On 13.05.20 15:08, Sumit Bose via FreeIPA-users wrote:
On Wed, Apr 08, 2020 at 07:45:35AM +0200, Ronald Wimmer via FreeIPA-users wrote:
On Tue, Jan 29, 2019 at 11:19:22AM +0100, Ronald Wimmer via
FreeIPA-users wrote:
...
Since you redirected MYDOMAIN.AT to the IPA server in krb5.conf the
client cannot properly send the UPN to an AD DC. You can disable UPN
handling by setting 'ldap_user_principal = noSuchAttr' in the domain
section of sssd.conf on the IPA servers. You have to wait until the SSSD
cache on the server and the client are updated before the client would
start using employeeNumber@a.mydomain.at. But I wonder if the
redirection to the IPA server is needed in krb5.conf at all ...
...
If you replace this line with   .mydomain.at = LINUX.MYDOMAIN.AT I would
expect that libkrb5 will use the LINUX.MYDOMAIN.AT realm whenever a DNS
hostname from .mydomain.at is used. This way it should be possible to add
AD DCs to the MYDOMAIN.AT section so that requests which contain the realm
explicitly like 'ronald.wimmer@MYDOMAIN.AT' would be sent to an AD DC.

Unfortunately, setting ldap_user_principal to NoSuchAttr was not enough in
order to make AD user login work. What else could I try? Which logs are
relevant here?

Hi,

thanks for your patience. Can you send the SSSD domain and krb5_child.log
with debug_level=9 in the [domain/...] section to understand why using
'ldap_user_principal = noSuchAttr' on the IPA servers does not help?

When I set ldap_user_principal to noSuchAttr on an IPA server and do an "id myusername" it seems I am waiting forever. Would realm mapping in krb5.conf be sufficient in an IPA client's krb5.conf file, or would I have to do that on an IPA server as well?

Cheers,
Ronald
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
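Editor's note: the two settings discussed in this thread, written out as complete configuration fragments. This is an added illustration, not configuration posted by Ronald or Sumit. The realm names LINUX.MYDOMAIN.AT (IPA) and MYDOMAIN.AT (AD) come from the thread; the host names dc1/dc2.mydomain.at, ipa1.linux.mydomain.at and the sssd.conf domain name "linux.mydomain.at" are assumptions chosen for the example.

```ini
# --- /etc/krb5.conf on the IPA client (and IPA servers, if edited there) ---
# Host names used below are placeholders for this example.

[realms]
  LINUX.MYDOMAIN.AT = {
    kdc = ipa1.linux.mydomain.at:88
    admin_server = ipa1.linux.mydomain.at:749
    default_domain = linux.mydomain.at
  }
  # AD DCs listed here, so a principal that names its realm explicitly,
  # e.g. ronald.wimmer@MYDOMAIN.AT, is sent to an AD DC rather than to IPA.
  MYDOMAIN.AT = {
    kdc = dc1.mydomain.at:88
    kdc = dc2.mydomain.at:88
  }

[domain_realm]
  # The IPA hosts map to the IPA realm as usual.
  .linux.mydomain.at = LINUX.MYDOMAIN.AT
  linux.mydomain.at  = LINUX.MYDOMAIN.AT
  # Replacement for the line that redirected MYDOMAIN.AT to the IPA server:
  # only DNS host names under .mydomain.at are mapped to the IPA realm;
  # a user principal carrying the realm MYDOMAIN.AT is still resolved
  # through the [realms] entry above and therefore reaches an AD DC.
  .mydomain.at = LINUX.MYDOMAIN.AT

# --- /etc/sssd/sssd.conf on the IPA servers ---
# Disables UPN handling so the client falls back to the canonical
# principal; debug_level = 9 produces the sssd_<domain>.log and
# krb5_child.log output that the thread asks for.
[domain/linux.mydomain.at]
  id_provider = ipa
  ipa_server = ipa1.linux.mydomain.at
  ldap_user_principal = noSuchAttr
  debug_level = 9
```

Two caveats worth checking when trying this: the mapping `.mydomain.at = LINUX.MYDOMAIN.AT` also covers the AD DC host names themselves, so any service ticket for host/dc1.mydomain.at would be requested from the IPA KDC unless the DC names are listed explicitly (or the AD realm gets a more specific `[domain_realm]` entry); and since the thread notes that the SSSD caches on server and client must expire before the new principal is used, `sss_cache -E` on both sides (a standard sssd-tools command, not something the thread mentions) shortens that wait during testing.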