From 91d1e4c134b7c90abd2ff86b313175c542cd834c Mon Sep 17 00:00:00 2001 From: Jakub Hrozek Date: Apr 25 2018 05:33:28 +0000 Subject: MAN: Document which principal does the AD provider use Administrators are often confused by the difference between what principal is used to authenticate to AD. Let's document that. Reviewed-by: Pavel Březina --- diff --git a/src/man/include/ad_modified_defaults.xml b/src/man/include/ad_modified_defaults.xml index c41b454..818a2bf 100644 --- a/src/man/include/ad_modified_defaults.xml +++ b/src/man/include/ad_modified_defaults.xml @@ -58,6 +58,22 @@ ldap_use_tokengroups = true + + + ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM) + + + The AD provider looks for a different principal than the + LDAP provider by default, because in an Active Directory + environment the principals are divided into two groups + - User Principals and Service Principals. Only User + Principal can be used to obtain a TGT and by default, + computer object's principal is constructed from + its sAMAccountName and the AD realm. The well-known + host/hostname@REALM principal is a Service Principal + and thus cannot be used to get a TGT with. + +
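Review bot: The explanatory paragraph in this hunk needs a grammar pass before it lands in the man page: "Only User Principal can be used to obtain a TGT" should read "Only a User Principal can be used to obtain a TGT", "computer object's principal is constructed" should read "the computer object's principal is constructed", and the closing clause "cannot be used to get a TGT with" reads awkwardly and should become "cannot be used to obtain a TGT". The line break that leaves a bare "- User Principals and Service Principals" at the start of a line also renders poorly; writing "divided into two groups: User Principals and Service Principals" keeps the intended meaning without the dangling dash. Finally, the default shown as "sAMAccountName@REALM (typically SHORTNAME$@REALM)" would be clearer if the text stated explicitly that this is the client principal the AD provider presents for the SASL/GSSAPI bind, since that is exactly the point the commit message says confuses administrators.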