We are successfully running a FreeIPA setup connected to an AD using Kerberos 
to authenticate. (IPA is used as provider.)
Our Windows domain name is not identical to our main mail domain. For some 
users the User logon name in Windows (the one with @, not the old pre-Win2000 
one) is using a domain name which has no Kerberos servers etc. In Windows, 
authentication works perfectly, but in our IPA setup we run into a big issue.

No matter which domain the user chooses to authenticate against our Linux 
servers, the Linux server tries to authenticate against the Kerberos servers of 
the domain which has no servers.
In the krb5.conf we manually configured the Kerberos servers of the Windows AD 
for this domain. Now we get [Realm not local to KDC] in the krb5_child.log.

Is there any way to forcefully replace the domain name when authenticating? We 
tried using auth_to_local without success so far.