On Thu, Jun 25, 2015 at 01:06:22PM +0200, Giorgio Biacchi wrote:
> On 06/25/2015 12:56 PM, Sumit Bose wrote:
> > On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
> >> On 06/24/2015 06:45 PM, Sumit Bose wrote:
> >>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
> >>>> Hi everybody,
> >>>> I established a bidirectional trust between an IPA server (version 4.1.0 on
> >>>> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
> >>>> Everything is working fine, and I'm able to authenticate and logon on a linux
> >>>> host joined to IPA server using AD credentials (email@example.com).
> >>>> But active directory is configured with two more UPN suffixes (otherdomain.com
> >>>> and sub.otherdomain.com), and I cannot logon with credentials using alternative
> >>>> UPN (example: john....@otherdomain.com).
> >>>> How can I make this possible? Another trust (ipa trust-add) with the same AD?
> >>>> Manual configuration of krb5 and/or sssd?
> >>> Have you tried to login to an IPA client or the server? Please try with
> >>> an IPA server first. If this does not work it would be nice if you can
> >>> send the SSSD log files from the IPA server which are generated during
> >>> the logon attempt. Please call 'sss_cache -E' before to invalidate all
> >>> cached entries so that the logs will contain all needed calls to AD.
> >>> Using UPN suffixes was added to the AD provider some time ago and the
> >>> code is available in the IPA provider as well, but I guess no one has
> >>> actually tried this before.
> >>> bye,
> >>> Sumit
> >> First of all let me say that I feel like I'm missing some config somewhere..
> >> Changes tried in krb5.conf to support UPN suffixes didn't help.
> >> I can only access the server via ssh so I've attached the logs for a successful
> >> login for firstname.lastname@example.org and an unsuccessful login for
> >> accou...@otherdomain.com done via ssh.
> >> Bye and thanks for your help
> > It looks like the request is not properly propagated to sub-domains (the
> > trusted AD domain) but only sent to the IPA domain.
> > Would it be possible for you to run a test build of SSSD which might fix
> > this? If yes, which version of SSSD are you currently using? Then I can
> > prepare a test build with the patch on top of this version.
> > bye,
> > Sumit
> I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for
> any test.
> Here are the package versions for sssd:
Please try the packages at
> Thanks again
> PGP Key: http://pgp.mit.edu/
> Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34