# dnf update realmd
Updating Subscription Management repositories.
Unable to read consumer identity
This system is not registered to Red Hat Subscription Management. You can use subscription-manager to register.
Last metadata expiration check: 0:00:19 ago on Mon 30 Nov 2020 10:06:06 AM EST.
Dependencies resolved.
================================================================================
 Package          Architecture     Version               Repository        Size
================================================================================
Upgrading:
 realmd           x86_64           0.16.3-20.el8         rhel1            237 k

Transaction Summary
================================================================================
Upgrade  1 Package

Total download size: 237 k
Is this ok [y/N]: y
Downloading Packages:
realmd-0.16.3-20.el8.x86_64.rpm                 1.5 MB/s | 237 kB     00:00
--------------------------------------------------------------------------------
Total                                           1.5 MB/s | 237 kB     00:00
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Preparing        :                                                        1/1
  Running scriptlet: realmd-0.16.3-20.el8.x86_64                            1/1
  Upgrading        : realmd-0.16.3-20.el8.x86_64                            1/2
  Cleanup          : realmd-0.16.3-19.el8.x86_64                            2/2
  Running scriptlet: realmd-0.16.3-19.el8.x86_64                            2/2
  Verifying        : realmd-0.16.3-20.el8.x86_64                            1/2
  Verifying        : realmd-0.16.3-19.el8.x86_64                            2/2
Installed products updated.

Upgraded:
  realmd-0.16.3-20.el8.x86_64

Complete!
[root@ci-vm-10-0-139-204 tmp.lzU23L0saG]# exit

:: [ 10:06:31 ] :: [  BEGIN   ] :: Running 'egrep ad.baseos.qe /etc/krb5.conf'
:: [ 10:06:31 ] :: [   PASS   ] :: Command 'egrep ad.baseos.qe /etc/krb5.conf' (Expected 1, got 1)
:: [ 10:06:31 ] :: [  BEGIN   ] :: Running 'realmd_command --passwd=Pass2012! realm -v join --user=Amy-admin ad.baseos.qe'
ARGS=--passwd=Pass2012! realm -v join --user=Amy-admin ad.baseos.qe
EXP_SCRIPT=/tmp/tmp.VIO6QjgY94
argnum=1
exp: PASSWORD = Pass2012!
exp: COMMAND = realm -v join --user=Amy-admin ad.baseos.qe
spawn realm -v join --user=Amy-admin ad.baseos.qe
 * Resolving: _ldap._tcp.ad.baseos.qe
 * Performing LDAP DSE lookup on: 10.37.152.14
 * Successfully discovered: ad.baseos.qe
Password for Amy-admin:
 * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/sbin/adcli
 * Joining using a truncated netbios name: CI-VM-10-0-139-
 * LANG=C /usr/sbin/adcli join --verbose --domain ad.baseos.qe --domain-realm AD.BASEOS.QE --domain-controller 10.37.152.14 --computer-name CI-VM-10-0-139- --login-type user --login-user Amy-admin --stdin-password
 * Using domain name: ad.baseos.qe
 * Using computer account name: CI-VM-10-0-139-
 * Using domain realm: ad.baseos.qe
 * Sending NetLogon ping to domain controller: 10.37.152.14
 * Received NetLogon info from: sec-ad1.ad.baseos.qe
 * Wrote out krb5.conf snippet to /var/cache/realmd/adcli-krb5-DUmI2M/krb5.d/adcli-krb5-conf-j7JRjs
 * Authenticated as user: Amy-admin.QE
 * Using GSS-SPNEGO for SASL bind
 * Looked up short domain name: AD
 * Looked up domain SID: S-1-5-21-3917357665-4280980005-1639201238
 * Using fully qualified name: ci-vm-10-0-139-204.hosted.upshift.rdu2.redhat.com
 * Using domain name: ad.baseos.qe
 * Using computer account name: CI-VM-10-0-139-
 * Using domain realm: ad.baseos.qe
 * Enrolling computer name: CI-VM-10-0-139-
 * Generated 120 character computer password
 * Using keytab: FILE:/etc/krb5.keytab
 * Computer account for CI-VM-10-0-139-$ does not exist
 * Found well known computer container at: CN=Computers,DC=ad,DC=baseos,DC=qe
 * Calculated computer account: CN=CI-VM-10-0-139-,CN=Computers,DC=ad,DC=baseos,DC=qe
 * Encryption type [16] not permitted.
 * Encryption type [23] not permitted.
 * Encryption type [3] not permitted.
 * Encryption type [1] not permitted.
 * Created computer account: CN=CI-VM-10-0-139-,CN=Computers,DC=ad,DC=baseos,DC=qe
 * Sending NetLogon ping to domain controller: 10.37.152.14
 * Received NetLogon info from: sec-ad1.ad.baseos.qe
 * Set computer password
 * Retrieved kvno '2' for computer account in directory: CN=CI-VM-10-0-139-,CN=Computers,DC=ad,DC=baseos,DC=qe
 * Checking RestrictedKrbHost/ci-vm-10-0-139-204.hosted.upshift.rdu2.redhat.com
 * Added RestrictedKrbHost/ci-vm-10-0-139-204.hosted.upshift.rdu2.redhat.com
 * Checking RestrictedKrbHost/CI-VM-10-0-139-
 * Added RestrictedKrbHost/CI-VM-10-0-139-
 * Checking host/ci-vm-10-0-139-204.hosted.upshift.rdu2.redhat.com
 * Added host/ci-vm-10-0-139-204.hosted.upshift.rdu2.redhat.com
 * Checking host/CI-VM-10-0-139-
 * Added host/CI-VM-10-0-139-
 * Discovered which keytab salt to use
 * Added the entries to the keytab: CI-VM-10-0-139-$@AD.BASEOS.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/CI-VM-10-0-139-.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: host/ci-vm-10-0-139-204.hosted.upshift.rdu2.redhat.com.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/CI-VM-10-0-139-.QE: FILE:/etc/krb5.keytab
 * Added the entries to the keytab: RestrictedKrbHost/ci-vm-10-0-139-204.hosted.upshift.rdu2.redhat.com.QE: FILE:/etc/krb5.keytab
 ! Failed to update Kerberos configuration, not fatal, please check manually: Setting attribute standard::type not supported
 * /usr/bin/systemctl enable sssd.service
 * /usr/bin/systemctl restart sssd.service
 * /usr/bin/sh -c /usr/bin/authselect select sssd with-mkhomedir --force && /usr/bin/systemctl enable oddjobd.service && /usr/bin/systemctl start oddjobd.service
Backup stored at /var/lib/authselect/backups/2020-11-30-15-06-38.pyhsL6
Profile "sssd" was selected.
The following nsswitch maps are overwritten by the profile:
- passwd
- group
- netgroup
- automount
- services

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

- with-mkhomedir is selected, make sure pam_oddjob_mkhomedir module
  is present and oddjobd service is enabled and active
  - systemctl enable --now oddjobd.service

Created symlink /etc/systemd/system/multi-user.target.wants/oddjobd.service → /usr/lib/systemd/system/oddjobd.service.
 * Successfully enrolled machine in realm
exp: RESULT=9901 exp6 0 0
RET=0
:: [ 10:06:39 ] :: [   PASS   ] :: Command 'realmd_command --passwd=Pass2012! realm -v join --user=Amy-admin ad.baseos.qe' (Expected 0, got 0)
:: [ 10:06:39 ] :: [  BEGIN   ] :: Running 'echo Pass2012! | kinit Amy-admin'
Password for Amy-admin.QE:
:: [ 10:06:39 ] :: [   PASS   ] :: Command 'echo Pass2012! | kinit Amy-admin' (Expected 0, got 0)
:: [ 10:06:39 ] :: [  BEGIN   ] :: Running 'egrep 'default_realm = AD.BASEOS.QE' /etc/krb5.conf'
 default_realm = AD.BASEOS.QE
:: [ 10:06:39 ] :: [   PASS   ] :: Command 'egrep 'default_realm = AD.BASEOS.QE' /etc/krb5.conf' (Expected 0, got 0)
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
::   Duration: 176s
::   Assertions: 4 good, 0 bad
::   RESULT: PASS (Test)
```

marking verified

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (realmd bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1635

I can confirm that realmd-0.16.3-22.el8.x86_64 included in RHEL 8.4 adds only:

    default_realm = MYDOMAIN.COM

directly to /etc/krb5.conf.

Modifying the main config file directly is never a good choice (indeed, almost all packages have a drop-in dir, even krb5).

Adding the directive:

    includedir /var/lib/sss/pubconf/krb5.include.d

(like in RHEL7) should be more appropriate because included files are made better and allow passwordless (GSSAPI) SSH.
(In reply to gestionesistemi from comment #14)

> I can confirm that realmd-0.16.3-22.el8.x86_64 included in RHEL 8.4 adds
> only:
> default_realm = MYDOMAIN.COM
> directly to /etc/krb5.conf.
> Modifying the main config file directly is never a good choice (indeed, almost
> all packages have a drop-in dir, even krb5)

Hi,

afaik the drop-in directory /etc/krb5.conf.d is not hardcoded but only works if 'includedir /etc/krb5.conf.d/' is present in /etc/krb5.conf. This is the default for Fedora and RHEL, but since this fix is taken from realmd upstream, which should work on other platforms as well, adding default_realm directly is more reliable.

> Adding the directive:
> includedir /var/lib/sss/pubconf/krb5.include.d
> (like in RHEL7)
> should be more appropriate because included files are made better and allow
> passwordless (GSSAPI) SSH.

Here I agree with Pavel's comment in the other ticket that it would be better if this is handled by SSSD itself.

bye,
Sumit

But default_realm only is not enough to offer "full" functionality for Kerberos auth.

Thus, unlike RHEL7, on RHEL8, is Kerberos "de facto" not configured for integration with SSSD and SSH? For RHEL8, do you suggest to manage krb5.conf with a configuration management system like Ansible?

Where is the regression? In authselect, realmd or sssd? Do I need to open another bugzilla?

(In reply to gestionesistemi from comment #16)

> But default_realm only is not enough to offer "full" functionality for
> Kerberos auth.
>
> Thus, unlike RHEL7, on RHEL8, is Kerberos "de facto" not configured for
> integration with SSSD and SSH?
> For RHEL8, do you suggest to manage krb5.conf with a configuration
> management system like Ansible?

No, you are right, it should be handled by the system.

> Where is the regression? In authselect, realmd or sssd? Do I need to open
> another bugzilla?

As I said, I agree with //bugzilla.redhat.com/show_bug.cgi?id=1961182#c3, so there is already a ticket for SSSD to fix this.

HTH

bye,
Sumit
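The point Sumit makes in the exchange above (libkrb5 does not know about /etc/krb5.conf.d on its own; a drop-in there is only read when /etc/krb5.conf carries a matching `includedir` line) and the `udp_preference_limit = 0` suggestion from the top of the thread can both be checked mechanically before touching a host. The following is an added Python example for this page, not realmd's or SSSD's code: it parses a constructed, RHEL-style krb5.conf, reports whether a drop-in file would actually be honoured (including the includedir filename rules from krb5.conf(5)), and otherwise falls back to writing the two settings into `[libdefaults]` directly, the way realmd-0.16.3-20 does. The drop-in name `realmd-ad` and the sample configuration are assumptions made for the example.

```python
"""Decide where Kerberos client settings written at AD join time should go.

Added example for this bug thread; not realmd's or SSSD's code. It models the
point from the discussion: /etc/krb5.conf.d is not hard-coded in libkrb5, so a
drop-in there is only read if /etc/krb5.conf carries a matching 'includedir'
line; otherwise the setting has to go into the main file.
"""
import re

# Constructed sample, modelled on a RHEL 8 /etc/krb5.conf before 'realm join':
# the includedir line is present, no default_realm is set.
SAMPLE_KRB5_CONF = """\
includedir /etc/krb5.conf.d/

[logging]
    default = FILE:/var/log/krb5libs.log

[libdefaults]
    dns_lookup_realm = false
    ticket_lifetime = 24h
    renew_lifetime = 7d
    forwardable = true
    rdns = false
    spake_preauth_groups = edwards25519

[realms]

[domain_realm]
"""

INCLUDEDIR_RE = re.compile(r"^\s*includedir\s+(\S+)\s*$", re.MULTILINE)
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
# Names libkrb5 reads from an includedir (krb5.conf(5)): only alphanumerics,
# '-' and '_', or (since krb5 1.15) any name ending in ".conf" that does not
# start with '.'.
DROPIN_NAME_RE = re.compile(r"^(?:[A-Za-z0-9_-]+|[^.].*\.conf)$")


def includedirs(conf):
    """Directories named by top-level 'includedir' directives, without trailing '/'."""
    return [m.group(1).rstrip("/") for m in INCLUDEDIR_RE.finditer(conf)]


def section_span(conf, name):
    """(header_index, end_index) of section [name] in conf's lines, or None."""
    lines = conf.splitlines()
    start = None
    for i, line in enumerate(lines):
        m = SECTION_RE.match(line)
        if m and start is not None:
            return start, i
        if m and m.group(1) == name:
            start = i
    return None if start is None else (start, len(lines))


def libdefaults(conf):
    """Flat 'key = value' pairs of [libdefaults]; nested {...} blocks are skipped."""
    span = section_span(conf, "libdefaults")
    if span is None:
        return {}
    out, depth = {}, 0
    for line in conf.splitlines()[span[0] + 1:span[1]]:
        stripped = line.split("#", 1)[0].strip()
        if stripped.endswith("{"):
            depth += 1
        elif stripped == "}":
            depth -= 1
        elif depth == 0 and "=" in stripped:
            key, value = stripped.split("=", 1)
            out[key.strip()] = value.strip()
    return out


def dropin_honoured(conf, dropin_dir, filename):
    """True only if libkrb5 would read dropin_dir/filename given this conf."""
    return (dropin_dir.rstrip("/") in includedirs(conf)
            and DROPIN_NAME_RE.match(filename) is not None)


def add_libdefaults(conf, settings):
    """Write settings straight into [libdefaults] (what realmd-0.16.3-20 does),
    creating the section if needed and never overriding an existing key."""
    existing = libdefaults(conf)
    new = ["    %s = %s" % (k, v) for k, v in settings.items() if k not in existing]
    if not new:
        return conf
    lines = conf.splitlines()
    span = section_span(conf, "libdefaults")
    if span is None:
        lines += ["", "[libdefaults]"] + new
    else:
        lines[span[0] + 1:span[0] + 1] = new
    return "\n".join(lines) + "\n"


def plan(conf, realm, dropin_dir="/etc/krb5.conf.d", snippet="realmd-ad"):
    """Return where the join-time settings land and the text to write there.

    The settings are the two from the thread: default_realm, and
    udp_preference_limit = 0 so PAC-bloated AD tickets go over TCP without a
    failed UDP exchange first. 'snippet' is a hypothetical drop-in name.
    """
    settings = {"default_realm": realm, "udp_preference_limit": "0"}
    if dropin_honoured(conf, dropin_dir, snippet):
        body = "[libdefaults]\n" + "".join("    %s = %s\n" % kv for kv in settings.items())
        return {"where": "%s/%s" % (dropin_dir, snippet), "text": body}
    return {"where": "/etc/krb5.conf", "text": add_libdefaults(conf, settings)}


if __name__ == "__main__":
    without_includedir = SAMPLE_KRB5_CONF.replace("includedir /etc/krb5.conf.d/\n", "")
    for conf in (SAMPLE_KRB5_CONF, without_includedir):
        result = plan(conf, "AD.BASEOS.QE")
        print("write to", result["where"])
        print(result["text"])
```

Run stand-alone, the script shows both outcomes: with the stock RHEL `includedir` line a drop-in under /etc/krb5.conf.d is honoured, and with that line removed the only reliable place for `default_realm` is `[libdefaults]` in /etc/krb5.conf itself, which is the trade-off the thread describes.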