Red Hat Enterprise Linux Server release 7.3
ipa-server-4.4.0-14.el7_3.4.x86_64
389-ds-base-1.3.5.10-15.el7_3.x86_64
sssd-1.14.0-43.el7_3.11.x86_64

When looking at entries in the "cn=groups,cn=compat" tree, I noticed that the entries for Windows groups have the realm portion of the group name in all caps. This is true for the comment, the dn and the cn.

Example:

    # domain us...@win.mydomain.com, groups, compat, ipa.mydomain.com
    dn: cn=domain us...@win.mydomain.com ,cn=groups,cn=compat,dc=ipa,dc=mydomain,dc=com
    memberUid: 123...@win.mydomain.com
    cn: domain us...@win.mydomain.com

When I look at the entries in the "cn=users,cn=compat" tree, the realm portion of the user name is all lower case. Incidentally, these same user names are also all lowercase in the "memberUid" option on the groups above.

Example:

    # 123...@win.mydomain.com, users, compat, ipa.mydomain.com
    dn: uid=123...@win.mydomain.com,cn=users,cn=compat,dc=ipa,dc=mydomain,dc=com
    homeDirectory: /home/win.mydomain.com/123456
    uid: 123...@win.mydomain.com

Was this by design?

The reason I ask is that when I try to use the "kinit" feature on our Solaris 10 systems (which are joined to the IPA domain) for this Windows user, I get an error.

    [~]$ kinit
    Password for 123...@win.mydomain.com:
    kinit(v5): KDC reply did not match expectations while getting initial credentials

If I run it like this:

    [~]$ kinit 123...@win.mydomain.com
    Password for 123...@win.mydomain.com:
    [~]$ klist
    Ticket cache: FILE:/tmp/krb5cc_1683378846
    Default principal: 123...@win.mydomain.com

    Valid starting Expires Service principal
    05/30/17 11:44:35 05/30/17 21:44:40 krbtgt/ win.mydomain....@win.mydomain.com
    renew until 06/06/17 11:44:35

I believe this is due to the fact that the Solaris 10 system is using the lowercase entry in the compat tree above.

Here is the result of the ID command on this user:

    [~]$ id
    uid=1683378846(123...@win.mydomain.com) gid=1683378846( 123...@win.mydomain.com)

I know this is a workaround, but I would prefer to make this easier on the end users.

Any suggestions?

Robert Johnson