Comment 0 for bug 1664566

Michael Smith (mzs) wrote :

Hi,

I'm in an environment with several Active Directory sites, each with a domain controller. When remote sites' DCs are unreachable because of a VPN outage, password authentication is slow or fails. tcpdump shows the system is trying to talk to the other sites' domain controllers, and timing out.

sssd-common installs the locator plugin at /usr/lib/x86_64-linux-gnu/krb5/plugins/krb5/sssd_krb5_locator_plugin.so.

But I can see in strace that Kerberos apps are looking for plugins in /usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5 instead (libkrb5 vs krb5).

open("/usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory)

As a result, Kerberos doesn't respect SSSD's Active Directory site selection.

As a workaround, if I copy /usr/lib/x86_64-linux-gnu/krb5/plugins/krb5 to /usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5, site selection works as expected.

Mailing list ref: https://<email address hidden>/thread/UUMFE5T376D3NJLNHQSJZAJCPM35KRED/
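
A diagnostic for the mismatch described in the comment above, as an added example that is not part of the original report and not SSSD or krb5 project code. The function names are hypothetical, and the paths and plugin file name are the ones quoted in the report.

```shell
#!/bin/sh
# Added diagnostic example; not from the bug report or from SSSD/krb5.
PLUGIN=sssd_krb5_locator_plugin.so
DEFAULT_BASE=/usr/lib/x86_64-linux-gnu/krb5/plugins   # path from the report

# List plugin directories a traced process tried to open and got ENOENT.
# $1: file holding strace output
missing_plugin_dirs() {
    sed -n '/O_DIRECTORY.*= -1 ENOENT/s|^[^"]*"\([^"]*/krb5/plugins/[^"]*\)".*$|\1|p' "$1" | sort -u
}

# Compare where the locator plugin is installed with where it is looked up.
# $1: plugin base directory (defaults to the path in the report)
# Returns 0 = found in libkrb5/, 1 = only in krb5/ (the mismatch reported),
#         2 = not found in either directory.
check_locator_plugin() {
    base=${1:-$DEFAULT_BASE}
    if [ -e "$base/libkrb5/$PLUGIN" ]; then
        echo "ok: $base/libkrb5/$PLUGIN is where Kerberos apps look"
        return 0
    fi
    if [ -e "$base/krb5/$PLUGIN" ]; then
        echo "mismatch: $PLUGIN is in $base/krb5 but not in $base/libkrb5"
        return 1
    fi
    echo "missing: $PLUGIN not found under $base"
    return 2
}
```

Source the file, then run `check_locator_plugin` with no argument to test the default path, or `missing_plugin_dirs trace.log` on saved strace output.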