I'm in an environment with several Active Directory sites, each with a domain controller. When remote sites' DCs are unreachable because of a VPN outage, password authentication is slow or fails. tcpdump shows the system is trying to talk to the other sites' domain controllers, and timing out.
sssd-common installs the locator plugin at /usr/lib/x86_64-linux-gnu/krb5/plugins/krb5/sssd_krb5_locator_plugin.so.
But I can see in strace that Kerberos apps are looking for plugins in /usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5 instead (libkrb5 vs krb5).
open("/usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5", O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
As a result, Kerberos doesn't respect SSSD's Active Directory site selection.
As a workaround, if I copy /usr/lib/x86_64-linux-gnu/krb5/plugins/krb5 to /usr/lib/x86_64-linux-gnu/krb5/plugins/libkrb5, site selection works as expected.
Mailing list ref: https://<email address hidden>/thread/UUMFE5T376D3NJLNHQSJZAJCPM35KRED/
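A check for the directory mismatch described in this report, as an added example that is not part of the original report or of SSSD. The function names `locator_status` and `missing_plugin_dirs` and the `PLUGIN_BASE` variable are assumptions made for illustration; the paths and plugin file name are the ones quoted above.

```shell
#!/bin/sh
# Added example (not from the report or from SSSD): report whether the SSSD
# Kerberos locator plugin is in the directory libkrb5 was seen searching.
# PLUGIN_BASE is a hypothetical override; the default is the path in the report.

PLUGIN_BASE="${PLUGIN_BASE:-/usr/lib/x86_64-linux-gnu/krb5/plugins}"
PLUGIN_NAME="sssd_krb5_locator_plugin.so"

# locator_status BASE
# Prints one of:
#   searched  - plugin present in BASE/libkrb5 (the directory seen in strace)
#   misplaced - plugin only in BASE/krb5 (where sssd-common installs it)
#   absent    - plugin in neither directory
locator_status() {
    base="$1"
    if [ -e "$base/libkrb5/$PLUGIN_NAME" ]; then
        echo searched
    elif [ -e "$base/krb5/$PLUGIN_NAME" ]; then
        echo misplaced
    else
        echo absent
    fi
}

# missing_plugin_dirs TRACE_FILE
# From a saved strace log, print each Kerberos plugin path whose open failed
# with ENOENT, one per line, without duplicates.
missing_plugin_dirs() {
    sed -n '/ENOENT/s|.*"\([^"]*/krb5/plugins/[^"]*\)".*|\1|p' "$1" | sort -u
}

# Stand-alone use: check this host, and optionally a strace log given as $1.
echo "locator plugin: $(locator_status "$PLUGIN_BASE")"
if [ -n "${1:-}" ]; then
    missing_plugin_dirs "$1"
fi
```

A result of `misplaced` corresponds to the state in the report, where site selection is not applied until the plugin is also available under `libkrb5`.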