So I took a brand new user that I have never used in the system before (I
checked that the entry was not in the compat tree) and just ran an "id"
command on a Solaris system.  I then looked in the /var/log/dirsrv/slapd-<ipa
domain>/access log file on the IPA server for the query, and in the log
file the query came in as all caps.

[~]$: id

[~]$: cat /var/log/dirsrv/slapd-<ipa domain>/access |grep 831413
[30/May/2017:13:34:38.637498942 -0400] conn=94124 op=622 SRCH
base="cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com" scope=1
attrs="cn uid uidNumber gidNumber gecos description homeDirectory
[30/May/2017:13:34:38.651811322 -0400] conn=94124 op=622 RESULT err=0
tag=101 nentries=1 etime=0

However, the entry in the compat tree is all lowercase just like I
reported.  I can reproduce this easily.

Robert Johnson

On Tue, May 30, 2017 at 1:10 PM, Alexander Bokovoy <>

> On Tue, 30 May 2017, Robert Johnson via FreeIPA-users wrote:
>> Red Hat Enterprise Linux Server release 7.3
>> ipa-server-4.4.0-14.el7_3.4.x86_64
>> 389-ds-base-
>> sssd-1.14.0-43.el7_3.11.x86_64
>> When looking at entries in the "cn=groups,cn=compat" tree, I noticed that
>> the entries for Windows groups have the realm portion of the group name in
>> all caps.  This is true for the comment, the dn and the cn.
>> example:
>> # domain, groups, compat,
>> dn: cn=domain
>> ,cn=groups,cn=compat,dc=ipa,dc=mydomain,dc=com
>> memberUid:
>> cn: domain
>> When I look at the entries in the "cn=users,cn=compat" tree, the realm
>> portion of the user name is all lower case.  Incidentally, these same user
>> names are also all lowercase in the "memberUid" option on the groups
>> above.
>> example:
>> #, users, compat,
>> dn:,cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com
>> homeDirectory: /home/
>> uid:
>> Was this by design?
> Users and groups for AD users are inserted into the compat tree on
> demand, when a request comes in mentioning them via an LDAP query. The name
> is taken from the LDAP query.
> So it is your application(s) that are asking for fully qualified user/group
> names with the domain part capitalized.
>> The reason I ask is that when I try to use the "kinit" feature on our
>> Solaris 10 systems (which are joined to the IPA domain) for this Windows
>> user, I get an error.
>> [~]$ kinit
>> Password for
>> kinit(v5): KDC reply did not match expectations while getting initial
>> credentials
>> If I run it like this:
>> [~]$ kinit
>> Password for
>> [~]$ klist
>> Ticket cache: FILE:/tmp/krb5cc_1683378846
>> Default principal:
>> Valid starting                Expires                Service principal
>> 05/30/17 11:44:35  05/30/17 21:44:40  krbtgt/
>>        renew until 06/06/17 11:44:35
>> I believe this is due to the fact that the Solaris 10 system is using the
>> lowercase entry in the compat tree above.  Here is the result of the ID
>> command on this user:
>> [~]$ id
>> uid=1683378846( gid=1683378846(
>> I know this is a workaround but I would prefer to make this easier on the
>> end users.  Any suggestions?
> You mix up Kerberos principals and user identities. They are different.
> In the Kerberos protocol the realm is case-sensitive. WIN.MYDOMAIN.COM is not
> the same realm as On the Active Directory side this is
> hidden behind the Windows UI facade, but on UNIX systems Kerberos
> libraries aren't hiding this fact.
> That's why you get the "KDC reply did not match expectations .." error
> message -- a realm name is used as part of the Kerberos exchange and it is
> expected to be all upper case.
> On the identity front you have probably configured your Solaris systems to
> look up identities with an upper-cased FQDN and the compat tree plugin inserts
> those as they are. I certainly don't see this behavior with other systems.
> --
> / Alexander Bokovoy
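To find out which client is sending the upper-cased qualified names that the compat tree plugin then stores as-is, here is an added Python example (not code from this thread, from FreeIPA or from 389-ds): it parses 389-ds access-log lines, ties each SRCH under cn=compat to the client address of its connection, flags filters whose domain part is not all lower case, and separately checks whether a principal's realm follows the upper-case convention Alexander describes. The log lines, client addresses and the user name jdoe are constructed samples, and the filter layout is assumed to follow the usual 389-ds access-log format.

```python
import re

# Constructed 389-ds access-log sample (not taken from the thread): a connection
# line, a compat-tree SRCH with an upper-cased domain part, its RESULT, then a
# second client doing the same lookup with a lower-cased domain part.
SAMPLE_LOG = """\
[30/May/2017:13:34:38.101000000 -0400] conn=94124 fd=64 slot=64 connection from 192.0.2.10 to 192.0.2.1
[30/May/2017:13:34:38.637498942 -0400] conn=94124 op=622 SRCH base="cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=jdoe@WIN.MYDOMAIN.COM))" attrs="cn uid uidNumber gidNumber gecos description homeDirectory"
[30/May/2017:13:34:38.651811322 -0400] conn=94124 op=622 RESULT err=0 tag=101 nentries=1 etime=0
[30/May/2017:13:35:01.000000000 -0400] conn=94130 fd=65 slot=65 connection from 192.0.2.20 to 192.0.2.1
[30/May/2017:13:35:01.100000000 -0400] conn=94130 op=3 SRCH base="cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com" scope=1 filter="(&(objectClass=posixAccount)(uid=jdoe@win.mydomain.com))" attrs="cn uid"
[30/May/2017:13:35:01.200000000 -0400] conn=94130 op=3 RESULT err=0 tag=101 nentries=1 etime=0
"""

# Connection open line: remember which client address belongs to a conn id.
CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+)")
# SRCH line: conn, op, search base and filter.
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=\d+ filter="([^"]*)"')
# A qualified name inside a filter, e.g. (uid=user@domain) or (memberUid=user@domain).
QUALIFIED_RE = re.compile(r"\((?:uid|cn|memberUid)=([^@()]+)@([^()]+)\)")


def find_mixed_case_compat_lookups(log_text, compat_marker="cn=compat"):
    """Return one record per compat-tree search whose qualified name carries a
    domain part that is not all lower case, with the client that sent it."""
    client_by_conn = {}
    hits = []
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            client_by_conn[m.group(1)] = m.group(2)
            continue
        m = SRCH_RE.search(line)
        if not m:
            continue
        conn, op, base, filt = m.groups()
        if compat_marker not in base.lower():
            continue  # only searches under the compat tree matter here
        for name, domain in QUALIFIED_RE.findall(filt):
            if domain != domain.lower():
                hits.append({"conn": conn, "op": op, "name": f"{name}@{domain}",
                             "client": client_by_conn.get(conn, "unknown")})
    return hits


def check_principal_realm(principal):
    """Kerberos realms are case-sensitive and expected to be upper case; report
    whether the realm part of a principal follows that convention."""
    name, sep, realm = principal.rpartition("@")
    if not sep:
        return {"principal": principal, "realm": None, "realm_upper_case": False}
    return {"principal": principal, "realm": realm, "realm_upper_case": realm == realm.upper()}
```

Run `find_mixed_case_compat_lookups` over a real access log to get the conn ids and client addresses issuing upper-cased lookups, then check the nsswitch/LDAP client configuration on those hosts.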
FreeIPA-users mailing list --