[Freeipa-users] Password-based authentication with AD users does not work

Sumit Bose sbose at redhat.com
Fri Apr 7 08:28:16 UTC 2017


On Fri, Apr 07, 2017 at 09:46:45AM +0200, Ronald Wimmer wrote:
> On 2017-04-06 20:50, Sumit Bose wrote:
> > On Thu, Apr 06, 2017 at 01:55:02PM +0200, Ronald Wimmer wrote:
> > > On 2017-04-06 12:16, Sumit Bose wrote:
> > > > On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote:
> > > > [...]
> > > > > AD trust:
> > > > > mydomain.at (forest root)
> > > > > xyz (subdomain -> where myuser resides)
> > > > > 
> > > > > BCC (appearing in krb5_child.log) is not a domain here. It is my company's
> > > > > name and might derive from some information in the AD.
> > > > Yes, it is about the userPrincipalName attribute read from AD. Which IPA
> > > > server version do you use? Since RHEL-7.3 IPA supports those principals
> > > > coming from AD. For older versions you should add a workaround which is
> > > > e.g. described at the end of
> > > > https://www.redhat.com/archives/freeipa-users/2016-November/msg00069.html
> > > > 
> > > > HTH
> > > > 
> > > > bye,
> > > > Sumit
> > > 
> > > I am using an up-to-date RHEL 7.3 IPA master. Is there no possibility to
> > > override it?
> > 
> > Please check on the server with
> > 
> >     ipa trust-find
> > 
> > if the BCC domain is listed as 'UPN suffixes:'. If not please try
> > 
> >     ipa trust-fetch-domains
> > 
> > and check again. If the domain is listed then a 7.3 IPA client should be
> > able to detect it automatically; on older clients you should set
> > 'krb5_use_enterprise_principal = True' manually in sssd.conf.
> 
> I just checked with our AD guys. ipa trust-find only shows five UPN
> suffixes. There are many more which are not shown including bcc.mydomain.at
> 
> Any idea why only a subset is shown?

I'm not aware of any limitation here. Have you tried to run 'ipa
trust-fetch-domains ad.forest.root' to update the list?

If this does not help please add 'log level = 100' to
/usr/share/ipa/smb.conf.empty so that it looks like:

    [global]
    log level = 100

and run trust-fetch-domains again. The debug output can then be found
in /var/log/httpd/error_log. The logs might contain data which should
not be shared publicly, so feel free to send them to me directly.

bye,
Sumit
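The check described in this thread (is the suffix of the AD user's userPrincipalName among the trust's 'UPN suffixes:' as reported by ipa trust-find) can be scripted. The following is an added shell example, not code from the thread or from the FreeIPA project; the sample ipa trust-find output is constructed, the exact field layout is an assumption, and the realm names and SID are placeholders.

```sh
#!/bin/sh
# Constructed sample of `ipa trust-find` output (assumed layout, placeholder values).
# In the real world you would feed in "$(ipa trust-find)" instead.
SAMPLE_TRUST_FIND='---------------
1 trust matched
---------------
  Realm name: mydomain.at
  Domain NetBIOS name: MYDOMAIN
  Domain Security Identifier: S-1-5-21-PLACEHOLDER
  Trust direction: Two-way trust
  Trust type: Active Directory domain
  UPN suffixes: corp.example, sales.example
----------------------------
Number of entries returned 1
----------------------------'

# upn_suffix USER@SUFFIX -> prints the part after the '@' (the UPN suffix)
upn_suffix() {
    printf '%s\n' "${1#*@}"
}

# list_upn_suffixes TRUST_FIND_OUTPUT -> prints every listed UPN suffix, one per line
list_upn_suffixes() {
    printf '%s\n' "$1" | awk -F': *' '
        /UPN suffixes:/ {
            n = split($2, p, ", *")
            for (i = 1; i <= n; i++) if (p[i] != "") print p[i]
        }'
}

# count_upn_suffixes TRUST_FIND_OUTPUT -> prints the number of listed UPN suffixes
# (handy for the "only a subset is shown" observation from the thread)
count_upn_suffixes() {
    list_upn_suffixes "$1" | awk 'END { print NR }'
}

# upn_suffix_listed TRUST_FIND_OUTPUT SUFFIX -> exit 0 if SUFFIX is listed
# (case-insensitive, whole-line match so "corp.example" does not match "xcorp.example")
upn_suffix_listed() {
    list_upn_suffixes "$1" | grep -qixF -- "$2"
}

# Live variant: needs the ipa CLI and a valid Kerberos ticket on an IPA server;
# not exercised offline. Exit status tells whether the user's UPN suffix is known.
check_live_upn() {
    upn_suffix_listed "$(ipa trust-find)" "$(upn_suffix "$1")"
}

# Stand-alone demo against the constructed sample
if [ -z "$NO_DEMO" ]; then
    for upn in 'alice@corp.example' 'myuser@bcc.mydomain.at'; do
        s=$(upn_suffix "$upn")
        if upn_suffix_listed "$SAMPLE_TRUST_FIND" "$s"; then
            echo "$upn: suffix '$s' is listed, password auth via the trust should work"
        else
            echo "$upn: suffix '$s' NOT listed, run 'ipa trust-fetch-domains' and re-check"
        fi
    done
fi
```

If the suffix is still missing after ipa trust-fetch-domains, the next step is the smb.conf.empty debug logging from the reply above; on clients older than 7.3 the manual krb5_use_enterprise_principal = True setting in sssd.conf remains the fallback.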
