stonith · August 29, 2015 14:10
diff --git a/sssd.conf b/sssd.conf
 [sssd]
 config_file_version = 2
 domains = test.local
 services = nss, pam
 debug_level = 0
 reconnection_retries = 3

 [nss]
 filter_groups = root
 filter_users = root
 reconnection_retries = 3

 [pam]
 reconnection_retries = 3

 [domain/test.local]
 debug_level = 6
 # Unless you know you need referrals, turn them off
 ldap_referrals = false
 # Uncomment if you need offline logins
 cache_credentials = true
 enumerate = false

 id_provider = ldap
 auth_provider = krb5
 chpass_provider = krb5
 access_provider = ldap

 # Uncomment if service discovery is not working
 #ldap_uri = ldap://host.test.local
 #ldap_tls_reqcert = demand
 #ldap_tls_cacert = /etc/ssl/certs/ca-bundle.crt

 # Comment out if not using SASL/GSSAPI to bind
 #ldap_sasl_mech = GSSAPI
 # Uncomment and adjust if the default principal host/fqdn@REALM is not available
 #ldap_sasl_authid = nfs/[email protected]

 # Define these only if anonymous binds are not allowed and no keytab is available
 # Enabling use_start_tls is very important, otherwise the bind password is transmitted
 # over the network in the clear
 #ldap_id_use_start_tls = True
 ldap_default_bind_dn = CN=Bind User,CN=Users,DC=test,DC=local
 ldap_default_authtok_type = password
 ldap_default_authtok = ***********

 ldap_id_mapping = True
 ldap_schema = AD

 ldap_user_search_base = CN=Users,DC=test,DC=local
 ldap_user_object_class = user

 override_homedir=/home/%d/%u
 default_shell=/bin/bash
 ldap_user_principal = userPrincipalName

 #ldap_group_search_base = CN=Users,DC=test,DC=local
 #ldap_group_object_class = group

 ldap_access_order = expire
 ldap_account_expire_policy = ad
 ldap_force_upper_case_realm = true

 # Uncomment if dns discovery of your AD servers isn't working.
 #krb5_server = server.ad.example.com
 krb5_realm = TEST.LOCAL
 krb5_use_enterprise_principal = true

 # Probably required with sssd 1.8.x and newer
 krb5_canonicalize = false
	[sssd]
	config_file_version = 2
	domains = test.local
	services = nss, pam
	debug_level = 0
	reconnection_retries = 3

	[nss]
	filter_groups = root
	filter_users = root
	reconnection_retries = 3

	[pam]
	reconnection_retries = 3

	[domain/test.local]
	debug_level = 6
	# Unless you know you need referrals, turn them off
	ldap_referrals = false
	# Uncomment if you need offline logins
	cache_credentials = true
	enumerate = false

	id_provider = ldap
	auth_provider = krb5
	chpass_provider = krb5
	access_provider = ldap

	# Uncomment if service discovery is not working
	#ldap_uri = ldap://host.test.local
	#ldap_tls_reqcert = demand
	#ldap_tls_cacert = /etc/ssl/certs/ca-bundle.crt

	# Comment out if not using SASL/GSSAPI to bind
	#ldap_sasl_mech = GSSAPI
	# Uncomment and adjust if the default principal host/fqdn@REALM is not available
	#ldap_sasl_authid = nfs/[email protected]

	# Define these only if anonymous binds are not allowed and no keytab is available
	# Enabling use_start_tls is very important, otherwise the bind password is transmitted
	# over the network in the clear
	#ldap_id_use_start_tls = True
	ldap_default_bind_dn = CN=Bind User,CN=Users,DC=test,DC=local
	ldap_default_authtok_type = password
	ldap_default_authtok = ***********

	ldap_id_mapping = True
	ldap_schema = AD

	ldap_user_search_base = CN=Users,DC=test,DC=local
	ldap_user_object_class = user

	override_homedir=/home/%d/%u
	default_shell=/bin/bash
	ldap_user_principal = userPrincipalName

	#ldap_group_search_base = CN=Users,DC=test,DC=local
	#ldap_group_object_class = group

	ldap_access_order = expire
	ldap_account_expire_policy = ad
	ldap_force_upper_case_realm = true

	# Uncomment if dns discovery of your AD servers isn't working.
	#krb5_server = server.ad.example.com
	krb5_realm = TEST.LOCAL
	krb5_use_enterprise_principal = true

	# Probably required with sssd 1.8.x and newer
	krb5_canonicalize = false