[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC
- In reply to: bugzilla-noreply_a_freebsd.org: "[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC"
Date: Wed, 07 Dec 2022 16:37:36 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

--- Comment #13 from Cy Schubert <cy@FreeBSD.org> ---

(In reply to Michael Osipov from comment #12)

He didn't elaborate. Though in the discussion after the session he did say they wanted a UID-like field in the database (he was probably referring to the SID at the time).

At $JOB we've had a lot of problems with translating SIDs to UIDs. We've been using winbind (which stores the ticket in memory instead of /tmp) and are converting to sssd. One of my former clients (another guy on the team is working with them now) uses sssd. There have been many issues with logins through ssh, none of which we can fix, all of which are on their side. They're mirroring their A/D using openldap running on Linux. Their sssd uses the openldap servers as their Linux source of truth. This is why their sssd configuration has been so much trouble.

Personally, I'm not sure if sssd will work better than winbind. I doubt it, but our vendor recommends it, so we will do it. Winbind has been pretty stable now.

Having said this, in order to support Linux/Solaris/UNIX clients with A/D one must add some fields to A/D to support UNIX UIDs and GIDs. Our main client has refused to do so, resulting in a lot of issues at first and many problems 15 years ago. That client had replaced four MIT KRB5 realms (running in a cross-realm configuration) with A/D at the time, also replacing a hierarchical (DNS) namespace with a flat (A/D) namespace (with DNS provided by A/D).

We're hoping that sssd may better support A/D that has not been updated to include the recommended fields to support UNIX clients. I'm thinking it won't.
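As an added example (not part of the bug report, and not code from winbind or sssd), here are the two ways a UNIX client can obtain a UID for an A/D account that the comment above contrasts: an algorithmic rid-style mapping (uid = range base + RID, the approach winbind's idmap_rid backend takes) versus reading a uidNumber attribute that an administrator has added to A/D. The domain SID, the ID range, the directory entries and the function names (`parse_sid`, `rid_sid_to_uid`, `resolve_uid`, `try_resolve`) are all constructed for this illustration.

```python
"""Added example: SID -> UID translation, rid-style versus stored uidNumber.

Not from the bug report or from winbind/sssd.  Domain SID, ID range and
directory entries are constructed sample values.
"""
import re
from typing import Optional

# Constructed sample values: a fake domain SID and an ID range of the
# kind one configures for a rid-style idmap backend.
DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"
RANGE_LOW = 10000
RANGE_HIGH = 19999

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid: str) -> tuple[str, int]:
    """Split a textual SID into (domain SID, RID).

    The RID is the last sub-authority; everything before it identifies the
    issuing domain.  A syntactically bad SID raises ValueError.
    """
    if not _SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def rid_sid_to_uid(sid: str, domain_sid: str = DOMAIN_SID,
                   low: int = RANGE_LOW, high: int = RANGE_HIGH) -> int:
    """Algorithmic mapping: uid = low + RID (idmap_rid style).

    Only SIDs from the configured domain map.  A RID that would land above
    the range is rejected rather than wrapped or clamped: handing out a
    wrong UID is worse than a failed lookup.
    """
    domain, rid = parse_sid(sid)
    if domain != domain_sid:
        raise LookupError(f"SID {sid} is not from domain {domain_sid}")
    uid = low + rid
    if uid > high:
        raise ValueError(f"RID {rid} maps to {uid}, outside {low}-{high}")
    return uid


def rid_uid_to_sid(uid: int, domain_sid: str = DOMAIN_SID,
                   low: int = RANGE_LOW, high: int = RANGE_HIGH) -> str:
    """Reverse of rid_sid_to_uid; UIDs outside the range belong to nobody."""
    if not low <= uid <= high:
        raise ValueError(f"uid {uid} is outside the mapped range {low}-{high}")
    return f"{domain_sid}-{uid - low}"


def posix_attr_uid(entry: dict[str, str]) -> Optional[int]:
    """Directory-attribute mapping: use the uidNumber stored in A/D.

    Returns None when the account carries no uidNumber, i.e. when A/D was
    never extended with the UNIX fields.
    """
    value = entry.get("uidNumber")
    return int(value) if value is not None else None


def resolve_uid(entry: dict[str, str]) -> int:
    """Prefer a stored uidNumber; otherwise fall back to the rid mapping."""
    uid = posix_attr_uid(entry)
    if uid is not None:
        return uid
    return rid_sid_to_uid(entry["objectSid"])


def try_resolve(entry: dict[str, str]) -> tuple[Optional[int], str]:
    """Return (uid, 'ok') or (None, reason) so callers see why a login fails."""
    try:
        return resolve_uid(entry), "ok"
    except (LookupError, ValueError) as exc:
        return None, str(exc)


# Constructed sample entries: one with UNIX attributes, one without, one
# from a different (trusted) domain, one whose RID exceeds the range.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "alice", "objectSid": DOMAIN_SID + "-1105",
     "uidNumber": "5001"},
    {"sAMAccountName": "bob", "objectSid": DOMAIN_SID + "-1106"},
    {"sAMAccountName": "carol", "objectSid": "S-1-5-21-9-9-9-1105"},
    {"sAMAccountName": "dave", "objectSid": DOMAIN_SID + "-50000"},
]

if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        uid, why = try_resolve(e)
        print(f"{e['sAMAccountName']:>6}: uid={uid} ({why})")
```

The rid-style path needs nothing stored in A/D, which is the appeal when the directory owner will not add UNIX attributes, but it only works for one configured domain and range; the two failure cases at the end (a trusted domain's SID, a RID past the range) are the kind of per-user login failure that looks like an authentication problem when it is really an ID-mapping one.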