On to, 06 heinä 2017, Robert Sturrock via FreeIPA-users wrote:
Hi All,

We have IPA running in a one-way trust with our AD and it’s working well.  
However, there are a number of users who belong to an affiliated institution 
who are nonetheless present in our AD, but with a different UPN suffix to the 
trust domains.  The particulars are:


 Regular users typically have a UPN of ‘firstname.lastname@staff.localdomain’
 The affiliated users have a UPN of ‘firstname.lastname@affiliate'

The trust relationship looks like this on the IPA server:

# ipa trustdomain-find
 Domain name: staff.localdomain
 Domain NetBIOS name: STAFF
 Domain Security Identifier: S-1-5-21-2593845812-3993450118-3195856661
 Domain enabled: True

 Domain name: student.localdomain
 Domain NetBIOS name: STUDENT
 Domain Security Identifier: S-1-5-21-3906414162-3274047707-1428844997
 Domain enabled: True
Number of entries returned 2

We have a test IPA server with HBAC allow_all and we can ssh to it reliably as 
a regular user, but when we try to ssh as ‘first name.lastname@affiliate’ we 
see the following exceptions in /var/log/sssd/krb5_child.log:

(Thu Jul  6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] 
(0x0400): Attempting kinit for realm [IPA.LOCALDOMAIN]
(Thu Jul  6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] 
(0x0020): 1296: [-1765328378][Client 
'firstname.lastname\@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]
(Thu Jul  6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [map_krb5_error] 
(0x0020): 1365: [-1765328378][Client 
'firstname.lastname\@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]
(Thu Jul  6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [k5c_send_data] 
(0x0200): Received error code 1432158209
(Thu Jul  6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [main] (0x0400): 
krb5_child completed successfully

(The test environment is RHEL7.3, running ipa-server-4.4.0-14.el7_3.7.x86_64 
and associated packages).

Is this version of IPA able to support trust users with a different UPN suffix, 
and if so, what special configuration is required to achieve this?
Can you show 'ipa trust-show staff.localdomain'? It should have list of
additional name suffixes we derive from the AD forest trust. After
releasing 4.4.x we found out that there are some deployments where
people modify userPrincipalName directly in AD LDAP and thus these name
suffixes aren't visible through the trust topology discovery requests.

In 4.5.x I added a way to expand that information manually with 'ipa
trust-mod'. You can do that yourself with an LDAP modify of the trust
object for ipantadditionalsuffixes attribute.

/ Alexander Bokovoy
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to