On Tue, Jan 29, 2019 at 11:19:22AM +0100, Ronald Wimmer via
FreeIPA-users wrote:
...
Since you redirected MYDOMAIN.AT to the IPA server in krb5.conf, the
client cannot properly send the UPN to an AD DC. You can disable UPN
handling by setting 'ldap_user_principal = noSuchAttr' in the domain
section of sssd.conf on the IPA servers. You have to wait until the
SSSD caches on the server and the client are updated before the client
would start using employeeNumber@a.mydomain.at. But I wonder if the
redirection to the IPA server is needed in krb5.conf at all ...
...
If you replace this line with .mydomain.at = LINUX.MYDOMAIN.AT, I
would expect that libkrb5 will use the LINUX.MYDOMAIN.AT realm
whenever a DNS hostname from .mydomain.at is used. This way
it should be possible to add AD DCs to the MYDOMAIN.AT section so that
requests which contain the realm explicitly, like
'ronald.wimmer@MYDOMAIN.AT', would be sent to an AD DC.
Unfortunately, setting ldap_user_principal to NoSuchAttr was not enough
in order to make AD user login work. What else could I try? Which logs
are relevant here?
Cheers,
Ronald
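The two configuration changes suggested in the quoted reply, written out as an added example (not configuration posted by anyone in this thread): the [domain_realm] entry maps hosts under .mydomain.at to the IPA realm by hostname, while the MYDOMAIN.AT stanza in [realms] lists AD DCs instead of the IPA server, so principals that name MYDOMAIN.AT explicitly are routed to AD. All server hostnames are placeholders, and the sssd.conf domain section name is assumed to match the IPA realm.

```ini
# /etc/krb5.conf on the IPA client (added example; hostnames are placeholders)
[libdefaults]
  default_realm = LINUX.MYDOMAIN.AT
  dns_lookup_kdc = true        # let DNS SRV records locate KDCs not listed below

[realms]
  LINUX.MYDOMAIN.AT = {
    kdc = ipa.linux.mydomain.at:88          # placeholder IPA server
    admin_server = ipa.linux.mydomain.at:749
  }
  MYDOMAIN.AT = {
    kdc = dc1.mydomain.at:88                # placeholder AD DCs; the IPA server
    kdc = dc2.mydomain.at:88                # is no longer listed here
  }

[domain_realm]
  # Hostname-based mapping only: services on .mydomain.at hosts belong to the
  # IPA realm. A principal that spells out MYDOMAIN.AT still goes to the AD DCs.
  .mydomain.at = LINUX.MYDOMAIN.AT
  mydomain.at = LINUX.MYDOMAIN.AT

# /etc/sssd/sssd.conf on the IPA servers (the UPN workaround from the quoted reply)
[domain/linux.mydomain.at]
  id_provider = ipa
  # Point the UPN attribute at a name that does not exist so SSSD stops
  # sending the AD UPN; takes effect only after the SSSD caches are refreshed.
  ldap_user_principal = noSuchAttr
```

As the thread notes, the sssd.conf change alone did not make AD user login work, so the krb5.conf routing is the part to verify first (for example with klist after a kinit as an AD user).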