Spent some time on this one...
Some users can login SSO no problem, others have to put in their password.
Strange as it seems, if the length of the username was greater than 4, the
So email@example.com works, but firstname.lastname@example.org doesn't.
My guess is something to do with the NetBios name length?
Fedora 20 IPA Server
CentOS 6.5 IPA Client
Win 2012 AD Domain Server
Setup as IPA as a subdomain of AD.
AD Domain: test.local
IPA Domain: hosted.test.local
Freeipa-users mailing list