rpms / sssd

Clone
Source Code
GIT

Blame 0046-MAN-Document-which-principal-does-the-AD-provider-us.patch

el5 f11 f12 f13 f14 f15 f16 f17 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 main rawhide
  1.   5f75f7e4f25f4844
  2.   0046-MAN-Document-which-principal-does-the-AD-provider-us.patch
Blob History Raw
Fabiano Fidêncio b6696d9 
From 549a960554f44e79d74c65d9f889ccaef497b11d Mon Sep 17 00:00:00 2001
Fabiano Fidêncio b6696d9 
From: Jakub Hrozek <jhrozek@redhat.com>
Fabiano Fidêncio b6696d9 
Date: Thu, 19 Apr 2018 09:38:47 +0200
Fabiano Fidêncio b6696d9 
Subject: [PATCH] MAN: Document which principal does the AD provider use
Fabiano Fidêncio b6696d9 
MIME-Version: 1.0
Fabiano Fidêncio b6696d9 
Content-Type: text/plain; charset=UTF-8
Fabiano Fidêncio b6696d9 
Content-Transfer-Encoding: 8bit
Fabiano Fidêncio b6696d9
Fabiano Fidêncio b6696d9 
Administrators are often confused by the difference between what
Fabiano Fidêncio b6696d9 
principal is used to authenticate to AD. Let's document that.
Fabiano Fidêncio b6696d9
Fabiano Fidêncio b6696d9 
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
Fabiano Fidêncio b6696d9 
(cherry picked from commit 91d1e4c134b7c90abd2ff86b313175c542cd834c)
Fabiano Fidêncio b6696d9 
---
Fabiano Fidêncio b6696d9 
 src/man/include/ad_modified_defaults.xml | 16 ++++++++++++++++
Fabiano Fidêncio b6696d9 
 1 file changed, 16 insertions(+)
Fabiano Fidêncio b6696d9
Fabiano Fidêncio b6696d9 
diff --git a/src/man/include/ad_modified_defaults.xml b/src/man/include/ad_modified_defaults.xml
Fabiano Fidêncio b6696d9 
index c41b454f8..818a2bf78 100644
Fabiano Fidêncio b6696d9 
--- a/src/man/include/ad_modified_defaults.xml
Fabiano Fidêncio b6696d9 
+++ b/src/man/include/ad_modified_defaults.xml
Fabiano Fidêncio b6696d9 
@@ -58,6 +58,22 @@
Fabiano Fidêncio b6696d9 
                     ldap_use_tokengroups = true
Fabiano Fidêncio b6696d9 
                 </para>
Fabiano Fidêncio b6696d9 
             </listitem>
Fabiano Fidêncio b6696d9 
+            <listitem>
Fabiano Fidêncio b6696d9 
+                <para>
Fabiano Fidêncio b6696d9 
+                    ldap_sasl_authid = sAMAccountName@REALM (typically SHORTNAME$@REALM)
Fabiano Fidêncio b6696d9 
+                </para>
Fabiano Fidêncio b6696d9 
+                <para>
Fabiano Fidêncio b6696d9 
+                    The AD provider looks for a different principal than the
Fabiano Fidêncio b6696d9 
+                    LDAP provider by default, because in an Active Directory
Fabiano Fidêncio b6696d9 
+                    environment the principals are divided into two groups
Fabiano Fidêncio b6696d9 
+                    - User Principals and Service Principals. Only User
Fabiano Fidêncio b6696d9 
+                    Principal can be used to obtain a TGT and by default,
Fabiano Fidêncio b6696d9 
+                    computer object's principal is constructed from
Fabiano Fidêncio b6696d9 
+                    its sAMAccountName and the AD realm. The well-known
Fabiano Fidêncio b6696d9 
+                    host/hostname@REALM principal is a Service Principal
Fabiano Fidêncio b6696d9 
+                    and thus cannot be used to get a TGT with.
Fabiano Fidêncio b6696d9 
+                </para>
Fabiano Fidêncio b6696d9 
+            </listitem>
Fabiano Fidêncio b6696d9 
         </itemizedlist>
Fabiano Fidêncio b6696d9 
     </refsect2>
Fabiano Fidêncio b6696d9 
 </refsect1>
Fabiano Fidêncio b6696d9 
--
Fabiano Fidêncio b6696d9 
2.14.3
Fabiano Fidêncio b6696d9
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.