On Thu, 30 Jan 2014, Bob Marcan wrote:

> Please post sssd.conf.

OK, here it is. Note that we're using service discovery to locate the DC's, which avoids having to hard-code the DC host names. This particular sssd.conf was from a machine called nebula, and europa.icse.cornell.edu is the domain (and realm) name.

# Global SSSD settings: two responders (NSS, PAM) and two domains.
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = LOCAL, EUROPA

# NSS responder: root is never resolved through SSSD.
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3

[pam]
reconnection_retries = 3
# Days before password expiry at which a warning is shown.
pam_pwd_expiration_warning = 7

# Local (non-directory) accounts, restricted to IDs 400-499.
# NOTE(review): the "local" provider has been deprecated in later SSSD
# releases; confirm it is still available in the version you run.
[domain/LOCAL]
description = Local Users domain
id_provider = local
enumerate = false
min_id = 400
max_id = 499

# Directory domain: identities over LDAP, authentication and password
# changes over Kerberos.
# NOTE(review): no access_provider is set in this section. SSSD's
# documented default is "permit", so the ldap_access_order and
# ldap_account_expire_policy settings below appear to have no effect
# unless access_provider = ldap is added; confirm against sssd.conf(5).
[domain/EUROPA]
description = EUROPA Environment
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
enumerate = false
# IDs outside this range are ignored by SSSD.
min_id = 1000
max_id = 59999
# Servers are located through DNS service discovery in this domain (see
# the message text above), so server selection is only as trustworthy as
# the DNS answers.
dns_discovery_domain = europa.icse.cornell.edu
# The LDAP bind uses GSSAPI with the machine's host principal.
# NOTE(review): " at " in the principal below is presumably the list
# archive's obfuscation of "@"; restore it before reusing the value.
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = HOST/nebula.icse.cornell.edu at EUROPA.ICSE.CORNELL.EDU
ldap_search_base = DC=europa,DC=icse,DC=cornell,DC=edu
# StartTLS is not used for identity lookups here; protection of the LDAP
# traffic then depends on what the GSSAPI bind negotiates (ldap_sasl_minssf
# can set a floor; verify what your servers require).
ldap_id_use_start_tls = false
# "never" disables server certificate checking for any TLS connection this
# domain makes, which also leaves ldap_tls_cacertdir without effect for
# validation. If TLS is enabled later, set this to "demand" first.
ldap_tls_reqcert = never
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
ldap_referrals = false
ldap_force_upper_case_realm = true
# Account-expiry check using AD semantics; see the access_provider note at
# the top of this section.
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_sasl_canonicalize = false
# User attribute mapping; only entries under CN=users are searched.
ldap_user_search_base = CN=users,DC=europa,DC=icse,DC=cornell,DC=edu
ldap_user_object_class = person
ldap_user_name = sAMAccountName
ldap_user_fullname = displayName
ldap_user_gecos = displayName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_principal = userPrincipalName
ldap_user_modify_timestamp = whenChanged
# Group attribute mapping; groups are read from the same container.
ldap_group_search_base = CN=users,DC=europa,DC=icse,DC=cornell,DC=edu
ldap_group_object_class = group
ldap_group_name = sAMAccountName
ldap_group_gid_number = gidNumber
ldap_group_modify_timestamp = whenChanged
ldap_group_nesting_level = 2
# KDC and kpasswd are addressed by the domain name rather than a single
# DC host name.
krb5_server = europa.icse.cornell.edu
krb5_kpasswd = europa.icse.cornell.edu
krb5_realm = EUROPA.ICSE.CORNELL.EDU
# Credential caches are files in world-writable /tmp. In the template, %d
# is krb5_ccachedir, %U is the numeric UID, and the trailing XXXXXX is
# replaced with a unique suffix when the file is created.
krb5_ccachedir = /tmp
krb5_ccname_template = FILE:%d/krb5cc_%U_XXXXXX
# Seconds before an online authentication request is aborted.
krb5_auth_timeout = 15
# NOTE(review): krb5_validate is not set. With the plain krb5 provider it
# defaults to false, so the TGT is not checked against the host keytab.
# A host principal is already used for the GSSAPI bind above, so enabling
# krb5_validate = true should be possible and guards against a spoofed
# KDC; confirm a keytab is present.

-Steve