[Freeipa-users] Question about UPN suffixes in AD trust

Alexander Bokovoy abokovoy at redhat.com
Wed Nov 25 18:51:32 UTC 2015

On Wed, 25 Nov 2015, Giorgio Biacchi wrote:
>Hello list,
>can someone please clarify which configuration steps are needed to make FreeIPA
>aware of additional UPN suffixes defined on AD?
>In my test environment I have a two way trust between the AD (Win 2012 R2) and
>IPA (Fedora 23) servers. On the AD there are 2 UPNs and I need to authenticate
>users with accounts based on those 2 UPNs via IPA against the AD.
>I'm using FreeIPA 4.2.3-1 for FC23 but I'm still unable to make it work in this
>scenario although the bug described here
>https://fedorahosted.org/freeipa/ticket/3559 is now fixed.
>Thanks in advance for any kind reply.

FreeIPA currently only picks up primary user names (sAMAccountName). To
pull UPNs for trusted domains we need to use a slightly different method to
retrieve trust topology information which we were unable to do before
4.2. This is in the plan for 4.4 I think.

The ticket you mentioned is an enabler but it needs appropriate information
in the trust topology to compare realms/UPNs.

/ Alexander Bokovoy
