What were you trying to do that didn't work?

When a client is joined to AD or IPA, SSSD should automatically create the Kerberos localauth configuration snippet at:
 

/var/lib/sss/pubconf/krb5.include.d/localauth_plugin 

This file is expected to contain the directive:

disable = an2ln 

What is the impact of this issue to you?

The missing disable = an2ln directive may cause incorrect Kerberos principal mappings and confusion due to outdated documentation.

Please provide the package NVR for which the bug is seen:

1. rpm -qa sssd
   sssd-2.9.7-4.el9_7.1.x86_64

   How reproducible is this bug?:

Alaways

Steps to reproduce

1. Join a client to AD or IPA.

1. Verify the generated file:

   cat /var/lib/sss/pubconf/krb5.include.d/localauth_plugin 

    

2. Observe that the line disable = an2ln is missing in  sssd_krb5_localauth_plugin man page

Expected results

The file /var/lib/sss/pubconf/krb5.include.d/localauth_plugin should include disable = an2ln.

Actual results

The generated configuration snippet does not include disable = an2ln.