[Freeipa-users] ipa-client rhel 6.9 support for UPN different than domain name

Troels Hansen th at casalogic.dk
Wed Feb 8 11:44:07 UTC 2017


Hi, 

Have you tried setting ldap_user_principal to something nonexistent? For example:

ldap_user_principal = nosuchattr

and inherit this to the AD domain with:

subdomain_inherit = ldap_user_principal

Both in the domain section of sssd.

----- On Feb 8, 2017, at 12:17 PM, Jan Karásek jan.karasek at elostech.cz wrote:

> Hi, thank you for the help.
> 
> I am running RHEL 7.3 on IPA servers and with RHEL 7.3 clients it works really
> nice.
> The trouble is on RHEL 6 machines. I have tried to add krb5_use_enterprise_principal
> = true into the domain section of sssd.conf on RHEL 6 IPA clients but the problem still
> persists. Is there anything else that should be set? I have restarted the sssd
> service, both on servers and client, emptied sssd_cache and so on but I am still
> unable to resolve users (on RHEL 6) with short UPN - id and getent passwd return no
> such user... We still have more servers on RHEL 6 than on RHEL 7.
> 
> Thanks,
> Jan
> 
> 
>> Hi,
>> 
>> I just looked into RHEL 6.9 beta repos and I can see there is
>> sssd-client-1.13.3-53.el6.x86_64 version. I would like to know if with rhel 6.9
>> will come support for using a different UPN than domain name. I am talking about
>> AD trust scenario where user in AD domain sits in user at subdomain.example.com
>> but has a UPN set to user at example.com. It has been solved in RHEL 7.3 I guess
>> with sssd 1.14. Is ipa-client in RHEL 6.9 able to handle this situation or is
>> there any known workaround?
> 
> This is basically a server side feature. You need an IPA server version
> which is delivered with RHEL-7.3. SSSD 1.14 in 7.3 can automatically
> detect if the server supports this or not. This autodetection was not
> backported to 6.9 but if your servers support it you can set
> 'krb5_use_enterprise_principal = true' (see man sssd-krb5 for details)
> on the IPA clients with older SSSD versions.
> 
> HTH
> 
> bye,
> Sumit
> 
>> 
>> Thanks,
>> Jan
>> 

-- 
Kind regards

Troels Hansen

Systems Consultant

Casalogic A/S

T (+45) 70 20 10 63

M (+45) 22 43 71 57

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
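
The thread places all three options in the domain section of sssd.conf. As an added example (not part of the original messages, and not FreeIPA or SSSD project code), this sketch checks a config for that placement; the domain name ipa.example.com and the sample file are constructed for illustration.

```python
import configparser

# Options the thread says belong in the [domain/...] section of sssd.conf.
THREAD_OPTIONS = ("krb5_use_enterprise_principal", "ldap_user_principal",
                  "subdomain_inherit")

# Constructed sample: hypothetical domain name, with one option deliberately
# placed in [sssd] instead of the domain section.
SAMPLE_CONF = """\
[sssd]
services = nss, pam
domains = ipa.example.com
krb5_use_enterprise_principal = true

[domain/ipa.example.com]
id_provider = ipa
ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal
"""

def audit_sssd_conf(text):
    """Return (per-domain state of the thread's options, misplaced options)."""
    cp = configparser.RawConfigParser(strict=False)  # Raw: '%' stays literal
    cp.read_string(text)
    domains, misplaced = {}, []
    for section in cp.sections():
        found = {k: cp.get(section, k) for k in THREAD_OPTIONS
                 if cp.has_option(section, k)}
        if section.startswith("domain/"):
            inherit = found.get("subdomain_inherit", "")
            inherited = [v.strip() for v in inherit.split(",") if v.strip()]
            domains[section[len("domain/"):]] = {
                "enterprise_principal":
                    found.get("krb5_use_enterprise_principal", "").lower() == "true",
                "ldap_user_principal": found.get("ldap_user_principal"),
                "principal_override_inherited": "ldap_user_principal" in inherited,
            }
        else:
            # Set outside a domain section, contrary to the thread's advice.
            misplaced += [(section, k) for k in found]
    return domains, misplaced

if __name__ == "__main__":
    domains, misplaced = audit_sssd_conf(SAMPLE_CONF)
    for name, state in domains.items():
        print(name, state)
    for section, key in misplaced:
        print("misplaced: %s is set in [%s], not in a domain section" % (key, section))
```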