On Wed, Feb 17, 2016 at 09:13:00AM +0100, Sumit Bose wrote:
> On Tue, Feb 16, 2016 at 10:23:30PM +0000, Nathan Peters wrote:
> > I have created a trust between my FreeIPA domain and an Active Directory
> > domain.  I can get a Kerberos ticket properly from the other domain at the
> > command line on the IPA server.
> > I have also created sudo and HBAC rules to allow my AD users to log on to
> > the IPA domain controller using the recommended nested external group setup.
> > However, I cannot actually log in to the machines.
> > 
> > I should note that our AD domain is office.mydomain.net, but we use 
> > alternative UPN suffixes so the usernames are u...@mydomain.net.
> > 
> > I read the patch notes and apparently support for client referrals that 
> > will allow alternate UPN suffixes in trusted domains was added in FreeIPA 
> > 4.2.1.
> 
> While client referrals with the realm derived from the domain name
> already work, the UPN support is currently WIP
> (https://fedorahosted.org/freeipa/ticket/5354).

Several users have reported that a workaround of:
    subdomain_inherit = ldap_user_principal
    ldap_user_principal = phonyattr
solves their issue, but it's just a workaround, not a real solution.
