On 2017-04-06 20:50, Sumit Bose wrote:
On Thu, Apr 06, 2017 at 01:55:02PM +0200, Ronald Wimmer wrote:
On 2017-04-06 12:16, Sumit Bose wrote:
On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote:
[...]
AD trust:
mydomain.at (forest root)
xyz (subdomain -> where myuser resides)
BCC (appearing in krb5_child.log) is not a domain here. It is my company's
name and might derive from some information in the AD.
Yes, it is about the userPrincipalName attribute read from AD. Which IPA
server version do you use? Since RHEL-7.3 IPA supports those principals
coming from AD. For older versions you should add a workaround which is
e.g. described at the end of
https://www.redhat.com/archives/freeipa-users/2016-November/msg00069.html
HTH
bye,
Sumit
I am using an up-to-date RHEL 7.3 IPA master. Is there no possibility to
override it?
Please check on the server with
ipa trust-find
if the BCC domain is listed as 'UPN suffixes:'. If not please try
ipa trust-fetch-domains
and check again. If the domain is listed then a 7.3 IPA client should be
able to detect it automatically; on older clients you should set
'krb5_use_enterprise_principal = True' manually in sssd.conf.
I just checked with our AD guys. ipa trust-find only shows five UPN
suffixes. There are many more which are not shown including bcc.mydomain.at.
Any idea why only a subset is shown?
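Added example, not part of the original thread: a small shell check for the two things discussed above, whether a given UPN suffix is listed by ipa trust-find and whether sssd.conf sets krb5_use_enterprise_principal. The sample text is constructed, and the comma-separated layout of the 'UPN suffixes:' line is an assumption about the command's output.

```shell
#!/bin/sh
# Constructed sample of `ipa trust-find` output (layout is an assumption).
SAMPLE_TRUST_FIND='  Realm name: mydomain.at
  Domain NetBIOS name: MYDOMAIN
  Trust type: Active Directory domain
  UPN suffixes: corp.example.test, mail.example.test'

# Constructed sssd.conf fragment for an older client.
SAMPLE_SSSD_CONF='[domain/ipa.example.test]
id_provider = ipa
krb5_use_enterprise_principal = True'

# upn_suffix_listed SUFFIX
# Reads `ipa trust-find` output on stdin. Returns 0 only if SUFFIX is one
# of the entries on a "UPN suffixes:" line (whole entry, case-insensitive),
# so "example.test" does not match "corp.example.test".
upn_suffix_listed() {
    awk -v want="$1" '
        BEGIN { want = tolower(want); found = 0 }
        /^[ \t]*UPN suffixes:/ {
            sub(/^[^:]*:[ \t]*/, "")
            n = split($0, parts, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                s = tolower(parts[i])
                gsub(/[ \t\r]+$/, "", s)
                if (s == want) found = 1
            }
        }
        END { exit !found }'
}

# enterprise_principal_enabled
# Reads sssd.conf on stdin. Returns 0 if the option is set to true.
enterprise_principal_enabled() {
    grep -Eiq '^[[:space:]]*krb5_use_enterprise_principal[[:space:]]*=[[:space:]]*true[[:space:]]*$'
}

# Demo on the constructed samples. On a real server, pipe `ipa trust-find`
# into upn_suffix_listed instead.
if printf '%s\n' "$SAMPLE_TRUST_FIND" | upn_suffix_listed bcc.mydomain.at; then
    echo "bcc.mydomain.at is listed as a UPN suffix"
else
    echo "bcc.mydomain.at not listed: run 'ipa trust-fetch-domains' and check again"
fi
printf '%s\n' "$SAMPLE_SSSD_CONF" | enterprise_principal_enabled \
    && echo "krb5_use_enterprise_principal is enabled"
```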