From 17ad6c5e1a2b650042e2d367b175c7500eb6452e Mon Sep 17 00:00:00 2001
From: Raphael Dannecker
Date: Mon, 17 Nov 2025 12:20:55 +0100
Subject: [PATCH] Prevent login without krb5-ticket on non localhome machines
---
 roles/lmn_sssd/templates/sssd.conf.j2 | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/roles/lmn_sssd/templates/sssd.conf.j2 b/roles/lmn_sssd/templates/sssd.conf.j2
index fef5d02..1591f1d 100644
--- a/roles/lmn_sssd/templates/sssd.conf.j2
+++ b/roles/lmn_sssd/templates/sssd.conf.j2
@@ -9,7 +9,9 @@ ad_domain = {{ domain }}
 id_provider = ad
 access_provider = ad
 use_fully_qualified_names = False
+{% if localhome is defined and localhome %}
 cache_credentials = True
+{% endif %}
 krb5_store_password_if_offline = True
 default_shell = /usr/bin/bash
 # default: # ldap_id_mapping = True
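Review bot: `krb5_store_password_if_offline = True`, directly below the new `{% endif %}`, is still rendered on every machine, although it belongs to the same offline-login path that this commit turns off for non-localhome hosts. Consider moving that line inside the `{% if localhome is defined and localhome %}` block so both offline settings are gated together. On non-localhome machines the template now emits no `cache_credentials` line at all and relies on the sssd default of false; an `{% else %}` branch with `cache_credentials = False` would make the intent visible in the rendered file. A short comment above the `{% if %}` should say why caching is tied to `localhome`. Credential hashes already cached on deployed machines are presumably not removed by the config change alone, so the rollout may need a step that clears the sssd cache.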