On Thu, Jul 06, 2017 at 09:55:46AM +0200, Ronald Wimmer wrote:
> On 2017-07-06 08:25, Robert Sturrock via FreeIPA-users wrote:
> > [...]
> > We have a test IPA server with HBAC allow_all and we can ssh to it reliably 
> > as a regular user, but when we try to ssh as ‘first 
> > name.lastname@affiliate’ we see the following exceptions in 
> > /var/log/sssd/krb5_child.log:
> > [...]
> 
> I had a very similar problem in my environment. I had to add the UPN suffix
> manually and there is a bug in SSSD related to this:
> https://bugzilla.redhat.com/show_bug.cgi?id=1441077

This might causes issues later but currently, according to Alexander's
analysis, the UPN suffixes are missing on the server because they are
not announced by AD.

bye,
Sumit

> 
> This bug might affect you. Sumit Bose would know for sure if it does.
> 
> Regards,
> Ronald Wimmer
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to