On Thu, 2014-06-26 at 22:02 +0000, Nordgren, Bryce L -FS wrote: > > The reason is that rpcidmapd` does not parse fully-qualified usernames > > so"adt...@ad.example.org@IPA.EXAMPLE.ORG" does not work. > > If someone can educate me as to why there are two @ signs in the above, I can > fix the wiki page > (http://www.freeipa.org/page/Collaboration_with_Kerberos#Mechanism_1:_Kerberos_cross-realm_trusts) > > I know about individual cross-realm principals, > > adtest/ad.example....@ipa.example.org > > And I know about cross-realm trust principals: > > krbtgt/ad.example....@ipa.example.org > > But I was under the impression that if a user traversed a trust, their client > principal name would still be adt...@ad.example.org . I am not aware of any > circumstances which would produce a client principal with two "@" signs in > it. Pls fix my ignorance.
The second @ is not provided by kerberos, it is rpcimapd making false assumptions, it does a getpwuid and gets back adt...@ad.example.org as the username, to which it decides to slap on the local REALM name with an @ sign in between. I think this is something that may be handled with imapd.conf configuration. Simo. -- Simo Sorce * Red Hat, Inc * New York -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project