[Freeipa-users] Password-based authentication with AD users does not work

Ronald Wimmer ronaldw at ronzo.at
Fri Apr 7 07:46:45 UTC 2017


On 2017-04-06 20:50, Sumit Bose wrote:
> On Thu, Apr 06, 2017 at 01:55:02PM +0200, Ronald Wimmer wrote:
>> On 2017-04-06 12:16, Sumit Bose wrote:
>>> On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote:
>>> [...]
>>>> AD trust:
>>>> mydomain.at (forest root)
>>>> xyz (subdomain -> where myuser resides)
>>>>
>>>> BCC (appearing in krb5_child.log) is not a domain here. It is my company's
>>>> name and might derive from some information in the AD.
>>> Yes, it is about the userPrincipalName attribute read from AD. Which IPA
>>> server version do you use? Since RHEL-7.3 IPA supports those principals
>>> coming from AD. For older versions you should add a workaround which is
>>> e.g. described at the end of
>>> https://www.redhat.com/archives/freeipa-users/2016-November/msg00069.html
>>>
>>> HTH
>>>
>>> bye,
>>> Sumit
>>
>> I am using an up-to-date RHEL 7.3 IPA master. Is there no possibility to
>> override it?
>
> Please check on the server with
>
>     ipa trust-find
>
> if the BCC domain is listed as 'UPN suffixes:'. If not please try
>
>     ipa trust-fetch-domains
>
> and check again. If the domain is listed then a 7.3 IPA client should be
> able to detect it automatically on older clients you should set
> 'krb5_use_enterprise_principal = True' manually in sssd.conf.

I just checked with our AD guys. ipa trust-find only shows five UPN 
suffixes. There are many more which are not shown, including bcc.mydomain.at

Any idea why only a subset is shown?
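The check Sumit describes (is the UPN suffix listed under 'UPN suffixes:' in `ipa trust-find`, refetch with `ipa trust-fetch-domains` if not, and on older clients set `krb5_use_enterprise_principal = True` in sssd.conf) as a small script. This is an added example, not code from the thread or from FreeIPA/SSSD; the trust-find output layout, the domain and realm names, and the sssd.conf fragment are constructed for illustration, and `check_trust_upn` assumes the trust realm is passed to `ipa trust-fetch-domains` as its positional argument as in the ipa CLI usage.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Checks whether an AD UPN suffix is known
# to the IPA trust and whether an older SSSD client has the enterprise-principal
# fallback enabled. Output layout, names and paths below are assumptions.

# Print the 'UPN suffixes:' values from `ipa trust-find` output read on stdin,
# one per line, lower-cased (the attribute is shown comma-separated).
parse_upn_suffixes() {
    sed -n 's/^[[:space:]]*UPN suffixes:[[:space:]]*//p' \
      | tr ',' '\n' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' \
      | tr 'A-Z' 'a-z' \
      | sed '/^$/d'
}

# Return 0 if the UPN suffix $1 appears in the trust-find output on stdin.
upn_suffix_listed() {
    local want
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    parse_upn_suffixes | grep -qxF -- "$want"
}

# Return 0 if the sssd.conf text on stdin sets krb5_use_enterprise_principal = True
# inside the [domain/$1] section (the workaround for pre-7.3 IPA clients).
sssd_enterprise_principal_enabled() {
    awk -v sec="[domain/$1]" '
        /^[[:space:]]*\[/ { in_sec = ($0 == sec); next }
        in_sec && $0 ~ /^[[:space:]]*krb5_use_enterprise_principal[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*$/, "")
            if (tolower($0) == "true") found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# Live check, to be run on an IPA server: if the suffix is missing, refetch the
# trusted domains for the given trust realm and look again.
check_trust_upn() {
    local suffix="$1" realm="$2"
    if ipa trust-find | upn_suffix_listed "$suffix"; then
        echo "UPN suffix $suffix is known to the trust"
        return 0
    fi
    echo "UPN suffix $suffix not listed; running ipa trust-fetch-domains $realm" >&2
    ipa trust-fetch-domains "$realm" >/dev/null
    ipa trust-find | upn_suffix_listed "$suffix"
}

# Constructed sample in the shape of `ipa trust-find` output (not real data).
SAMPLE_TRUST_FIND='---------------
1 trust matched
---------------
  Realm name: mydomain.at
  Domain NetBIOS name: MYDOMAIN
  Trust type: Active Directory domain
  UPN suffixes: mydomain.at, xyz.mydomain.at, corp.example.com
----------------------------
Number of entries returned 1
----------------------------'

# Constructed sssd.conf fragment for an older IPA client (not real data).
SAMPLE_SSSD_CONF='[sssd]
domains = ipa.example.com
services = nss, pam

[domain/ipa.example.com]
id_provider = ipa
ipa_server = ipa1.ipa.example.com
krb5_use_enterprise_principal = True'

# Offline demonstration against the constructed samples.
if printf '%s\n' "$SAMPLE_TRUST_FIND" | upn_suffix_listed 'bcc.mydomain.at'; then
    echo "bcc.mydomain.at: listed as UPN suffix"
else
    echo "bcc.mydomain.at: NOT listed; run 'ipa trust-fetch-domains <realm>' and re-check"
fi
if printf '%s\n' "$SAMPLE_SSSD_CONF" | sssd_enterprise_principal_enabled 'ipa.example.com'; then
    echo "sssd.conf: krb5_use_enterprise_principal is enabled for ipa.example.com"
fi
```

On a real server, `check_trust_upn bcc.mydomain.at mydomain.at` performs the two-step check; the parsing functions are kept separate so they can be run against saved output when the server is not reachable.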



