On Tue, May 10, 2016 at 02:17:07PM +0200, Jan Karásek wrote:
> Hi all,
> I have a lab environment with an IPA server and a trust to Active Directory.
> IPA server is in a.example.com.
> AD DC is in example.com.
> We also have a child AD subdomain ext.example.com.
> Everything is fine until the users in the AD domain ext.example.com get the UPN
> suffix of the root AD domain - example.com - which is a pretty common scenario.
> Example:
> user@ext.example.com is set in AD with UPN user@example.com
>
> In this situation I am not able to log in to my Linux box with
> user@example.com
> I have seen some open tickets on this issue (3559 and others), and they are
> marked as fixed in IPA 4.2 ... but I'm not sure if it's already fixed in the current
> packages.
> Currently I am testing on RHEL7 with ipa-server-4.2.0-15.el7_2.6.1.x86_64 and
> the same situation is on Fedora 23 with freeipa-server-4.2.4-1.fc23.x86_64.
> I have default settings - no changes in krb5.conf and sssd.conf after ipa
> trust-add.
> Also I have found the workaround to set in krb5.conf (see topic: Cannot find
> KDC for realm "MYDOMAIN.NET" - AD trust and UPN issues in RH archive ) - add
> another realm just with EXT.EXAMPLE.COM = { kdc = ad.ext.example.com:88 } -
> but no effect.
> Could you please confirm that it's possible to use IPA with a different UPN
> suffix for users in AD than the domain name in which they exist? Is
> there any additional configuration needed to fix this scenario?
In general no, not until 7.3. But it might work with a workaround. Can
you try setting:
ldap_user_principal = nosuchattr
subdomain_inherit = ldap_user_principal
in sssd.conf's domain section on the server? (Yes, server, not client.)
This should work without the workaround starting with 7.3.
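The two options above go into the `[domain/<ipa-domain>]` section of the IPA server's sssd.conf. The following Python script is an added example (not code from the thread, SSSD or FreeIPA) that checks a copy of sssd.conf for exactly that workaround and applies it when it is missing, so an administrator can see the change before touching the live file. The sample configuration is constructed for the example; the section name `domain/a.example.com` and the other option values in it are assumptions based on the domain names in the question, and `subdomain_inherit` is treated as a comma-separated list because SSSD allows several attributes there.

```python
"""Check and apply the sssd.conf UPN-suffix workaround from the reply above.

The workaround (ldap_user_principal = nosuchattr, subdomain_inherit =
ldap_user_principal) is expected in the IPA server's domain section.
"""
import configparser
import io

# Constructed sample resembling an IPA server sssd.conf after ipa trust-add.
# Section and option values are assumptions for this example, not a real host.
SAMPLE_SSSD_CONF = """
[domain/a.example.com]
id_provider = ipa
ipa_server = ipa.a.example.com
ipa_domain = a.example.com
krb5_realm = A.EXAMPLE.COM
cache_credentials = True

[sssd]
domains = a.example.com
services = nss, pam, ssh, sudo
"""

# The two settings from the reply: stop SSSD from mapping the AD UPN attribute,
# and make the trusted subdomains inherit that override from the IPA domain.
WORKAROUND = {
    "ldap_user_principal": "nosuchattr",
    "subdomain_inherit": "ldap_user_principal",
}


def parse_sssd_conf(text):
    """Parse sssd.conf text; keys are case-sensitive as in SSSD."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str
    cfg.read_file(io.StringIO(text))
    return cfg


def _inherit_list(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def missing_workaround(cfg, domain):
    """Return the workaround options that are absent or wrong in [domain/<domain>]."""
    section = f"domain/{domain}"
    if not cfg.has_section(section):
        raise KeyError(f"no section [{section}] in sssd.conf")
    missing = {}
    current = cfg[section]
    if current.get("ldap_user_principal") != WORKAROUND["ldap_user_principal"]:
        missing["ldap_user_principal"] = WORKAROUND["ldap_user_principal"]
    # subdomain_inherit may already list other attributes; only require ours.
    inherited = _inherit_list(current.get("subdomain_inherit", ""))
    if "ldap_user_principal" not in inherited:
        missing["subdomain_inherit"] = WORKAROUND["subdomain_inherit"]
    return missing


def apply_workaround(cfg, domain):
    """Add the workaround to [domain/<domain>], preserving an existing inherit list."""
    section = f"domain/{domain}"
    current = cfg[section]
    current["ldap_user_principal"] = WORKAROUND["ldap_user_principal"]
    inherited = _inherit_list(current.get("subdomain_inherit", ""))
    if "ldap_user_principal" not in inherited:
        inherited.append("ldap_user_principal")
    current["subdomain_inherit"] = ", ".join(inherited)
    return cfg


def render(cfg):
    """Serialize the configuration back to sssd.conf text."""
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue()


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_SSSD_CONF)
    print("missing before:", missing_workaround(conf, "a.example.com"))
    apply_workaround(conf, "a.example.com")
    print("missing after:", missing_workaround(conf, "a.example.com"))
    print(render(conf))
```

After writing the changed file back (sssd.conf must stay mode 0600, owned by root), restart SSSD and clear its cache (`sss_cache -E`) before retesting a login with the UPN form of the name; with the workaround in place, `id user@example.com` on the IPA server is the quickest check that the trusted-domain user now resolves.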
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project