Hi all,
I have a lab environment with an IPA server and a trust to Active Directory.
IPA server is in a.example.com.
AD DC is in example.com.
We also have a child AD subdomain, ext.example.com.
Everything is fine until the users in the AD domain ext.example.com get the UPN
suffix of the root AD domain - example.com - which is a pretty common scenario.
Example:
user@ext.example.com is set in AD with UPN user@example.com
In this situation I am not able to log in to my Linux box with
user@example.com
I have seen some open tickets on this issue, 3559 and others, and they are
marked as fixed in IPA 4.2 ... but I am not sure if it's already fixed in current
packages.
Currently I am testing on RHEL7 with ipa-server-4.2.0-15.el7_2.6.1.x86_64 and
the same situation is on Fedora 23 with freeipa-server-4.2.4-1.fc23.x86_64.
I have default settings - no changes in krb5.conf and sssd.conf after ipa
trust-add.
Also, I have found the workaround to set in krb5.conf (see topic: Cannot find
KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues in RH archive) - add
another realm just with EXT.EXAMPLE.COM = { kdc = ad.ext.example.com:88 } - but
no effect.
Could you please confirm that it's possible to use IPA with a different UPN
suffix for users in AD than the domain name in which they exist? Is there
any additional configuration needed to fix this scenario?
Regards,
Jan