On Thu, Jul 23, 2020 at 11:51:41AM -0000, Sam Morris via FreeIPA-users wrote: > I have a FreeIPA setup that trusts an Active Directory domain. I have users > who exist in the AD domain, but who are unable to log into Linux systems. > > The domains are: > > ad.domain.examaple: the Active Directory domain > > ipa.ad.domain.example: the FreeIPA domain > > The user has a SAM-Account-Name of 'user.name' and a userPrincipalName of > '[email protected]'.
Hi, which version of IPA are you using? Is 'thirdparty.com' listed among the 'UPN suffixes' in the 'ipa trust-find' output? bye, Sumit > > Here are the log messages I see when one of them tries to log in: > > ==> krb5_child.log <== > (Thu Jul 23 11:08:58 2020) [[sssd[krb5_child[2481132]]]] > [get_and_save_tgt] (0x0020): 1704: [-1765328378][Client > 'user.name\@[email protected]' not found in Kerberos > database] > (Thu Jul 23 11:08:58 2020) [[sssd[krb5_child[2481132]]]] > [map_krb5_error] (0x0020): 1833: [-1765328378][Client > 'user.name\@[email protected]' not found in Kerberos > database] > > ==> sssd_ipa.ad.domain.example.log <== > (Thu Jul 23 11:08:58 2020) [sssd[be[ipa.ad.domain.example]]] > [krb5_auth_done] (0x0040): The krb5_child process returned an error. Please > inspect the krb5_child.log file or the journal for more information > > A bit of research brings me to > <https://docs.microsoft.com/en-us/windows/win32/ad/naming-properties> which > states: > > A UPN suffix has the following restrictions: > > It must be the DNS name of a domain, but does not need to be the name of > the domain that contains the user. > > It must be the name of a domain in the current domain forest, or an > alternate name listed in the upnSuffixes attribute of the Partitions > container > within the Configuration container. > > I believe the user account violates the second of these restrictions, in that > its suffix (thirdparty.com) is neither in the AD forest, nor is it found in > the > upnSuffixes attribute of > CN=Partitions,CN=Configuration,DC=ad,DC=domain,DC=example in AD. > > Now the ugly part. I suspect this is just How Things Are Done around here and > getting the user's userPrincipalName changed to ad.domain.example will not be > particularly easy. > > So in the meantime, is there any configuration I can do, either on the FreeIPA > servers or on the machine where the user needs to log in, to work around the > UPN suffix mismatch? > > I am able to get a TGT for the user with 'kinit [email protected]', > so I guess I'm looking for a hypothetical way to tell sssd to map the UPN > suffix in the user's domain (thirdparty.com) to ad.domain.example when it > tries > to get a ticket during user login... > > I can also ask to get thirdparty.com added to the AD domain's list of UPN > suffixes. Can anyone confirm whether this would be sufficient to get sssd to > be > able to authenticate the user? > > Thanks! > > -- > Sam Morris <https://robots.org.uk/> > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
