On Wed, Feb 17, 2016 at 09:13:00AM +0100, Sumit Bose wrote:
> On Tue, Feb 16, 2016 at 10:23:30PM +0000, Nathan Peters wrote:
> > I have created a trust between my FreeIPA domain and an Active Directory
> > domain. I can get a Kerberos ticket properly from the other domain at the
> > command line on the IPA server.
> > I have also created sudo and HBAC rules to allow my AD users to log on to
> > the IPA domain controller using the recommended nested external group setup.
> > However, I cannot actually log in to the machines.
> > I should note that our AD domain is office.mydomain.net, but we use
> > alternative UPN suffixes so the usernames are u...@mydomain.net.
> > I read the patch notes and apparently support for client referrals that
> > will allow alternate UPN suffixes in trusted domains was added in FreeIPA
> > 4.2.1.
> While client referrals with the realm derived from the domain name
> already work, the UPN support is currently WIP.

Several users have reported that a workaround of:

    subdomain_inherit = ldap_user_principal
    ldap_user_principal = phonyattr

solves their issue, but it's just a workaround, not a real solution.