On 2017-04-06 20:50, Sumit Bose wrote:
On Thu, Apr 06, 2017 at 01:55:02PM +0200, Ronald Wimmer wrote:
On 2017-04-06 12:16, Sumit Bose wrote:
On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote:
[...]
AD trust:
mydomain.at (forest root)
xyz (subdomain -> where myuser resides)

BCC (appearing in krb5_child.log) is not a domain here. It is my company's
name and might derive from some information in the AD.
Yes, it is about the userPrincipalName attribute read from AD. Which IPA
server version do you use? Since RHEL-7.3 IPA supports those principals
coming from AD. For older versions you should add a workaround which is
e.g. described at the end of
https://www.redhat.com/archives/freeipa-users/2016-November/msg00069.html

HTH

bye,
Sumit

I am using an up-to-date RHEL 7.3 IPA master. Is there no possibility to
override it?

Please check on the server with

    ipa trust-find

if the BCC domain is listed as 'UPN suffixes:'. If not please try

    ipa trust-fetch-domains

and check again. If the domain is listed then a 7.3 IPA client should be
able to detect it automatically; on older clients you should set
'krb5_use_enterprise_principal = True' manually in sssd.conf.

I just checked with our AD guys. ipa trust-find only shows five UPN suffixes. There are many more which are not shown, including bcc.mydomain.at.

Any idea why only a subset is shown?
