[Freeipa-users] Password-based authentication with AD users does not work

Sumit Bose sbose at redhat.com
Thu Apr 6 18:50:49 UTC 2017


On Thu, Apr 06, 2017 at 01:55:02PM +0200, Ronald Wimmer wrote:
> On 2017-04-06 12:16, Sumit Bose wrote:
> > On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote:
> > [...]
> > > AD trust:
> > > mydomain.at (forest root)
> > > xyz (subdomain -> where myuser resides)
> > > 
> > > BCC (appearing in krb5_child.log) is not a domain here. It is my company's
> > > name and might derive from some information in the AD.
> > Yes, it is about the userPrincipalName attribute read from AD. Which IPA
> > server version do you use? Since RHEL-7.3 IPA supports those principals
> > coming from AD. For older versions you should add a workaround which is
> > e.g. described at the end of
> > https://www.redhat.com/archives/freeipa-users/2016-November/msg00069.html
> > 
> > HTH
> > 
> > bye,
> > Sumit
> 
> I am using an up-to-date RHEL 7.3 IPA master. Is there no possibility to
> override it?

Please check on the server with

    ipa trust-find

if the BCC domain is listed as 'UPN suffixes:'. If not please try

    ipa trust-fetch-domains

and check again. If the domain is listed, then a 7.3 IPA client should be
able to detect it automatically; on older clients you should set
'krb5_use_enterprise_principal = True' manually in sssd.conf.

HTH

bye,
Sumit
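The check Sumit describes (is the UPN suffix listed under 'UPN suffixes:' in `ipa trust-find`, and does the client's sssd.conf carry the workaround) can be scripted. The following is an added example, not code from the thread or from FreeIPA/SSSD: the `ipa trust-find` output and the sssd.conf are constructed samples embedded inline, the suffix `bcc.example` stands in for the poster's BCC suffix, and the function names are the example's own. The option is placed in the IPA domain section of sssd.conf, where SSSD reads krb5_use_enterprise_principal.

```shell
#!/bin/sh
# Added example: parse the text output of `ipa trust-find` for a UPN suffix,
# and check/add krb5_use_enterprise_principal in an sssd.conf domain section.
# All sample data below is constructed; domain names and SIDs are placeholders.

# Constructed sample of `ipa trust-find` output ("Key: value" layout).
TRUST_FIND_SAMPLE='---------------
1 trust matched
---------------
  Realm name: mydomain.at
  Domain NetBIOS name: MYDOMAIN
  Domain Security Identifier: S-1-5-21-1111111111-2222222222-3333333333
  Trust type: Active Directory domain
  UPN suffixes: bcc.example, corp.example
----------------------------
Number of entries returned 1
----------------------------'

# Constructed sample sssd.conf of an IPA client without the workaround.
SSSD_CONF_SAMPLE='[sssd]
domains = ipa.example.test
services = nss, pam

[domain/ipa.example.test]
id_provider = ipa
ipa_server = _srv_, ipa1.ipa.example.test
'

# upn_suffix_listed OUTPUT SUFFIX
# Exit 0 if SUFFIX appears among the comma-separated "UPN suffixes:" values
# of any trust in OUTPUT. Comparison is case-insensitive (DNS-style names).
upn_suffix_listed() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*UPN suffixes:[[:space:]]*//p' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        tr 'A-Z' 'a-z' |
        grep -qxF "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
}

# enterprise_principal_enabled CONF SECTION
# Exit 0 if the [SECTION] stanza of CONF sets krb5_use_enterprise_principal = True.
enterprise_principal_enabled() {
    printf '%s\n' "$1" |
        awk -v section="$2" '
            /^[[:space:]]*\[.*\][[:space:]]*$/ {
                s = $0; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", s)
                in_sec = (s == section); next
            }
            in_sec && tolower($0) ~ /^[[:space:]]*krb5_use_enterprise_principal[[:space:]]*=[[:space:]]*true[[:space:]]*$/ { found = 1 }
            END { exit found ? 0 : 1 }'
}

# with_enterprise_principal CONF SECTION
# Print CONF with "krb5_use_enterprise_principal = True" appended to the
# [SECTION] stanza (the workaround for clients older than 7.3). Idempotent:
# prints CONF unchanged if the option is already set in that stanza.
with_enterprise_principal() {
    if enterprise_principal_enabled "$1" "$2"; then
        printf '%s\n' "$1"
        return 0
    fi
    printf '%s\n' "$1" |
        awk -v section="$2" '
            function header(line) { s = line; gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", s); return s }
            /^[[:space:]]*\[.*\][[:space:]]*$/ {
                if (in_sec && !done) { print "krb5_use_enterprise_principal = True"; done = 1 }
                in_sec = (header($0) == section)
            }
            { print }
            END { if (in_sec && !done) print "krb5_use_enterprise_principal = True" }'
}

# Demo on the constructed samples.
if upn_suffix_listed "$TRUST_FIND_SAMPLE" "bcc.example"; then
    echo "UPN suffix bcc.example is listed for the trust"
fi
if ! enterprise_principal_enabled "$SSSD_CONF_SAMPLE" "domain/ipa.example.test"; then
    echo "sssd.conf lacks krb5_use_enterprise_principal; corrected version:"
    with_enterprise_principal "$SSSD_CONF_SAMPLE" "domain/ipa.example.test"
fi
```

On a real system you would feed the functions `$(ipa trust-find)` and `$(cat /etc/sssd/sssd.conf)`; if the suffix is missing from the trust, run `ipa trust-fetch-domains` on the server first and re-check before touching the client configuration, since a 7.3 client needs no sssd.conf change once the suffix is known to IPA.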
