[Freeipa-users] Fwd: AD trust and UPN issue

Jakub Hrozek jhrozek at redhat.com
Tue May 10 12:38:01 UTC 2016


On Tue, May 10, 2016 at 02:17:07PM +0200, Jan Karásek wrote:
> Hi all, 
> I have a lab environment with an IPA server and a trust to Active Directory. 
> IPA server is in a.example.com. 
> AD DC is in example.com. 
> We also have a child AD subdomain ext.example.com. 
> Everything is fine until the users in the AD domain ext.example.com get the UPN suffix of the root AD domain - example.com - which is a pretty common scenario. 
> Example: 
> user at ext.example.com is set in AD with UPN user at example.com 
> 
> In this situation I am not able to login into my linux box with user at example.com 
> I have seen some open tickets on this issue, 3559 and others, and they are marked as fixed in IPA 4.2 ... but I'm not sure if it's already fixed in the current packages. 
> Currently I am testing on RHEL7 with ipa-server-4.2.0-15.el7_2.6.1.x86_64 and the same situation is on Fedora 23 with freeipa-server-4.2.4-1.fc23.x86_64. 
> I have default settings - no changes in krb5.conf and sssd.conf after ipa trust-add. 
> Also I have found the workaround to set in krb5.conf (see topic: Cannot find KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues in RH archive ) - add another realm just with EXT.EXAMPLE.COM = { kdc = ad.ext.example.com:88 } - but no effect. 
> Could you please confirm that it's possible to use IPA with a different UPN suffix for users in AD than the domain name in which they exist? Is there any additional configuration needed to fix this scenario? 

In general no, not until 7.3. But it might work with a workaround. Can
you try setting:
    ldap_user_principal = nosuchattr
    subdomain_inherit = ldap_user_principal
in sssd.conf's domain section on the server? (Yes, server, not client..)

This should work without the workaround starting with 7.3..
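The workaround above is two lines in the IPA server's sssd.conf, but they have to land in the right section ([domain/<ipa-domain>], not [sssd] or a client's file) and must not be added twice. The following is an added example, not code from the thread or from SSSD/FreeIPA: a POSIX sh script that puts ldap_user_principal = nosuchattr and subdomain_inherit = ldap_user_principal into that section and verifies they are there. Assumptions not stated in the thread: the IPA domain is a.example.com, the config file is passed as an argument, and the sample sssd.conf written by make_sample_conf is constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the thread: apply the two-line sssd.conf workaround
# from the reply above to the IPA server's own [domain/<ipa-domain>] section,
# and check that it is present. Assumptions not in the thread: the IPA domain
# is a.example.com, the config is passed as a file argument, and the sample
# sssd.conf below is constructed for the demo.

# ini_get FILE SECTION KEY : print KEY's value from [SECTION], or nothing.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }
    ' "$1"
}

# ini_set FILE SECTION KEY VALUE : set KEY in [SECTION], replacing an existing
# line or appending one at the end of the section (above trailing blank lines).
ini_set() {
    tmp="$1.tmp.$$"
    awk -v sec="[$2]" -v key="$3" -v val="$4" '
        function emit() {
            if (insec && !done) { print key " = " val; done = 1 }
            printf "%s", blanks; blanks = ""
        }
        $0 == sec { print; insec = 1; next }
        /^\[/     { emit(); insec = 0 }
        insec && /^[ \t]*$/ { blanks = blanks $0 "\n"; next }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            printf "%s", blanks; blanks = ""
            print key " = " val; done = 1; next
        }
        insec { printf "%s", blanks; blanks = "" }
        { print }
        END { emit() }
    ' "$1" > "$tmp" && mv "$tmp" "$1"
}

# apply_upn_workaround FILE IPA_DOMAIN : the two settings suggested in the reply.
apply_upn_workaround() {
    ini_set "$1" "domain/$2" ldap_user_principal nosuchattr &&
    ini_set "$1" "domain/$2" subdomain_inherit ldap_user_principal
}

# upn_workaround_applied FILE IPA_DOMAIN : succeed only if both lines are set.
upn_workaround_applied() {
    [ "$(ini_get "$1" "domain/$2" ldap_user_principal)" = nosuchattr ] &&
    [ "$(ini_get "$1" "domain/$2" subdomain_inherit)" = ldap_user_principal ]
}

# make_sample_conf FILE : constructed minimal sssd.conf of an IPA server.
make_sample_conf() {
    cat > "$1" <<'EOF'
[domain/a.example.com]
id_provider = ipa
ipa_server = ipa.a.example.com
ipa_domain = a.example.com
ipa_server_mode = True
cache_credentials = True

[sssd]
services = nss, pam
domains = a.example.com
EOF
}

# Demo on a throwaway copy. On a real server edit /etc/sssd/sssd.conf, then
# restart sssd and drop cached entries: systemctl restart sssd; sss_cache -E
conf=$(mktemp)
make_sample_conf "$conf"
apply_upn_workaround "$conf" a.example.com
upn_workaround_applied "$conf" a.example.com && echo "workaround present"
cat "$conf"
rm -f "$conf"
```

Running it twice leaves exactly one copy of each line, so it is safe to re-run after a package update rewrites the file. After the change, sssd has to be restarted and its cache cleared (sss_cache -E) before the AD user with the root-domain UPN is looked up again, otherwise the old negative cache entry is served.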
