Confirmed that adding the following to /etc/sssd/ssd.conf on the SERVER fixed SSH password checks on the server itself!


ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal

The core problem does appear to be the "... UPN is quite different" error when we try to login as u...@nafta.company.org which then gets shortened to u...@company.org. It's hard to read the volume of debug_level 10 logs but it's clear that it's getting hung up with principals when talking to the remote AD servers.

I can now login to the IPA server with my standard AD credentials which has been impossible until just now.

However no luck on IPA clients. Can you confirm that the above sssd.conf workaround is for the IPA server only as the thread you linked to indicates or is this a change I should push down to clients? I'm going to build some fresh clients just in case.

And knowing that this workaround seems to be getting close to totally resolving our issue would you recommend IPA-4.4 for our environment where we have lots of AD trusts in play combined with DNS-DOMAIN differences between the IPA realm and the managed clients? Or is it better to stick with the workaround settings + the IPA-4.2 release that comes with CentOS/RHEL-7?

Thanks!

Chris


Sumit Bose wrote:
Both authentications where successful against the backend. For the logs
it looks like you use an alternative domain suffix on the AD side so
that all user if other domains in the forest can use the forest root
suffix as realm, in the user principal (u...@nafta.company.org  ->
u...@company.org).

I would expect that there are messages like "UPN used in the request
...differ by more than just the case." in the domain log at 'TueDec  6
19:57:11'  and 'TueDec  6 19:57:14'.

If that's the case updating to4.4  would help because in this release
IPA can forward the enterprise principals properly and SSSD will not
reject the changed principal because sSSD will be aware of the change.

But there are workarounds to make it work with your version as well,
please see e.g. the suggestion from
https://www.redhat.com/archives/freeipa-users/2016-May/msg00205.html  .

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
  • ... List dedicated to discussions about use, configuration and deployment of the IPA server.
    • ... List dedicated to discussions about use, configuration and deployment of the IPA server.
      • ... List dedicated to discussions about use, configuration and deployment of the IPA server.
        • ... Sumit Bose
          • ... Chris Dagdigian
          • ... Chris Dagdigian
          • ... Chris Dagdigian
            • ... Sumit Bose
              • ... Chris Dagdigian
                • ... Sumit Bose
                • ... Chris Dagdigian
                • ... Sumit Bose

Reply via email to