On Thu, Jul 07, 2016 at 01:31:03PM +0200, Petr Vobornik wrote:
> On 07/06/2016 07:01 PM, Sumit Bose wrote:
> > Hi,
> >
> > although enterprise principals for trusted domains now are working as
> > expected they do not work for the local domain:
> >
> > # kinit -E admin@IPA.DEVEL
> > kinit: Client 'admin\@IPA.DEVEL@IPA.DEVEL' not found in Kerberos
> > database while getting initial credentials
> >
> > Attached patch handles this case. It is not that nice because of the
> > duplication of ipadb_fetch_principals() and ipadb_find_principal(). But
> > I think there was a reason I do not remember why we didn't check for
> > enterprise principals before checking the local database. If there is no
> > such reason it might make sense to check for enterprise principals
> > before doing the lookup. Please let me know if I should change the patch
> > accordingly or if the current version is ok,
> >
> > bye,
> > Sumit
> >
>
> Hi Sumit,
>
> thanks for the patch. This patch should have a ticket. It will help
> downstream planning.

sure, I created https://fedorahosted.org/freeipa/ticket/6036. Please
clone it to suitable downstream tickets.

Please note that we didn't release a patch for SSSD to enable
enterprise principals automatically if the IPA server (should) support
them because of this issue. Since 4.4.0 is already released I think we
have to wait on the SSSD side until a new FreeIPA version with a fix is
released.

bye,
Sumit

>
> --
> Petr Vobornik