On a clean-installed CentOS 7 host:

    realm join -U foo --client-software sssd AD.EXAMPLE.COM

After running realm list, the output looks initially like this:

    AD.EXAMPLE.COM
      type: kerberos
      realm-name: AD.EXAMPLE.COM
      domain-name: ad.example.com
      configured: kerberos-member
      server-software: active-directory
      client-software: sssd
      required-package: oddjob
      required-package: oddjob-mkhomedir
      required-package: sssd
      required-package: adcli
      required-package: samba-common
      login-formats: %U@ad.example.com
      login-policy: allow-realm-logins

Showing me that I joined an active directory with sssd as I had intended.
Later on (not sure what triggers or it … a system reboot guarantees it, but other things seem to as well — maybe a samba restart?), the realm list output changes to this:

    ad.example.com
      type: kerberos
      realm-name: AD.EXAMPLE.COM
      domain-name: ad.example.com
      configured: kerberos-member
      server-software: active-directory
      client-software: winbind
      required-package: oddjob-mkhomedir
      required-package: oddjob
      required-package: samba-winbind-clients
      required-package: samba-winbind
      required-package: samba-common
      login-formats: AD\%U
      login-policy: allow-any-login
    AD.EXAMPLE.COM
      type: kerberos
      realm-name: AD.EXAMPLE.COM
      domain-name: ad.example.com
      configured: kerberos-member
      server-software: active-directory
      client-software: sssd
      required-package: oddjob
      required-package: oddjob-mkhomedir
      required-package: sssd
      required-package: adcli
      required-package: samba-common
      login-formats: %U@ad.example.com
      login-policy: allow-realm-logins

How did I become joined to the same domain via both mechanisms? Is there a way I can NOT have this happen? Or is this somehow needed behavior?
Best Answer
I know I'm not answering your question per se, but maybe this would be helpful as well -- as long as only sss is configured in nsswitch.conf and only pam_sss.so is configured in the PAM configuration, then only SSSD's entry points would be used.
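
One way to verify the condition described in the answer, as an added example that is not part of the original answer: the script below looks for uncommented winbind entries in nsswitch.conf and pam_winbind.so lines under pam.d. The function names and the optional root-directory argument (for checking a copy of /etc) are assumptions made for this example; the paths are the standard CentOS 7 locations.

```shell
#!/bin/sh
# Added example: detect winbind entry points still wired into NSS or PAM.
# Optional argument: an alternate root holding a copy of /etc (assumption,
# used so the check can run against a backup or a test tree).

# Print each uncommented nsswitch.conf line that lists the winbind module.
nss_winbind_lines() {
    root=${1:-}
    [ -r "$root/etc/nsswitch.conf" ] || return 0
    awk '{ sub(/#.*/, "")
           for (i = 2; i <= NF; i++)
               if ($i == "winbind") { print "/etc/nsswitch.conf: " $0; next } }' \
        "$root/etc/nsswitch.conf"
}

# Print each uncommented PAM line that loads pam_winbind.so (bare or full path).
pam_winbind_lines() {
    root=${1:-}
    for f in "$root"/etc/pam.d/*; do
        [ -f "$f" ] || continue
        awk -v f="$f" '{ sub(/#.*/, "")
               for (i = 1; i <= NF; i++)
                   if ($i ~ /(^|\/)pam_winbind\.so$/) { print f ": " $0; next } }' "$f"
    done
}

# Return 0 when no winbind entry point is configured, 1 otherwise.
check_sssd_only() {
    root=${1:-}
    hits=$(nss_winbind_lines "$root"; pam_winbind_lines "$root")
    if [ -n "$hits" ]; then
        printf 'winbind entry points still configured:\n%s\n' "$hits"
        return 1
    fi
    echo "no winbind entry points in nsswitch.conf or pam.d"
}

# Usage on the live system:   check_sssd_only
# Usage on a copied tree:     check_sssd_only /tmp/etc-backup-root
```

On CentOS 7, system-auth and password-auth are normally symlinks to their -ac files, so a single pam_winbind.so line can be reported under both names.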