Learn more about these different git repos.
Other Git URLs
SSSD attempts to use fqdn$@DOMAIN rather than shorthostname$@DOMAIN. This means it fails to find a usable credential on a machine joined to Active Directory, and is looking for a principal that's very unlikely to exist.
Since 4ee7f39, searching for *$ has been removed, so the short form is never found. As a result, AD configurations that worked prior to this update that don't explicitly set ldap_sasl_authid now fail to find a suitable credential.
Replying to [ticket:1740 prefect]:
Since 4ee7f39, searching for *$ has been removed, so the short form is never found.
This is not entirely correct, the search for *$ has not been removed but rather moved down to the list. I think that makes sense, actually, as the wildcard matches should follow specific matches.
As a result, AD configurations that worked prior to this update that don't explicitly set ldap_sasl_authid now fail to find a suitable credential.
In particular, this is a result of many keytabs also having host/hostname@REALM, which, as it's a specific match gets matched before the wildcard *$@REALM.
Fields changed
owner: somebody => jhrozek status: new => assigned
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=892197
rhbz: => [https://bugzilla.redhat.com/show_bug.cgi?id=892197 892197]
milestone: NEEDS_TRIAGE => SSSD 1.9.4 patch: 0 => 1
Is there a way to set ldap_sasl_authid to something automatically on the upgrade to avoid manual changes?
Replying to [comment:5 dpal]:
There might be, but it's actually easier to fix the code.
resolution: => fixed status: assigned => closed
Metadata Update from @prefect: - Issue assigned to jhrozek - Issue set to the milestone: SSSD 1.9.4
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/2782
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
subscribe
Thank you for understanding. We apologize for all inconvenience.
Login to comment on this ticket.