[Freeipa-users] ipa- client rhel 6.9 support for UPN different then domain name
Troels Hansen
th at casalogic.dk
Wed Feb 8 11:44:07 UTC 2017
Hi,
Have you tried setting ldap_user_principal to something nonexisting? For example:
ldap_user_principal = nosuchattr
and inherit this to the AD domain with:
subdomain_inherit = ldap_user_principal
Both in the domain section of sssd.
----- On Feb 8, 2017, at 12:17 PM, Jan Karásek jan.karasek at elostech.cz wrote:
> Hi, thank you for help.
>
> I am running RHEL 7.3 on IPA serveres and with RHEL 7.3 clients it works really
> nice.
> Trouble is on RHEL 6 machines. I have tried to add krb5_use_enterprise_principal
> = true into domain section of sssd.conf on RHEL 6 IPA clients but problem still
> persists. Is there anything else that should be set ? I have restarted sssd
> service, both on servers and client, empty sssd_cache and so on but I am still
> unable resolve users(on RHEL 6) with short UPN - id and getent passwd return no
> such user...We still have more servers on RHEL 6 then on RHEL 7.
>
> Thanks,
> Jan
>
>
>> Hi,
>>
>> I just looked into RHEL 6.9 beta repos and I can see there is
>> sssd-client-1.13.3-53.el6.x86_64 version. I would like to know if with rhel 6.9
>> will come support for using different UPN then domain name. I am talking about
>> AD trust scenario where user in AD domain sits in user at subdomain.example.com
>> but has a UPN set to user at example.com. It has been solved in RHEL 7.3 I guess
>> with sssd 1.14. Is ipa-client in RHEL 6.9 able to handle this situation or is
>> there any known workaround ?
>
> This is basically a server side feature. You need an IPA server version
> which is delivered with RHEL-7.3. SSSD 1.14 in 7.3 can automatically
> detect if the server supports this or not. This autodetection was not
> backported to 6.9 but if your servers support it you can set
> 'krb5_use_enterprise_principal = true' (see man sssd-krb5 for details)
> on the IPA clients with older SSSD versions.
>
> HTH
>
> bye,
> Sumit
>
>>
>> Thanks,
>> Jan
>>
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
--
Med venlig hilsen
Troels Hansen
Systemkonsulent
Casalogic A/S
T (+45) 70 20 10 63
M (+45) 22 43 71 57
Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos og meget mere.
More information about the Freeipa-users
mailing list