Commit 91d1e4c MAN: Document which principal does the AD provider use

1 file changed. Authored by jhrozek 4 months ago, committed by fidencio 4 months ago.
MAN: Document which principal does the AD provider use

Administrators are often confused by the difference between what
principal is used to authenticate to AD. Let's document that.

Reviewed-by: Pavel Březina <pbrezina@redhat.com>

 1 @@ -58,6 +58,22 @@
 2                       ldap_use_tokengroups = true
 3                   </para>
 4               </listitem>
 5 +             <listitem>
 6 +                 <para>
 7 +                     ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)
 8 +                 </para>
 9 +                 <para>
10 +                     The AD provider looks for a different principal than the
11 +                     LDAP provider by default, because in an Active Directory
12 +                     environment the principals are divided into two groups
13 +                     - User Principals and Service Principals. Only User
14 +                     Principal can be used to obtain a TGT and by default,
15 +                     computer object's principal is constructed from
16 +                     its sAMAccountName and the AD realm. The well-known
17 +                     host/hostname@REALM principal is a Service Principal
18 +                     and thus cannot be used to get a TGT with.
19 +                 </para>
20 +             </listitem>
21           </itemizedlist>
22       </refsect2>
23   </refsect1>
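Review bot: The new <para> has two grammar slips that should be fixed before this lands in the man page: "Only User Principal can be used to obtain a TGT" should read "Only User Principals can be used to obtain a TGT", and "cannot be used to get a TGT with" should drop the trailing "with" ("and thus cannot be used to obtain a TGT"). It would also help readers if the first <para> said where the "$" in "SHORTNAME$@REALM" comes from, i.e. that the sAMAccountName of a computer object is the short host name with a trailing dollar sign, since that is the value the keytab entry has to match when ldap_sasl_authid is left at its default.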