On Thu, 2014-06-26 at 22:02 +0000, Nordgren, Bryce L -FS wrote:
> > The reason is that rpcidmapd does not parse fully-qualified usernames
> > so "adt...@ad.example.org@IPA.EXAMPLE.ORG" does not work.
> 
> If someone can educate me as to why there are two @ signs in the above, I can 
> fix the wiki page 
> (http://www.freeipa.org/page/Collaboration_with_Kerberos#Mechanism_1:_Kerberos_cross-realm_trusts)
> 
> I know about individual cross-realm principals,
> 
> adtest/ad.example....@ipa.example.org
> 
> And I know about cross-realm trust principals:
> 
> krbtgt/ad.example....@ipa.example.org
> 
> But I was under the impression that if a user traversed a trust, their client 
> principal name would still be adt...@ad.example.org . I am not aware of any 
> circumstances which would produce a client principal with two "@" signs in 
> it. Pls fix my ignorance.

The second @ is not provided by Kerberos, it is rpcidmapd making false
assumptions: it does a getpwuid and gets back adt...@ad.example.org as
the username, to which it decides to slap on the local REALM name with
an @ sign in between.

I think this is something that may be handled with idmapd.conf
configuration.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
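The name-building step Simo describes, modelled as an added example. This is constructed illustration code, not rpc.idmapd's source or anything from the FreeIPA project: it shows how unconditionally appending the local domain to a getpwuid() result that is already qualified produces a string with two "@" signs, how a parser that splits at the first "@" misreads it, and two defensive alternatives (append only when no domain is present, and split at the last "@"). The sample user `aduser@ad.example.org` and domain `IPA.EXAMPLE.ORG` are constructed values.

```python
# Constructed model of the NFSv4 idmap name-building failure mode from the
# thread. Not rpc.idmapd's code; function names are hypothetical.

def naive_nfs4_name(pw_name: str, local_domain: str) -> str:
    """Mimic the described behaviour: take the name returned by getpwuid()
    and append '@' + local domain unconditionally. For a user that came
    through a trust the name is already 'user@AD.DOMAIN', so the result
    ends up with two '@' signs."""
    return f"{pw_name}@{local_domain}"


def domain_aware_nfs4_name(pw_name: str, local_domain: str) -> str:
    """Defensive variant: only qualify the name when it carries no domain."""
    if "@" in pw_name:
        return pw_name
    return f"{pw_name}@{local_domain}"


def split_first_at(name: str) -> tuple[str, str]:
    """A parser that splits at the FIRST '@' (the behaviour that breaks on
    the double-qualified string): the 'domain' it returns is wrong."""
    user, _, domain = name.partition("@")
    return user, domain


def split_last_at(name: str) -> tuple[str, str]:
    """Split at the LAST '@', so a user part that itself contains '@'
    (an AD user seen through a cross-realm trust) survives intact."""
    user, sep, domain = name.rpartition("@")
    if not sep:
        raise ValueError(f"no domain in {name!r}")
    return user, domain


def is_double_qualified(name: str) -> bool:
    """Detection check: flag names that have been qualified twice."""
    return name.count("@") > 1


if __name__ == "__main__":
    # Constructed sample: an AD user as getpwuid() would return it via a trust.
    pw_name = "aduser@ad.example.org"
    local = "IPA.EXAMPLE.ORG"
    broken = naive_nfs4_name(pw_name, local)
    print("naive  :", broken, "double-qualified:", is_double_qualified(broken))
    print("first @:", split_first_at(broken))
    print("last @ :", split_last_at(broken))
    print("aware  :", domain_aware_nfs4_name(pw_name, local))
```

The point of the two split functions is that the second "@" is harmless to a consumer that treats everything before the last "@" as the user part, and fatal to one that stops at the first; the `domain_aware_nfs4_name` variant avoids producing the string in the first place.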

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
