On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote:
> On 2017-04-06 11:21, Sumit Bose wrote:
> > On Thu, Apr 06, 2017 at 12:10:29PM +0200, Ronald Wimmer wrote:
> > > Hi,
> > > 
> > > when I try to log in to an IPA client with my AD user it works perfectly
> > > when I already have a Kerberos ticket for my user. When I do not and I try a
> > > password-based login it fails:
> > Please send the sssd_domain.log and krb5_child.log from the same time as
> > well.
> > 
> 
> AD trust:
> mydomain.at (forest root)
> xyz (subdomain -> where myuser resides)
> 
> BCC (appearing in krb5_child.log) is not a domain here. It is my company's
> name and might derive from some information in the AD.

Yes, it is about the userPrincipalName attribute read from AD. Which IPA
server version do you use? Since RHEL-7.3 IPA supports those principals
coming from AD. For older versions you should add a workaround which is
e.g. described at the end of
https://www.redhat.com/archives/freeipa-users/2016-November/msg00069.html

HTH

bye,
Sumit
