On Tue, May 10, 2016 at 02:17:07PM +0200, Jan Karásek wrote:
> Hi all,
> I have a lab environment with an IPA server and a trust to Active Directory.
> IPA server is in a.example.com.
> AD DC is in example.com.
> We also have a child AD subdomain ext.example.com.
> Everything is fine until the users in AD domain ext.example.com get the UPN
> suffix of the root AD domain - example.com - which is a pretty common scenario.
> Example:
> user@ext.example.com is set in AD with UPN user@example.com
>
> In this situation I am not able to log in to my Linux box with
> user@example.com.
> I have seen some open tickets on this issue, 3559 and others, and they are
> marked as fixed in IPA 4.2 ... but I'm not sure if it's already fixed in the current
> packages.
> Currently I am testing on RHEL7 with ipa-server-4.2.0-15.el7_2.6.1.x86_64 and
> the same situation is on Fedora 23 with freeipa-server-4.2.4-1.fc23.x86_64.
> I have default settings - no changes in krb5.conf and sssd.conf after ipa
> trust-add.
> Also I have found the workaround to set in krb5.conf (see topic: Cannot find
> KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues in the RH archive) - add
> another realm just with EXT.EXAMPLE.COM = { kdc = ad.ext.example.com:88 } -
> but no effect.
> Could you please confirm that it's possible to use IPA with a different UPN
> suffix for users in AD than the domain name in which they exist? Is
> there any additional configuration needed to fix this scenario?
In general no, not until 7.3. But it might work with a workaround. Can you try setting:

    ldap_user_principal = nosuchattr
    subdomain_inherit = ldap_user_principal

in sssd.conf's domain section on the server? (Yes, server, not client.) This should work without the workaround starting with 7.3.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
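As an added example (not code from the thread, nor from SSSD or FreeIPA), the script below shows the two workaround lines in the context of a complete server-side sssd.conf domain section and checks whether a given sssd.conf actually carries both of them. The config texts, the IPA hostname ipa.a.example.com, and the function name check_upn_workaround are constructed for illustration; the option names ldap_user_principal, subdomain_inherit and the standard id_provider = ipa keys are real SSSD options. Both settings are needed: pointing ldap_user_principal at an attribute that does not exist makes SSSD ignore the UPN stored in AD and build the principal from the account name and realm instead, and subdomain_inherit makes the trusted AD subdomains use that setting too.

```python
"""Verify the AD UPN-suffix workaround in an sssd.conf (added example, not thread code).

Parses sssd.conf with configparser and reports whether the IPA server's own
[domain/<ipa_domain>] section contains both
    ldap_user_principal = nosuchattr
    subdomain_inherit = ldap_user_principal
which is the server-side workaround suggested in the reply above.
"""
import configparser

# Constructed: a default-looking server domain section after ipa-server-install
# and ipa trust-add (hostname ipa.a.example.com is an assumption).
SSSD_CONF_DEFAULT = """\
[sssd]
domains = a.example.com
services = nss, sudo, pam, ssh
config_file_version = 2

[domain/a.example.com]
id_provider = ipa
ipa_server_mode = True
ipa_server = ipa.a.example.com
ipa_domain = a.example.com
ipa_hostname = ipa.a.example.com
cache_credentials = True
krb5_realm = A.EXAMPLE.COM
"""

# Constructed: the same section with the two workaround lines appended.
SSSD_CONF_WORKAROUND = SSSD_CONF_DEFAULT + """\
ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal
"""


def _parse(conf_text):
    """Parse sssd.conf text; option names are kept case-sensitive as SSSD reads them."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(conf_text)
    return cp


def check_upn_workaround(conf_text, ipa_domain):
    """Return a dict describing the workaround state for [domain/<ipa_domain>].

    principal_disabled: ldap_user_principal points at a non-existent attribute
    inherited:          subdomain_inherit lists ldap_user_principal
    applied:            both of the above hold
    """
    cp = _parse(conf_text)
    section = f"domain/{ipa_domain}"
    if not cp.has_section(section):
        return {"section_found": False, "principal_disabled": False,
                "inherited": False, "applied": False}

    principal = cp.get(section, "ldap_user_principal", fallback="").strip()
    # subdomain_inherit is a comma-separated list of option names.
    inherit = [item.strip()
               for item in cp.get(section, "subdomain_inherit", fallback="").split(",")
               if item.strip()]

    principal_disabled = principal == "nosuchattr"
    inherited = "ldap_user_principal" in inherit
    return {"section_found": True,
            "principal_disabled": principal_disabled,
            "inherited": inherited,
            "applied": principal_disabled and inherited}


def main():
    # Show the difference between the stock config and the one with the workaround.
    for label, text in (("default", SSSD_CONF_DEFAULT), ("workaround", SSSD_CONF_WORKAROUND)):
        print(f"{label:>10}: {check_upn_workaround(text, 'a.example.com')}")


if __name__ == "__main__":
    main()
```

The check deliberately requires both lines: with only ldap_user_principal set, the IPA domain itself ignores the UPN but the trusted AD subdomains, which are where the affected users live, do not, so logins as user@example.com would still fail. Run it against a copy of /etc/sssd/sssd.conf from the IPA server (not from the client, as the reply stresses) by passing the file contents to check_upn_workaround.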