I successfully registered my server server5.mydomain.at. After setting up
an appropriate HBAC rule as well as setting the default domain in the
sssd.conf to a.mydomain.at I tried to connect to the server via SSH using:
myusername@MYDOMAIN.AT
This fails because the UPN seems to be picked:
[sssd[krb5_child[24704]]]: Client 'ronald.wimmer@MYDOMAIN.AT' not found
in Kerberos database
(After the migration to Office365 the UPN looks like
name.surname@mydomain.at.)
On other IPA clients the correct user is taken.
(employeeNumber@a.mydomain.at)
My /etc/krb5.conf looks like this:

[libdefaults]
  default_realm = MYDOMAIN.AT
  dns_lookup_realm = false
  dns_lookup_kdc = false
  rdns = false
  dns_canonicalize_hostname = false
  ticket_lifetime = 24h
  forwardable = true
  udp_preference_limit = 0
  default_ccache_name = KEYRING:persistent:%{uid}

[realms]
  LINUX.MYDOMAIN.AT = {
    kdc = ipa2.linux.mydomain.at:88
    master_kdc = ipa2.linux.mydomain.at:88
    admin_server = ipa2.linux.mydomain.at:749
    kpasswd_server = ipa2.linux.mydomain.at:464
    default_domain = linux.mydomain.at
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }
  MYDOMAIN.AT = {
    kdc = ipa2.linux.mydomain.at:88
    master_kdc = ipa2.linux.mydomain.at:88
    admin_server = ipa2.linux.mydomain.at:749
    kpasswd_server = ipa2.linux.mydomain.at:464
    default_domain = mydomain.at
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }

[domain_realm]
  .linux.mydomain.at = LINUX.MYDOMAIN.AT
  linux.mydomain.at = LINUX.MYDOMAIN.AT
  server5.mydomain.at = LINUX.MYDOMAIN.AT
  .mydomain.at = MYDOMAIN.AT
Why is this happening and what could I try?
Cheers,
Ronald
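A small diagnostic for the [domain_realm] section quoted in the post above, added here as an example and not part of the original message or of any project's code: it parses the relevant krb5.conf fragment (embedded inline as a constructed sample) and approximates libkrb5's host-to-realm lookup, so you can see which realm a given host name maps to before kinit or krb5_child ever runs.

```python
import re

# Constructed sample: the [libdefaults] and [domain_realm] parts of the krb5.conf shown above.
KRB5_CONF = """
[libdefaults]
  default_realm = MYDOMAIN.AT
[domain_realm]
  .linux.mydomain.at = LINUX.MYDOMAIN.AT
  linux.mydomain.at = LINUX.MYDOMAIN.AT
  server5.mydomain.at = LINUX.MYDOMAIN.AT
  .mydomain.at = MYDOMAIN.AT
"""


def parse_sections(text):
    """Minimal parser for flat 'key = value' lines grouped under [section] headers.
    Nested realm blocks ({ ... }) are deliberately not handled; only the flat
    sections needed for the realm lookup are parsed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip().lower()] = value.strip()
    return sections


def host_realm(conf, hostname):
    """Approximation of libkrb5's [domain_realm] lookup (assumption: the real
    library has more cases): exact host name first, then each parent domain
    with and without a leading dot, longest suffix first; fall back to default_realm."""
    mapping = conf.get("domain_realm", {})
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        for candidate in ("." + suffix, suffix):
            if candidate in mapping:
                return mapping[candidate]
    return conf.get("libdefaults", {}).get("default_realm")


if __name__ == "__main__":
    conf = parse_sections(KRB5_CONF)
    for h in ("server5.mydomain.at", "server9.mydomain.at", "ipa2.linux.mydomain.at"):
        print(h, "->", host_realm(conf, h))
```

Note that this mapping only decides the realm of the *service* (host) principal; the *client* principal in the krb5_child error comes from the user entry SSSD resolves, which this check does not cover.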