On Thu, Jul 06, 2017 at 09:55:46AM +0200, Ronald Wimmer wrote:
On 2017-07-06 08:25, Robert Sturrock via FreeIPA-users wrote:
> [...]
> We have a test IPA server with HBAC allow_all and we can ssh to it reliably as a
> regular user, but when we try to ssh as ‘first name.lastname@affiliate’ we see the
> following exceptions in /var/log/sssd/krb5_child.log:
> [...]
I had a very similar problem in my environment. I had to add the UPN suffix
manually and there is a bug in SSSD related to this:
https://bugzilla.redhat.com/show_bug.cgi?id=1441077
This might cause issues later but currently, according to Alexander's
analysis, the UPN suffixes are missing on the server because they are
not announced by AD.
bye,
Sumit
>
> This bug might affect you. Sumit Bose would know for sure if it does.
>
> Regards,
> Ronald Wimmer