On Thu, 06 Jul 2017, Robert Sturrock via FreeIPA-users wrote:
Hi All,

We have IPA running in a one-way trust with our AD and it’s working well.  
However, there are a number of users who belong to an affiliated institution 
who are nonetheless present in our AD, but with a different UPN suffix to the 
trust domains.  The particulars are:

 IPA realm: IPA.LOCALDOMAIN
 AD realms: STAFF.LOCALDOMAIN, STUDENT.LOCALDOMAIN

 Regular users typically have a UPN of ‘firstname.lastname@staff.localdomain’
 The affiliated users have a UPN of ‘firstname.lastname@affiliate'

The trust relationship looks like this on the IPA server:

# ipa trustdomain-find
Realm name: STAFF.LOCALDOMAIN
 Domain name: staff.localdomain
 Domain NetBIOS name: STAFF
 Domain Security Identifier: S-1-5-21-2593845812-3993450118-3195856661
 Domain enabled: True

 Domain name: student.localdomain
 Domain NetBIOS name: STUDENT
 Domain Security Identifier: S-1-5-21-3906414162-3274047707-1428844997
 Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

We have a test IPA server with HBAC allow_all and we can ssh to it reliably as 
a regular user, but when we try to ssh as ‘firstname.lastname@affiliate’ we 
see the following exceptions in /var/log/sssd/krb5_child.log:

(Thu Jul  6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] 
(0x0400): Attempting kinit for realm [IPA.LOCALDOMAIN]
(Thu Jul  6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] 
(0x0020): 1296: [-1765328378][Client 
'firstname.lastname\@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]
(Thu Jul  6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [map_krb5_error] 
(0x0020): 1365: [-1765328378][Client 
'firstname.lastname\@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]
(Thu Jul  6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [k5c_send_data] 
(0x0200): Received error code 1432158209
(Thu Jul  6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [main] (0x0400): 
krb5_child completed successfully

(The test environment is RHEL7.3, running ipa-server-4.4.0-14.el7_3.7.x86_64 
and associated packages).

Is this version of IPA able to support trust users with a different UPN suffix, 
and if so, what special configuration is required to achieve this?

Can you show 'ipa trust-show staff.localdomain'? It should have a list of
additional name suffixes we derive from the AD forest trust. After
releasing 4.4.x we found out that there are some deployments where
people modify userPrincipalName directly in AD LDAP and thus these name
suffixes aren't visible through the trust topology discovery requests.

In 4.5.x I added a way to expand that information manually with 'ipa
trust-mod'. You can do that yourself with an LDAP modify of the trust
object for ipantadditionalsuffixes attribute.

--
/ Alexander Bokovoy
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
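The check and the manual fix Alexander describes, as an added example that is not part of the thread and not FreeIPA's own tooling: parse the "UPN suffixes" field of 'ipa trust-show' output for the trusted forest, compare it with the suffix of the failing login, and if it is missing emit the ldapmodify input that adds it to ipaNTAdditionalSuffixes on the trust object. The base DN dc=ipa,dc=localdomain, the trust object DN pattern cn=<forest>,cn=ad,cn=trusts,<base>, the "UPN suffixes:" label and the sample trust-show text are assumptions constructed for the example; verify them against your own server before applying anything.

```shell
#!/bin/sh
# Added example (not from the thread): find out whether a trusted AD forest's
# trust object already advertises an extra UPN suffix, and if not, produce the
# LDIF that adds it to ipaNTAdditionalSuffixes. Base DN, trust DN layout and
# the "UPN suffixes:" label are assumptions; check them on your own server.

# Constructed sample of 'ipa trust-show staff.localdomain' output, trimmed to
# the fields used here. Note that only student.localdomain is listed, so a
# login with the "affiliate" suffix is not recognised as a trust user.
SAMPLE_TRUST_SHOW='  Realm name: staff.localdomain
  Domain NetBIOS name: STAFF
  Domain Security Identifier: S-1-5-21-2593845812-3993450118-3195856661
  Trust direction: Trusting forest
  Trust type: Active Directory domain
  UPN suffixes: student.localdomain'

# trust_suffixes OUTPUT -> the suffixes on the "UPN suffixes:" line, one per
# line, lower-cased. Prints nothing when the trust advertises none.
trust_suffixes() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*UPN suffixes:[[:space:]]*//p' |
        tr ',' '\n' |
        sed 's/^[[:space:]]*//;s/[[:space:]]*$//' |
        tr 'A-Z' 'a-z' |
        grep -v '^$'
}

# trust_has_suffix OUTPUT SUFFIX -> exit 0 if SUFFIX is already advertised.
trust_has_suffix() {
    trust_suffixes "$1" | grep -qxF "$(printf '%s' "$2" | tr 'A-Z' 'a-z')"
}

# upn_suffix LOGIN -> the part after the last '@' of a UPN-style login,
# lower-cased (firstname.lastname@affiliate -> affiliate).
upn_suffix() {
    printf '%s\n' "$1" | sed 's/.*@//' | tr 'A-Z' 'a-z'
}

# suffix_ldif FOREST SUFFIX BASEDN -> ldapmodify input adding SUFFIX to the
# trust object of FOREST. The DN layout cn=<forest>,cn=ad,cn=trusts,<base>
# is an assumption about the IPA tree; confirm it with ldapsearch first.
suffix_ldif() {
    printf 'dn: cn=%s,cn=ad,cn=trusts,%s\n' "$1" "$3"
    printf 'changetype: modify\n'
    printf 'add: ipaNTAdditionalSuffixes\n'
    printf 'ipaNTAdditionalSuffixes: %s\n' "$2"
}

# plan_suffix_add OUTPUT FOREST LOGIN BASEDN -> either reports that the
# login's suffix is already known, or prints the LDIF needed to add it.
plan_suffix_add() {
    suffix=$(upn_suffix "$3")
    if trust_has_suffix "$1" "$suffix"; then
        printf 'suffix %s already advertised by trust %s\n' "$suffix" "$2"
    else
        suffix_ldif "$2" "$suffix" "$4"
    fi
}

# Live use (assumed invocation, needs an admin Kerberos ticket):
#   sh upn-suffix.sh staff.localdomain firstname.lastname@affiliate \
#       dc=ipa,dc=localdomain > add-suffix.ldif
#   ldapmodify -H ldap://localhost -Y GSSAPI -f add-suffix.ldif
# With no arguments the script only runs against the constructed sample.
if [ "$#" -ge 3 ]; then
    plan_suffix_add "$(ipa trust-show "$1")" "$1" "$2" "$3"
else
    plan_suffix_add "$SAMPLE_TRUST_SHOW" staff.localdomain \
        firstname.lastname@affiliate dc=ipa,dc=localdomain
fi
```

On 4.5 and later the same attribute change can be made with the generic attribute options of 'ipa trust-mod' instead of raw ldapmodify; whichever route is used, re-run 'ipa trust-show' afterwards and confirm the new suffix appears before retesting the login, and remember that SSSD on the client caches trust information, so a failed lookup may persist until that cache expires or is cleared.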
