Hi, 

I can confirm that the UPN issue is fixed in RHEL 7.3. That is great, thank you a 
lot. 
It looks like the solution came with sssd 1.14.x, right? Does anybody know if there are 
plans to implement it in RHEL 6.x (ipa-client)? Currently my ipa-clients on 
RHEL 6.8 (sssd 1.13.3-22) are not able to handle that. 

Thanks, 
Jan 


---------------------------------------------------------------------- 

From: "Jan Karásek" <jan.kara...@elostech.cz> 
To: freeipa-users@redhat.com 
Sent: Tuesday, May 10, 2016 4:44:14 PM 
Subject: AD trust and UPN issue 

Hi, 

thank you for the answer. I have already tried that workaround and still no 
luck. At the moment this is a showstopper for us on two different projects at two 
different customers. 
Any chance to get it patched before 7.3 arrives? 

Thanks, 
Jan 
---------------------------------------------------------------------- 


Date: Tue, 10 May 2016 14:38:01 +0200 
From: Jakub Hrozek <jhro...@redhat.com> 
To: freeipa-users@redhat.com 
Subject: Re: [Freeipa-users] Fwd: AD trust and UPN issue 
Message-ID: <20160510123801.GE4011@hendrix> 
Content-Type: text/plain; charset=iso-8859-1 

On Tue, May 10, 2016 at 02:17:07PM +0200, Jan Karásek wrote: 
> Hi all, 
> I have lab environment with IPA server and trust to Active directory. 
> IPA server is in a.example.com. 
> AD DC is in example.com. 
> We also have a child AD subdomain ext.example.com. 
> Everything is fine until the users in the AD domain ext.example.com get the UPN 
> suffix of the root AD domain - example.com - which is a pretty common scenario. 
> Example: 
> user@ext.example.com is set in AD with UPN user@example.com 
> 
> In this situation I am not able to log in to my linux box with 
> user@example.com 
> I have seen some open tickets on this issue, 3559 and others, and they are 
> marked as fixed in IPA 4.2 ... but I'm not sure if it's already fixed in the current 
> packages. 
> Currently I am testing on RHEL7 with ipa-server-4.2.0-15.el7_2.6.1.x86_64 and 
> the same situation is on Fedora 23 with freeipa-server-4.2.4-1.fc23.x86_64. 
> I have default settings - no changes in krb5.conf and sssd.conf after ipa 
> trust-add. 
> Also I have found the workaround to set in krb5.conf (see topic: Cannot find 
> KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues in RH archive ) - add 
> another realm just with EXT.EXAMPLE.COM = { kdc = ad.ext.example.com:88 } - 
> but no effect. 
> Could you please confirm that it's possible to use IPA with a different UPN 
> suffix for AD users than the name of the domain in which they exist? Is 
> there any additional configuration needed for this scenario? 

In general no, not until 7.3. But it might work with a workaround. Can 
you try setting: 
ldap_user_principal = nosuchattr 
subdomain_inherit = ldap_user_principal 
in sssd.conf's domain section on the server? (Yes, server, not client..) 

This should work without the workaround starting with 7.3.. 

Jan K 
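As an added example for this thread (not code from SSSD, FreeIPA, or anyone in the discussion), the script below applies, checks and reverts the two-line sssd.conf workaround from Jakub's reply on the IPA server. Its one assumption beyond the reply is how it tells a server from a client: it only touches a [domain/...] section that has both id_provider = ipa and ipa_server_mode = True, which ipa-server-install writes and ipa-client-install does not, so it refuses to run on a client. The sample configs inside are constructed for the example. Pointing ldap_user_principal at a non-existent attribute makes SSSD ignore the userPrincipalName it reads from AD, and subdomain_inherit pushes that setting into the trusted AD subdomains; the revert function is there because the workaround is meant to go away once sssd 1.14 / RHEL 7.3 is in place.

```python
"""Apply / check / revert the sssd.conf UPN workaround on an IPA server.

Settings taken from Jakub's reply:
    ldap_user_principal = nosuchattr
    subdomain_inherit = ldap_user_principal
Assumption (not from the thread): the server's domain section is the one
with id_provider = ipa and ipa_server_mode = True.
"""
import configparser
import io
import os
import sys

WORKAROUND_ATTR = "nosuchattr"   # deliberately non-existent LDAP attribute
UPN_KEY = "ldap_user_principal"
INHERIT_KEY = "subdomain_inherit"

# Constructed sample configs for this example (not from the thread).
SAMPLE_SERVER = """[sssd]
services = nss, sudo, pam, ssh
domains = a.example.com

[domain/a.example.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = a.example.com
ipa_hostname = ipa.a.example.com
ipa_server_mode = True
"""
SAMPLE_CLIENT = SAMPLE_SERVER.replace("ipa_server_mode = True\n",
                                      "ipa_server = ipa.a.example.com\n")


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str             # keep sssd option names exactly as written
    cp.read_string(text)
    return cp


def _dump(cp):
    buf = io.StringIO()
    cp.write(buf)
    return buf.getvalue()


def _server_sections(cp):
    """[domain/...] sections of an IPA *server* (id_provider = ipa + ipa_server_mode)."""
    return [s for s in cp.sections()
            if s.startswith("domain/")
            and cp.get(s, "id_provider", fallback="").strip() == "ipa"
            and cp.getboolean(s, "ipa_server_mode", fallback=False)]


def _inherit_list(cp, section):
    raw = cp.get(section, INHERIT_KEY, fallback="")
    return [x.strip() for x in raw.split(",") if x.strip()]


def target_sections(text):
    return _server_sections(_parse(text))


def apply_workaround(text):
    cp = _parse(text)
    targets = _server_sections(cp)
    if not targets:
        raise ValueError("no IPA server domain section; run this on the server, not a client")
    for s in targets:
        cp.set(s, UPN_KEY, WORKAROUND_ATTR)
        inherit = _inherit_list(cp, s)
        if UPN_KEY not in inherit:     # keep anything already inherited, e.g. ad_site
            inherit.append(UPN_KEY)
        cp.set(s, INHERIT_KEY, ", ".join(inherit))
    return _dump(cp)


def revert_workaround(text):
    cp = _parse(text)
    for s in _server_sections(cp):
        if cp.get(s, UPN_KEY, fallback="") == WORKAROUND_ATTR:
            cp.remove_option(s, UPN_KEY)
        inherit = [x for x in _inherit_list(cp, s) if x != UPN_KEY]
        if inherit:
            cp.set(s, INHERIT_KEY, ", ".join(inherit))
        else:
            cp.remove_option(s, INHERIT_KEY)
    return _dump(cp)


def has_workaround(text):
    cp = _parse(text)
    targets = _server_sections(cp)
    return bool(targets) and all(
        cp.get(s, UPN_KEY, fallback="") == WORKAROUND_ATTR
        and UPN_KEY in _inherit_list(cp, s) for s in targets)


if __name__ == "__main__":           # usage: sssd_upn_workaround.py [check|apply|revert]
    path, action = "/etc/sssd/sssd.conf", (sys.argv[1:] or ["check"])[0]
    with open(path) as f:
        conf = f.read()
    if action == "check":
        sys.exit(0 if has_workaround(conf) else 1)
    new = apply_workaround(conf) if action == "apply" else revert_workaround(conf)
    with open(path + ".new", "w") as f:
        f.write(new)
    os.chmod(path + ".new", 0o600)   # sssd refuses to start if sssd.conf is group/world readable
    os.replace(path + ".new", path)
    print("wrote", path, "- now run: sss_cache -E && systemctl restart sssd")
```

After applying it on the server, flush the cache and restart sssd as the script prints, then check from a client with `getent passwd user@example.com` and a `kinit user@example.com` that the user with the root-domain UPN suffix now resolves and authenticates; `check` exits 0 only when both settings are present in every server domain section.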


----- Original Message ----- 
From: "freeipa-users-request" <freeipa-users-requ...@redhat.com> 
To: freeipa-users@redhat.com 
Sent: Tuesday, May 10, 2016 4:23:56 PM 
Subject: Freeipa-users Digest, Vol 94, Issue 63 

---------------------------------------------------------------------- 
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
