[Freeipa-users] UPN suffixes in AD trust

Giorgio Biacchi giorgio at di.unimi.it
Thu Jun 25 11:06:22 UTC 2015


On 06/25/2015 12:56 PM, Sumit Bose wrote:
> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
>>>> Hi everybody,
>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on
>>>> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
>>>> Everything is working fine, and I'm able to authenticate and log on to a linux
>>>> host joined to IPA server using AD credentials (username at mydomain.local).
>>>> But active directory is configured with two more UPN suffixes (otherdomain.com
>>>> and sub.otherdomain.com), and I cannot log on with credentials using an alternative
>>>> UPN (example: john.doe at otherdomain.com).
>>>>
>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD?
>>>> Manual configuration of krb5 and/or sssd?
>>>
>>> Have you tried to login to an IPA client or the server? Please try with
>>> an IPA server first. If this does not work it would be nice if you can
>>> send the SSSD log files from the IPA server which are generated during
>>> the logon attempt. Please call 'sss_cache -E' before to invalidate all
>>> cached entries so that the logs will contain all needed calls to AD.
>>>
>>> Support for UPN suffixes was added to the AD provider some time ago and the
>>> code is available in the IPA provider as well, but I guess no one has
>>> actually tried this before.
>>>
>>> bye,
>>> Sumit
>>
>> First of all let me say that I feel like I'm missing some config somewhere..
>> Changes tried in krb5.conf to support UPN suffixes didn't help.
>> I can only access the server via ssh so I've attached the logs for a successful
>> login for account1 at mydomain.local and an unsuccessful login for
>> account2 at otherdomain.com done via ssh.
>>
>> Bye and thanks for your help
>>
> 
> It looks like the request is not properly propagated to sub-domains (the
> trusted AD domain) but only sent to the IPA domain.
> 
> Would it be possible for you to run a test build of SSSD which might fix
> this? If yes, which version of SSSD are you currently using? Then I can
> prepare a test build with the patch on top of this version.
> 
> bye,
> Sumit
> 

Hi,
I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for
any test.

Here are the package versions for sssd:

sssd-common-1.12.2-58.el7_1.6.x86_64
sssd-krb5-1.12.2-58.el7_1.6.x86_64
python-sssdconfig-1.12.2-58.el7_1.6.noarch
sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
sssd-1.12.2-58.el7_1.6.x86_64
sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
sssd-ad-1.12.2-58.el7_1.6.x86_64
sssd-ldap-1.12.2-58.el7_1.6.x86_64
sssd-common-pac-1.12.2-58.el7_1.6.x86_64
sssd-proxy-1.12.2-58.el7_1.6.x86_64
sssd-client-1.12.2-58.el7_1.6.x86_64

Thanks again
-- 
gb

PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34
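The failure Sumit describes above (the lookup for john.doe at otherdomain.com is matched only against the IPA domain and never forwarded to the trusted AD domain that actually owns that UPN suffix) can be shown as a small name-routing model. This is an added example written for this page, not SSSD or FreeIPA code: the domain names and UPN suffixes come from the thread, while the data structures, the function names and the topology builder are assumptions. It contrasts the naive routing (IPA domain only) with routing that also consults each trusted domain's name and its additional UPN suffixes, and builds the enterprise-principal string that Kerberos needs for an alternate-suffix logon.

```python
"""Route a UPN-style login name to the domain that owns its suffix.

Added illustration, not SSSD/FreeIPA code. Domain names are taken from the
mailing-list thread; Domain, build_topology, resolve_naive, resolve and
enterprise_principal are assumed names for this example only.
"""

from dataclasses import dataclass, field


@dataclass
class Domain:
    """One domain in the trust topology (assumed structure)."""
    name: str                                   # DNS domain name
    realm: str                                  # Kerberos realm
    upn_suffixes: set = field(default_factory=set)   # extra AD UPN suffixes
    subdomains: list = field(default_factory=list)   # trusted domains


def build_topology():
    """Constructed topology matching the thread: IPA domain trusting one AD
    forest that advertises two additional UPN suffixes."""
    ad = Domain(
        name="mydomain.local",
        realm="MYDOMAIN.LOCAL",
        upn_suffixes={"otherdomain.com", "sub.otherdomain.com"},
    )
    return Domain(name="ipa.mydomain.local", realm="IPA.MYDOMAIN.LOCAL",
                  subdomains=[ad])


def split_upn(login):
    """Split 'user@suffix' into (user, lower-cased suffix).

    A bare user name has no suffix. The split is on the last '@' so a user
    part containing '@' is never mistaken for a suffix."""
    if "@" not in login:
        return login, None
    user, _, suffix = login.rpartition("@")
    if not user or not suffix:
        raise ValueError("malformed UPN: %r" % login)
    return user, suffix.lower()


def resolve_naive(ipa, login):
    """The behaviour the thread reports: only the IPA domain is consulted,
    so any alternate UPN suffix is unknown and the logon fails."""
    _, suffix = split_upn(login)
    if suffix is None or suffix == ipa.name:
        return ipa.name
    return None


def resolve(ipa, login):
    """Consult the IPA domain and then every trusted sub-domain, matching the
    suffix against the domain name and its advertised UPN suffixes.

    Suffixes are matched exactly: 'sub.otherdomain.com' is accepted because
    AD lists it, but an unlisted child such as 'deep.otherdomain.com' is not,
    since AD only honours suffixes it explicitly advertises."""
    _, suffix = split_upn(login)
    if suffix is None:
        return ipa.name
    for dom in [ipa] + ipa.subdomains:
        if suffix == dom.name or suffix in dom.upn_suffixes:
            return dom.name
    return None


def enterprise_principal(ipa, login):
    """Build the Kerberos enterprise principal for an alternate-suffix logon.

    Kerberos expresses 'user@suffix' in realm R as the enterprise name
    user\\@suffix@R (the inner '@' is escaped), which is what an AS-REQ with
    the canonicalize/enterprise flag carries. Returns None if no domain owns
    the suffix."""
    user, suffix = split_upn(login)
    owner = resolve(ipa, login)
    if owner is None:
        return None
    realm = next(d.realm for d in [ipa] + ipa.subdomains if d.name == owner)
    if suffix is None or suffix == owner:
        return "%s@%s" % (user, realm)          # ordinary principal
    return "%s\\@%s@%s" % (user, suffix, realm)  # enterprise principal


if __name__ == "__main__":
    topo = build_topology()
    for name in ("account1@mydomain.local", "account2@otherdomain.com",
                 "jane@sub.otherdomain.com", "x@deep.otherdomain.com"):
        print(name, "naive:", resolve_naive(topo, name),
              "fixed:", resolve(topo, name),
              "princ:", enterprise_principal(topo, name))
```

Running the block shows the two behaviours side by side: the naive resolver returns None for every alternate suffix, which is the "only sent to the IPA domain" symptom, while the fixed resolver routes them to mydomain.local and produces the escaped enterprise principal for the AS exchange.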
