rpms/sssd
7
0
Fork 0
Code Issues Pull Requests Releases Activity

Document which principal does the AD provider use

Browse Source 
Signed-off-by: Fabiano Fidêncio <fidencio@redhat.com>
This commit is contained in:
Fabiano Fidêncio 2018-04-27 22:00:50 +02:00
parent 2dd8451396
commit b6696d97c4
2 changed files with 49 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
0046-MAN-Document-which-principal-does-the-AD-provider-us.patch Normal file
View File

@ -0,0 +1,47 @@
From 549a960554f44e79d74c65d9f889ccaef497b11d Mon Sep 17 00:00:00 2001
From: Jakub Hrozek <jhrozek@redhat.com>
Date: Thu, 19 Apr 2018 09:38:47 +0200
Subject: [PATCH] MAN: Document which principal does the AD provider use
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Administrators are often confused by the difference between what
principal is used to authenticate to AD. Let's document that.
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
(cherry picked from commit 91d1e4c134b7c90abd2ff86b313175c542cd834c)
---
src/man/include/ad_modified_defaults.xml | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/src/man/include/ad_modified_defaults.xml b/src/man/include/ad_modified_defaults.xml
index c41b454f8..818a2bf78 100644
--- a/src/man/include/ad_modified_defaults.xml
+++ b/src/man/include/ad_modified_defaults.xml
@@ -58,6 +58,22 @@
ldap_use_tokengroups = true
</para>
</listitem>
+ <listitem>
+ <para>
+ ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)
+ </para>
+ <para>
+ The AD provider looks for a different principal than the
+ LDAP provider by default, because in an Active Directory
+ environment the principals are divided into two groups
+ - User Principals and Service Principals. Only User
+ Principal can be used to obtain a TGT and by default,
+ computer object's principal is constructed from
+ its sAMAccountName and the AD realm. The well-known
+ host/hostname@REALM principal is a Service Principal
+ and thus cannot be used to get a TGT with.
+ </para>
+ </listitem>
</itemizedlist>
</refsect2>
</refsect1>
--
2.14.3

2
sssd.spec
View File

@ -87,6 +87,7 @@ Patch0042: 0042-SDAP-Properly-handle-group-id-collision-when-renamin.patch
Patch0043: 0043-SYSDB_OPS-Error-out-on-id-collision-when-adding-an-i.patch Patch0043: 0043-SYSDB_OPS-Error-out-on-id-collision-when-adding-an-i.patch
Patch0044: 0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch Patch0044: 0044-TESTS-Add-an-integration-test-for-renaming-incomplet.patch
Patch0045: 0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch Patch0045: 0045-SYSDB-sysdb_add_incomplete_group-now-returns-EEXIST-.patch
Patch0046: 0046-MAN-Document-which-principal-does-the-AD-provider-us.patch
Patch0502: 0502-SYSTEMD-Use-capabilities.patch Patch0502: 0502-SYSTEMD-Use-capabilities.patch
Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch Patch0503: 0503-Disable-stopping-idle-socket-activated-responders.patch
@ -1308,6 +1309,7 @@ fi
list out of bound? list out of bound?
- Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is - Resolves: upstream#2653 - Group renaming issue when "id_provider = ldap" is
set. set.
- Document which principal does the AD provider use
* Fri Mar 30 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-2 * Fri Mar 30 2018 Fabiano Fidêncio <fidencio@fedoraproject.org> - 1.16.1-2
- Resolves: upstream#3573 - sssd won't show netgroups with blank domain - Resolves: upstream#3573 - sssd won't show netgroups with blank domain