[Bug 268186] Kerberos authentication fails with a Linux/FreeIPA KDC

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 07 Dec 2022 16:37:36 UTC
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=268186

--- Comment #13 from Cy Schubert <cy@FreeBSD.org> ---
(In reply to Michael Osipov from comment #12)
He didn't elaborate. Though in the discussion after the session he did say they
wanted a UID-like field in the database (he was probably referring to the SID
at the time).

At $JOB we've had a lot of problems translating SIDs to UIDs. We've been
using winbind (which stores the ticket in memory instead of /tmp) and are
converting to sssd.

One of my former clients (another guy on the team is working with them now)
uses sssd. There have been many issues with logins through ssh. None of which
we can fix, all of which are on their side. They're mirroring their A/D using
openldap running on Linux. Their sssd uses the openldap servers as their Linux
source of truth. This is why their sssd configuration has been so much trouble.

Personally, I'm not sure if sssd will work better than winbind. I doubt it but
our vendor recommends it, so we will do it. Winbind has been pretty stable now.

Having said this, in order to support Linux/Solaris/UNIX clients with A/D one
must add some fields to support UNIX UID and GID to A/D. Our main client has
refused to do so resulting in a lot of issues at first resulting in many
problems 15 years ago. That client had replaced four MIT KRB5 realms (running
in a cross realm configuration) with A/D at the time. Also replacing a
hierarchical (DNS) namespace with a flat (A/D) namespace (with DNS provided by
A/D).

We're hoping that sssd may better support A/D that has not been updated to
include the recommended fields to support UNIX clients. I'm thinking it won't.
