Hi all, 
I have lab environment with IPA server and trust to Active directory. 
IPA server is in a.example.com. 
AD DC is in example.com. 
We have also child AD subdomain ext.examle.com. 
Everything is fine until the users in AD domain ext.example.com gets the UPN 
suffix of the root AD domain - example.com - which is pretty common scenario. 
user at ext.examaple.com is set in AD with UPN user at example.com 

In this situation I am not able to login into my linux box with user at 
I have seen some open tickets on this issue 3559 and others, and they are 
marked as fixed in IPA 4.2 ... but I not sure if its already fixed in current 
Currently I am testing on RHEL7 with ipa-server-4.2.0-15.el7_2.6.1.x86_64 and 
the same situation is on Fedora 23 with freeipa-server-4.2.4-1.fc23.x86_64. 
I have default settings - no changes in krb5.conf and sssd.conf after ipa 
Also I have found the workaround to set in krb5.conf (see topic: Cannot find 
KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues in RH archive ) - add 
another realm just with EXT.EXAMPLE.COM = { kdc = ad.ext.example.com:88 } - but 
no effect. 
Could you please confirm, that its possible to use IPA with different UPN 
suffix for users in AD than the domain name in which they are exists ? Is there 
any additional configuration needed to fix this scenario ? 


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to