> The reason is that `rpcidmapd` does not parse fully-qualified usernames
> so "adt...@ad.example.org@IPA.EXAMPLE.ORG" does not work.

If someone can educate me as to why there are two @ signs in the above, I can fix the wiki page (http://www.freeipa.org/page/Collaboration_with_Kerberos#Mechanism_1:_Kerberos_cross-realm_trusts).

I know about individual cross-realm principals, adtest/ad.example....@ipa.example.org

And I know about cross-realm trust principals: krbtgt/ad.example....@ipa.example.org

But I was under the impression that if a user traversed a trust, their client principal name would still be adt...@ad.example.org. I am not aware of any circumstances which would produce a client principal with two "@" signs in it.

Pls fix my ignorance.

Thanks,
Bryce