Re: [Freeipa-users] ipa- client rhel 6.9 support for UPN different then domain name

2017-02-08 Thread Sumit Bose
On Wed, Feb 08, 2017 at 12:44:07PM +0100, Troels Hansen wrote:
> Hi, 
> 
> Have you tried setting ldap_user_principal to something nonexisting? For 
> example:
> 
> ldap_user_principal = nosuchattr
> 
> and inherit this to the AD domain with:
> 
> subdomain_inherit = ldap_user_principal
> 
> Both in the domain section of sssd.

Enterprise principals are supported by IPA since RHEL 7.3, so this
work-around for older versions should not be needed anymore.

> 
> - On Feb 8, 2017, at 12:17 PM, Jan Karásek jan.kara...@elostech.cz wrote:
> 
> > Hi, thank you for help.
> > 
> > I am running RHEL 7.3 on IPA servers and with RHEL 7.3 clients it works
> > really nice.
> > Trouble is on RHEL 6 machines. I have tried to add
> > krb5_use_enterprise_principal = true into domain section of sssd.conf on
> > RHEL 6 IPA clients but problem still persists. Is there anything else that
> > should be set? I have restarted sssd service, both on servers and client,
> > emptied sssd_cache and so on but I am still unable to resolve users (on
> > RHEL 6) with short UPN - id and getent passwd return no such user... We
> > still have more servers on RHEL 6 than on RHEL 7.

SSSD logs from a RHEL 6 client which include a failing user lookup are
needed to see why it is still failing, see
https://fedorahosted.org/sssd/wiki/Troubleshooting for details.

bye,
Sumit

> > 
> > Thanks,
> > Jan
> > 
> > 
> >> Hi,
> >> 
> >> I just looked into RHEL 6.9 beta repos and I can see there is
> >> sssd-client-1.13.3-53.el6.x86_64 version. I would like to know if with
> >> rhel 6.9 will come support for using different UPN than domain name. I am
> >> talking about AD trust scenario where user in AD domain sits in
> >> u...@subdomain.example.com but has a UPN set to u...@example.com. It has
> >> been solved in RHEL 7.3 I guess with sssd 1.14. Is ipa-client in RHEL 6.9
> >> able to handle this situation or is there any known workaround?
> > 
> > This is basically a server side feature. You need an IPA server version
> > which is delivered with RHEL-7.3. SSSD 1.14 in 7.3 can automatically
> > detect if the server supports this or not. This autodetection was not
> > backported to 6.9 but if your servers support it you can set
> > 'krb5_use_enterprise_principal = true' (see man sssd-krb5 for details)
> > on the IPA clients with older SSSD versions.
> > 
> > HTH
> > 
> > bye,
> > Sumit
> > 
> >> 
> >> Thanks,
> >> Jan
> >> 
> > 
> > 
> 
> -- 
> Kind regards
> 
> Troels Hansen
> 
> System Consultant
> 
> Casalogic A/S
> 
> T (+45) 70 20 10 63
> 
> M (+45) 22 43 71 57
> 
> Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and
> much more.
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
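
An added example, not part of any message in this thread: a small Python check that reads an sssd.conf and reports, per domain section, the state of the options discussed above (krb5_use_enterprise_principal, the ldap_user_principal / subdomain_inherit pair, and debug_level for the logs requested). The sample file, the domain name ipa.example.com and the debug_level threshold of 6 are assumptions made for illustration.

```python
import configparser

# Constructed sample sssd.conf for a RHEL 6 IPA client (not taken from the thread).
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = ipa.example.com

[domain/ipa.example.com]
id_provider = ipa
krb5_use_enterprise_principal = True
ldap_user_principal = nosuchattr
debug_level = 2
"""

MIN_DEBUG_LEVEL = 6  # assumed threshold for a useful lookup trace, adjust as needed


def audit_domains(conf_text, min_debug=MIN_DEBUG_LEVEL):
    """Return {domain section: [findings]} for the options named in the thread."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    report = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue  # only domain sections carry these options
        opts = parser[section]
        findings = []
        if opts.get("krb5_use_enterprise_principal", "").strip().lower() != "true":
            findings.append("krb5_use_enterprise_principal is not true")
        # The nosuchattr work-around only reaches the trusted AD domain if inherited.
        if "ldap_user_principal" in opts:
            inherited = [v.strip() for v in opts.get("subdomain_inherit", "").split(",")]
            if "ldap_user_principal" not in inherited:
                findings.append("ldap_user_principal is not in subdomain_inherit")
        try:
            level = int(opts.get("debug_level", "0"), 0)  # decimal or 0x... value
        except ValueError:
            level = 0
        if level < min_debug:
            findings.append("debug_level %d is below %d" % (level, min_debug))
        report[section] = findings
    return report


if __name__ == "__main__":
    for domain, findings in audit_domains(SAMPLE_SSSD_CONF).items():
        print(domain, "->", findings or "ok")
```

To check a real client, pass the contents of /etc/sssd/sssd.conf to audit_domains() instead of the constructed sample.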


Re: [Freeipa-users] ipa- client rhel 6.9 support for UPN different then domain name

2017-02-08 Thread Troels Hansen
Hi, 

Have you tried setting ldap_user_principal to something nonexisting? For 
example:

ldap_user_principal = nosuchattr

and inherit this to the AD domain with:

subdomain_inherit = ldap_user_principal

Both in the domain section of sssd.

- On Feb 8, 2017, at 12:17 PM, Jan Karásek jan.kara...@elostech.cz wrote:

> Hi, thank you for help.
> 
> I am running RHEL 7.3 on IPA servers and with RHEL 7.3 clients it works
> really nice.
> Trouble is on RHEL 6 machines. I have tried to add
> krb5_use_enterprise_principal = true into domain section of sssd.conf on
> RHEL 6 IPA clients but problem still persists. Is there anything else that
> should be set? I have restarted sssd service, both on servers and client,
> emptied sssd_cache and so on but I am still unable to resolve users (on
> RHEL 6) with short UPN - id and getent passwd return no such user... We
> still have more servers on RHEL 6 than on RHEL 7.
> 
> Thanks,
> Jan
> 
> 
>> Hi,
>> 
>> I just looked into RHEL 6.9 beta repos and I can see there is
>> sssd-client-1.13.3-53.el6.x86_64 version. I would like to know if with
>> rhel 6.9 will come support for using different UPN than domain name. I am
>> talking about AD trust scenario where user in AD domain sits in
>> u...@subdomain.example.com but has a UPN set to u...@example.com. It has
>> been solved in RHEL 7.3 I guess with sssd 1.14. Is ipa-client in RHEL 6.9
>> able to handle this situation or is there any known workaround?
> 
> This is basically a server side feature. You need an IPA server version
> which is delivered with RHEL-7.3. SSSD 1.14 in 7.3 can automatically
> detect if the server supports this or not. This autodetection was not
> backported to 6.9 but if your servers support it you can set
> 'krb5_use_enterprise_principal = true' (see man sssd-krb5 for details)
> on the IPA clients with older SSSD versions.
> 
> HTH
> 
> bye,
> Sumit
> 
>> 
>> Thanks,
>> Jan
>> 
> 
> 

-- 
Kind regards

Troels Hansen

System Consultant

Casalogic A/S

T (+45) 70 20 10 63

M (+45) 22 43 71 57

Red Hat, SUSE, VMware, Citrix, Novell, Yellowfin BI, EnterpriseDB, Sophos and
much more.


Re: [Freeipa-users] ipa- client rhel 6.9 support for UPN different then domain name

2017-02-08 Thread Jan Karásek
Hi, thank you for help. 

I am running RHEL 7.3 on IPA servers and with RHEL 7.3 clients it works really
nice.
Trouble is on RHEL 6 machines. I have tried to add
krb5_use_enterprise_principal = true into domain section of sssd.conf on RHEL 6
IPA clients but problem still persists. Is there anything else that should be
set? I have restarted sssd service, both on servers and client, emptied
sssd_cache and so on but I am still unable to resolve users (on RHEL 6) with
short UPN - id and getent passwd return no such user... We still have more
servers on RHEL 6 than on RHEL 7.

Thanks,
Jan


>> Hi,
>> 
>> I just looked into RHEL 6.9 beta repos and I can see there is
>> sssd-client-1.13.3-53.el6.x86_64 version. I would like to know if with rhel
>> 6.9 will come support for using different UPN than domain name. I am talking
>> about AD trust scenario where user in AD domain sits in
>> u...@subdomain.example.com but has a UPN set to u...@example.com. It has been
>> solved in RHEL 7.3 I guess with sssd 1.14. Is ipa-client in RHEL 6.9 able to
>> handle this situation or is there any known workaround?
> 
> This is basically a server side feature. You need an IPA server version
> which is delivered with RHEL-7.3. SSSD 1.14 in 7.3 can automatically
> detect if the server supports this or not. This autodetection was not
> backported to 6.9 but if your servers support it you can set
> 'krb5_use_enterprise_principal = true' (see man sssd-krb5 for details)
> on the IPA clients with older SSSD versions.
> 
> HTH
> 
> bye,
> Sumit
> 
>> 
>> Thanks,
>> Jan
>> 




Re: [Freeipa-users] ipa- client rhel 6.9 support for UPN different then domain name

2017-02-02 Thread Sumit Bose
On Thu, Feb 02, 2017 at 04:57:05PM +0100, Jan Karásek wrote:
> Hi,
> 
> I just looked into RHEL 6.9 beta repos and I can see there is
> sssd-client-1.13.3-53.el6.x86_64 version. I would like to know if with rhel
> 6.9 will come support for using different UPN than domain name. I am talking
> about AD trust scenario where user in AD domain sits in
> u...@subdomain.example.com but has a UPN set to u...@example.com. It has been
> solved in RHEL 7.3 I guess with sssd 1.14. Is ipa-client in RHEL 6.9 able to
> handle this situation or is there any known workaround?

This is basically a server side feature. You need an IPA server version
which is delivered with RHEL-7.3. SSSD 1.14 in 7.3 can automatically
detect if the server supports this or not. This autodetection was not
backported to 6.9 but if your servers support it you can set
'krb5_use_enterprise_principal = true' (see man sssd-krb5 for details)
on the IPA clients with older SSSD versions. 

HTH

bye,
Sumit

> 
> Thanks,
> Jan 
> 



[Freeipa-users] ipa- client rhel 6.9 support for UPN different then domain name

2017-02-02 Thread Jan Karásek
Hi,

I just looked into RHEL 6.9 beta repos and I can see there is
sssd-client-1.13.3-53.el6.x86_64 version. I would like to know if with rhel 6.9
will come support for using different UPN than domain name. I am talking about
AD trust scenario where user in AD domain sits in u...@subdomain.example.com
but has a UPN set to u...@example.com. It has been solved in RHEL 7.3 I guess
with sssd 1.14. Is ipa-client in RHEL 6.9 able to handle this situation or is
there any known workaround?

Thanks,
Jan 
