On Tue, 30 May 2017, Robert Johnson via FreeIPA-users wrote:
> Red Hat Enterprise Linux Server release 7.3
>
> When looking at entries in the "cn=groups,cn=compat" tree, I noticed that
> the entries for Windows groups have the realm portion of the group name in
> all caps. This is true for the comment, the dn and the cn.
> # domain us...@win.mydomain.com, groups, compat, ipa.mydomain.com
> dn: cn=domain us...@win.mydomain.com
> memberUid: 123...@win.mydomain.com
> cn: domain us...@win.mydomain.com
>
> When I look at the entries in the "cn=users,cn=compat" tree, the realm
> portion of the user name is all lower case. Incidentally, these same user
> names are also all lowercase in the "memberUid" attribute on the groups above.
> # 123...@win.mydomain.com, users, compat, ipa.mydomain.com
> dn: uid=123...@win.mydomain.com,cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com
> homeDirectory: /home/win.mydomain.com/123456
> uid: 123...@win.mydomain.com
>
> Was this by design?
Users and groups for AD users are inserted into the compat tree on
demand, when a request mentioning them comes in via an LDAP query. The
name is taken from the LDAP query.

So it is your application(s) that are asking for fully qualified
user/group names with the domain part capitalized.

> The reason I ask is that when I try to use the "kinit" feature on our
> Solaris 10 systems (which are joined to the IPA domain) for this Windows
> user, I get an error.
>
> [~]$ kinit
> Password for 123...@win.mydomain.com:
> kinit(v5): KDC reply did not match expectations while getting initial
>
> If I run it like this:
> [~]$ kinit 123...@win.mydomain.com
> Password for 123...@win.mydomain.com:
> [~]$ klist
> Ticket cache: FILE:/tmp/krb5cc_1683378846
> Default principal: 123...@win.mydomain.com
>
> Valid starting                Expires                Service principal
> 05/30/17 11:44:35  05/30/17 21:44:40  krbtgt/
>        renew until 06/06/17 11:44:35
>
> I believe this is due to the fact that the Solaris 10 system is using the
> lowercase entry in the compat tree above. Here is the result of the id
> command for this user:
> [~]$ id
> uid=1683378846(123...@win.mydomain.com) gid=1683378846(
>
> I know this is a workaround, but I would prefer to make this easier on the
> end users. Any suggestions?
You are mixing up Kerberos principals and user identities. They are
different. In the Kerberos protocol the realm is case-sensitive.
WIN.MYDOMAIN.COM is not the same realm as win.mydomain.com. On the
Active Directory side this is hidden behind the Windows UI facade, but on
UNIX systems the Kerberos libraries don't hide this fact.

That's why you get the "KDC reply did not match expectations .." error
message: the realm name is used as part of the Kerberos exchange, and it
is expected to be all upper case.

On the identity front, you have probably configured your Solaris systems
to look up identities with an upper-cased FQDN, and the compat tree plugin
inserts those as they are. I certainly don't see this behavior with other
systems.

/ Alexander Bokovoy
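As an added illustration of the two points above (not part of the thread, and not FreeIPA code), the Python below scans constructed compat-tree LDIF output for entries whose domain part was inserted with non-lower-case letters (which reveals clients querying with a capitalized domain), derives the Kerberos principal with the realm upper-cased as the KDC expects, and checks a default principal's realm against the KDC realm the way kinit effectively does. The sample entries, user names and the realm are placeholders constructed for the example.

```python
import re

# Constructed compat-tree excerpt modelled on the thread; placeholder names/realm.
SAMPLE_LDIF = """\
dn: cn=domain users@WIN.EXAMPLE.COM,cn=groups,cn=compat,dc=ipa,dc=example,dc=com
cn: domain users@WIN.EXAMPLE.COM
memberUid: 123456@win.example.com
dn: uid=123456@win.example.com,cn=users,cn=compat,dc=ipa,dc=example,dc=com
uid: 123456@win.example.com
"""

def split_qualified(name):
    """Split 'user@domain' on the last '@' (group names may contain spaces)."""
    user, sep, domain = name.rpartition("@")
    if not sep or not user or not domain:
        raise ValueError(f"not a fully qualified name: {name!r}")
    return user, domain

def to_principal(name):
    """Kerberos principal for an identity name: the realm is case-sensitive
    and the KDC expects it upper-cased, whatever case the identity used."""
    user, domain = split_qualified(name)
    return f"{user}@{domain.upper()}"

def realm_matches_kdc(default_principal, kdc_realm):
    """True only on an exact (case-sensitive) realm match; a lower-cased
    realm taken from the identity name fails this, as plain 'kinit' did."""
    return split_qualified(default_principal)[1] == kdc_realm

def same_identity(a, b):
    """Compare two identity names, normalising only the domain part's case.
    This is our own normalisation for the check, not NSS/compat behaviour."""
    ua, da = split_qualified(a)
    ub, db = split_qualified(b)
    return ua == ub and da.lower() == db.lower()

def find_mixed_case_domains(ldif_text):
    """Report (attribute, value) pairs in cn/uid/memberUid lines whose domain
    part is not all lower case: these were inserted from a client's query."""
    findings = []
    for line in ldif_text.splitlines():
        m = re.match(r"^(cn|uid|memberUid): (.+)$", line)
        if not m:
            continue  # dn lines and other attributes are skipped
        attr, value = m.groups()
        try:
            _, domain = split_qualified(value)
        except ValueError:
            continue
        if domain != domain.lower():
            findings.append((attr, value))
    return findings
```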
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org