On Thu, Jul 09, 2015 at 11:50:06AM +0200, Jan Pazdziora wrote: > On Thu, Jul 09, 2015 at 11:33:11AM +0200, Sumit Bose wrote: > > > > Most probable because ad...@example.test is the Kerberos principal of > > your user. If SSSD cannot find a matching user name and the name > > contains an '@' it tries to find a Kerberos principal which matches the > > full given name. > > But realms are case sensitive, aren't they? So while it should work > for ad...@example.test, it should not for ad...@example.test.
you are absolutely correct, not only realms but the whole principal is case-sensitive. But we want to play nice with AD users and make it easy to log in with the alternative domain suffix feature (some call it log in with email address because they often look the same) which is often used in larger forests. Since AD treats the names and principals case-in-sensitive most AD user will not know the correct spelling and so we treat them case-in-sensitive in SSSD as well. bye, Sumit > > -- > Jan Pazdziora > Senior Principal Software Engineer, Identity Management Engineering, Red Hat > _______________________________________________ > sssd-devel mailing list > sssd-devel@lists.fedorahosted.org > https://lists.fedorahosted.org/mailman/listinfo/sssd-devel _______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
