[Freeipa-users] FreeIPA 4.3.0 Kerberos client referrals not working?

Jakub Hrozek jhrozek at redhat.com
Wed Feb 17 08:31:32 UTC 2016


On Wed, Feb 17, 2016 at 09:13:00AM +0100, Sumit Bose wrote:
> On Tue, Feb 16, 2016 at 10:23:30PM +0000, Nathan Peters wrote:
> > I have created a trust between my FreeIPA domain and an active directory domain.  I can get a kerberos ticket properly from the other domain at the command line on the IPA server.
> > I have also created sudo and HBAC rules to allow my AD users to logon to the IPA domain controller using the recommended nested external group setup.
> > However, I can not actually login to the machines.
> > 
> > I should note that our AD domain is office.mydomain.net, but we use alternative UPN suffixes so the usernames are user at mydomain.net.
> > 
> > I read the patch notes and apparently support for client referrals that will allow alternate UPN suffixes in trusted domains was added in FreeIPA 4.2.1.
> 
> While client referrals with the realm derived from the domain name
> already work the UPN support is currently WIP
> (https://fedorahosted.org/freeipa/ticket/5354).

Several users have reported that a workaround of:
    subdomain_inherit = ldap_user_principal
    ldap_user_principal = phonyattr
solves their issue, but it's just a workaround, not a real solution.
