[Freeipa-users] ipa-client rhel 6.9 support for UPN different than domain name
Sumit Bose
sbose at redhat.com
Wed Feb 8 12:13:41 UTC 2017
On Wed, Feb 08, 2017 at 12:44:07PM +0100, Troels Hansen wrote:
> Hi,
>
> Have you tried setting ldap_user_principal to something nonexisting? For example:
>
> ldap_user_principal = nosuchattr
>
> and inherit this to the AD domain with:
>
> subdomain_inherit = ldap_user_principal
>
> Both in the domain section of sssd.

Enterprise principals are supported by IPA since RHEL 7.3, so this
work-around for older versions should not be needed anymore.

>
> ----- On Feb 8, 2017, at 12:17 PM, Jan Karásek jan.karasek at elostech.cz wrote:
>
> > Hi, thank you for help.
> >
> > I am running RHEL 7.3 on IPA servers and with RHEL 7.3 clients it works really
> > nice.
> > Trouble is on RHEL 6 machines. I have tried to add krb5_use_enterprise_principal
> > = true into domain section of sssd.conf on RHEL 6 IPA clients but problem still
> > persists. Is there anything else that should be set? I have restarted sssd
> > service, both on servers and client, empty sssd_cache and so on but I am still
> > unable to resolve users (on RHEL 6) with short UPN - id and getent passwd return no
> > such user... We still have more servers on RHEL 6 than on RHEL 7.

SSSD logs from a RHEL 6 client which includes a failing user lookup are
needed to see why it is still failing, see
https://fedorahosted.org/sssd/wiki/Troubleshooting for details.

bye,
Sumit
> >
> > Thanks,
> > Jan
> >
> >
> >> Hi,
> >>
> >> I just looked into RHEL 6.9 beta repos and I can see there is
> >> sssd-client-1.13.3-53.el6.x86_64 version. I would like to know if with rhel 6.9
> >> will come support for using different UPN than domain name. I am talking about
> >> AD trust scenario where user in AD domain sits in user at subdomain.example.com
> >> but has a UPN set to user at example.com. It has been solved in RHEL 7.3 I guess
> >> with sssd 1.14. Is ipa-client in RHEL 6.9 able to handle this situation or is
> >> there any known workaround?
> >
> > This is basically a server side feature. You need an IPA server version
> > which is delivered with RHEL-7.3. SSSD 1.14 in 7.3 can automatically
> > detect if the server supports this or not. This autodetection was not
> > backported to 6.9 but if your servers support it you can set
> > 'krb5_use_enterprise_principal = true' (see man sssd-krb5 for details)
> > on the IPA clients with older SSSD versions.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> >>
> >> Thanks,
> >> Jan
> >>
> >
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>
> --
> Kind regards
>
> Troels Hansen
> System consultant
> Casalogic A/S
>
> T (+45) 70 20 10 63
> M (+45) 22 43 71 57
>
> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and much more.
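
An added example, not part of the thread: a small Python check that reads an sssd.conf and reports, for each domain section, whether the settings discussed above (krb5_use_enterprise_principal, or the ldap_user_principal work-around inherited through subdomain_inherit) are present, and flags them when they sit outside a domain section. The sample file, the domain name and the function name are constructed for illustration.

```python
import configparser

# Options the thread says belong in the [domain/...] section of sssd.conf.
WATCHED = ("krb5_use_enterprise_principal", "ldap_user_principal", "subdomain_inherit")

# Constructed sample: the enterprise-principal option was put in [sssd] by mistake,
# while the work-around options are correctly placed in the domain section.
SAMPLE = """
[sssd]
services = nss, pam
domains = ipa.example.com
krb5_use_enterprise_principal = true

[domain/ipa.example.com]
id_provider = ipa
ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal
"""


def audit_upn_settings(conf_text):
    """Return per-domain UPN-related settings and any watched option found elsewhere."""
    cp = configparser.RawConfigParser(strict=False)  # Raw: no '%' interpolation
    cp.read_string(conf_text)
    report = {"domains": {}, "misplaced": []}
    for section in cp.sections():
        opts = dict(cp.items(section))
        if not section.startswith("domain/"):
            # A watched option outside a domain section is not in the place the thread describes.
            report["misplaced"] += [(section, o) for o in WATCHED if o in opts]
            continue
        inherited = [o.strip() for o in opts.get("subdomain_inherit", "").split(",")]
        report["domains"][section[len("domain/"):]] = {
            "enterprise_principal":
                opts.get("krb5_use_enterprise_principal", "").strip().lower() == "true",
            "ldap_user_principal": opts.get("ldap_user_principal"),
            "inherited_to_subdomains": "ldap_user_principal" in inherited,
        }
    return report


if __name__ == "__main__":
    result = audit_upn_settings(SAMPLE)
    for name, settings in result["domains"].items():
        print(name, settings)
    for section, option in result["misplaced"]:
        print("option %s found in [%s], expected in a domain section" % (option, section))
```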