Hi All,

We have IPA running in a one-way trust with our AD and it’s working well.  
However, there are a number of users who belong to an affiliated institution 
who are nonetheless present in our AD, but with a different UPN suffix to the 
trust domains.  The particulars are:

  IPA realm: IPA.LOCALDOMAIN
  AD realms: STAFF.LOCALDOMAIN, STUDENT.LOCALDOMAIN

  Regular users typically have a UPN of ‘firstname.lastname@staff.localdomain’
  The affiliated users have a UPN of ‘firstname.lastname@affiliate’

The trust relationship looks like this on the IPA server:

# ipa trustdomain-find
Realm name: STAFF.LOCALDOMAIN
  Domain name: staff.localdomain
  Domain NetBIOS name: STAFF
  Domain Security Identifier: S-1-5-21-2593845812-3993450118-3195856661
  Domain enabled: True

  Domain name: student.localdomain
  Domain NetBIOS name: STUDENT
  Domain Security Identifier: S-1-5-21-3906414162-3274047707-1428844997
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------

We have a test IPA server with HBAC allow_all and we can ssh to it reliably as 
a regular user, but when we try to ssh as ‘firstname.lastname@affiliate’ we 
see the following exceptions in /var/log/sssd/krb5_child.log:

(Thu Jul  6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] 
(0x0400): Attempting kinit for realm [IPA.LOCALDOMAIN]
(Thu Jul  6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] 
(0x0020): 1296: [-1765328378][Client 
'firstname.lastname\@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]
(Thu Jul  6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [map_krb5_error] 
(0x0020): 1365: [-1765328378][Client 
'firstname.lastname\@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]
(Thu Jul  6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [k5c_send_data] 
(0x0200): Received error code 1432158209
(Thu Jul  6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [main] (0x0400): 
krb5_child completed successfully

(The test environment is RHEL7.3, running ipa-server-4.4.0-14.el7_3.7.x86_64 
and associated packages).

Is this version of IPA able to support trust users with a different UPN suffix, 
and if so, what special configuration is required to achieve this?

Regards,

Robert.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
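The krb5_child.log excerpt above gives the diagnosis away if you read the principal carefully: the client SSSD asked the IPA KDC for is `firstname.lastname\@AFFILIATE@IPA.LOCALDOMAIN`, i.e. the literal login string (with its `@` escaped) treated as a user in the IPA realm, not a user in a trusted AD domain. That happens because the suffix `affiliate` is not one of the domains `ipa trustdomain-find` lists, so SSSD has no trusted domain to route the request to. The script below is an added example, not code from the original post or from FreeIPA/SSSD: it parses the two outputs quoted in the post (embedded here as constructed sample data, with the wrapped log line re-joined) and reports whether the failing login's UPN suffix matches any enabled trust domain. It checks only what `trustdomain-find` shows; it does not tell you which IPA version will accept an extra suffix.

```python
"""Diagnose a 'Client ... not found in Kerberos database' failure for a trust
user by comparing the UPN suffix in the failing principal with the domains
the IPA trust actually knows about.  Added illustration; the sample data is
copied from the mailing-list post above and is not a live capture."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the `ipa trustdomain-find` output quoted in the post.
TRUST_OUTPUT = """\
Realm name: STAFF.LOCALDOMAIN
  Domain name: staff.localdomain
  Domain NetBIOS name: STAFF
  Domain Security Identifier: S-1-5-21-2593845812-3993450118-3195856661
  Domain enabled: True

  Domain name: student.localdomain
  Domain NetBIOS name: STUDENT
  Domain Security Identifier: S-1-5-21-3906414162-3274047707-1428844997
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
"""

# Constructed sample: the two relevant krb5_child.log lines from the post,
# each re-joined onto a single line.  '\\@' is the literal '\@' SSSD logs.
LOG = """\
(Thu Jul  6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [IPA.LOCALDOMAIN]
(Thu Jul  6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328378][Client 'firstname.lastname\\@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]
"""

_CLIENT_RE = re.compile(r"Client '([^']+)' not found in Kerberos database")
_KINIT_RE = re.compile(r"Attempting kinit for realm \[([^\]]+)\]")


def parse_trust_domains(text: str) -> List[str]:
    """Return the lower-cased 'Domain name' of every *enabled* entry."""
    domains: List[str] = []
    current: Optional[str] = None
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        if not sep:
            continue
        if key == "Domain name":
            current = value.strip().lower()
        elif key == "Domain enabled" and current is not None:
            if value.strip() == "True":
                domains.append(current)
            current = None
    return domains


def failing_principal(log_text: str) -> Optional[str]:
    """The client principal the KDC rejected, exactly as logged."""
    m = _CLIENT_RE.search(log_text)
    return m.group(1) if m else None


def kinit_realm(log_text: str) -> Optional[str]:
    """The realm krb5_child tried to kinit against."""
    m = _KINIT_RE.search(log_text)
    return m.group(1) if m else None


def split_principal(principal: str) -> Tuple[str, str]:
    """Split on the realm separator: the last '@' not escaped by a backslash.
    'a\\@B@R' -> ('a\\@B', 'R')."""
    for i in range(len(principal) - 1, -1, -1):
        if principal[i] == "@" and (i == 0 or principal[i - 1] != "\\"):
            return principal[:i], principal[i + 1:]
    return principal, ""


def split_upn(name: str) -> Tuple[str, Optional[str]]:
    """Undo the '\\@' escaping and split the login into (user, suffix).
    A plain local user name has no suffix (None)."""
    user = name.replace("\\@", "@")
    if "@" in user:
        login, suffix = user.rsplit("@", 1)
        return login, suffix.lower()
    return user, None


def diagnose(trust_output: str, log_text: str) -> Dict[str, object]:
    """Explain why the login failed in terms of the trust configuration."""
    trusted = parse_trust_domains(trust_output)
    principal = failing_principal(log_text)
    if principal is None:
        return {"trusted_domains": trusted,
                "verdict": "no 'not found in Kerberos database' error in log"}
    name, princ_realm = split_principal(principal)
    login, suffix = split_upn(name)
    result: Dict[str, object] = {
        "trusted_domains": trusted,
        "kinit_realm": kinit_realm(log_text) or princ_realm,
        "login": login,
        "upn_suffix": suffix,
        "suffix_is_trusted_domain": bool(suffix) and suffix in trusted,
    }
    if suffix is None:
        result["verdict"] = f"local user '{login}' does not exist in {princ_realm}"
    elif suffix in trusted:
        result["verdict"] = (f"suffix '{suffix}' is a trust domain yet the kinit went "
                             f"to {princ_realm}; check the SSSD domain configuration")
    else:
        result["verdict"] = (f"suffix '{suffix}' matches no enabled trust domain "
                             f"({', '.join(trusted)}); SSSD treated the whole login "
                             f"as a local {princ_realm} principal")
    return result


if __name__ == "__main__":
    for key, value in diagnose(TRUST_OUTPUT, LOG).items():
        print(f"{key}: {value}")
```

Run against a real box by replacing the two constants with the output of `ipa trustdomain-find` and the failing slice of `/var/log/sssd/krb5_child.log`; a verdict of "matches no enabled trust domain" means the suffix problem is on the IPA/SSSD side, not an HBAC or password issue.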