Red Hat Enterprise Linux Server release 7.3

When looking at entries in the "cn=groups,cn=compat" tree, I noticed that
the entries for windows groups have the realm portion of the group name in
all caps.  This is true for the comment, the dn and the cn.
# domain, groups, compat,
dn: cn=domain
cn: domain

When I look at the entries in the "cn=users,cn=compat" tree, the realm
portion of the user name is all lower case.  Incidentally, these same user
names are also all lowercase in the "memberUid" option on the groups above.
#, users, compat,
homeDirectory: /home/

Was this by design ?

The reason I ask, is that when I try to use the "kinit" feature on our
Solaris 10 systems (which is joined to the IPA domain) for this windows
user, I get an error.

[~]$ kinit
Password for
kinit(v5): KDC reply did not match expectations while getting initial

If I run it like this:
[~]$ kinit
Password for
[~]$ klist
Ticket cache: FILE:/tmp/krb5cc_1683378846
Default principal:

Valid starting                Expires                Service principal
05/30/17 11:44:35  05/30/17 21:44:40  krbtgt/
        renew until 06/06/17 11:44:35

I believe this is due to the fact that the Solaris 10 system is using the
lowercase entry in the compat tree above.  Here is the result of the ID
command on this user:
[~]$ id
uid=1683378846( gid=1683378846(

I know this is a work around but I would prefer to make this easier on the
end users.  Any suggestions ?

Robert Johnson
FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to