[Freeipa-users] Password-based authentication with AD users does not work
Ronald Wimmer
ronaldw at ronzo.at
Thu Apr 6 21:26:51 UTC 2017
Zitat von Sumit Bose <sbose at redhat.com>:
> On Thu, Apr 06, 2017 at 01:55:02PM +0200, Ronald Wimmer wrote:
>> On 2017-04-06 12:16, Sumit Bose wrote:
>> > On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote:
>> > [...]
>> > > AD trust:
>> > > mydomain.at (forest root)
>> > > xyz (subdomain -> where myuser resides)
>> > >
>> > > BCC (appearing in krb5_child.log) is not a domain here. It is
>> my company's
>> > > name and might derive from some information in the AD.
>> > Yes, it is about the userPrincipalName attribute read from AD. Which IPA
>> > server version do you use? Since RHEL-7.3 IPA supports those principals
>> > coming from AD. For older versions you should add a workaround which is
>> > e.g. described at the end of
>> > https://www.redhat.com/archives/freeipa-users/2016-November/msg00069.html
>> >
>> > HTH
>> >
>> > bye,
>> > Sumit
>>
>> I am using an up-to-date RHEL 7.3 IPA master. Is there no possibility to
>> override it?
>
> Please check on the server with
>
> ipa trust-find
>
> if the BCC domain is listed as 'UPN suffixes:'. If not please try
>
> ipa trust-fetch-domains
>
> and check again. If the domain is listed then a 7.3 IPA client should be
> able to detect it automatically on older clients you should set
> 'krb5_use_enterprise_principal = True' manually in sssd.conf.
Unfortunately, ipa trust-find shows some UPN suffixes but BCC is not
in the list.
Any other options left?
More information about the Freeipa-users
mailing list