On Wed, Apr 08, 2020 at 07:45:35AM +0200, Ronald Wimmer via FreeIPA-users wrote:
> On Tue, Jan 29, 2019 at 11:19:22AM +0100, Ronald Wimmer via
> FreeIPA-users wrote:
> ...
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> Since you redirected MYDOMAIN.AT to the IPA server in krb5.conf the
> client cannot properly send the UPN to an AD DC. You can disable UPN
> handling by setting 'ldap_user_principal = noSuchAttr' in the domain
> section of sssd.conf on the IPA servers. You have to wait until the SSSD
> cache on the server and the client are updated before the client would
> start using employeeNumber@a.mydomain.at. But I wonder if the
> redirection to the IPA server is needed in krb5.conf at all ...
> ...
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> If you replace this line with  .mydomain.at = LINUX.MYDOMAIN.AT I would
> expect that libkrb5 will use the LINUX.MYDOMAIN.AT realm whenever
> a DNS hostname from .mydomain.at is used. This way it should be
> possible to add AD DCs to the MYDOMAIN.AT section so that requests which
> contain the realm explicitly like 'ronald.wimmer@MYDOMAIN.AT'
> would be sent to the AD DCs.
Unfortunately, setting ldap_user_principal to NoSuchAttr was not enough in
order to make AD user login work. What else could I try? Which logs are
relevant here?
Hi,
thanks for your patience. Can you send the SSSD domain and krb5_child.log
with debug_level=9 in the [domain/...] section to understand why using
'ldap_user_principal = noSuchAttr' on the IPA servers does not help?
Have you tried the changes to the domain realm mapping in krb5.conf?
bye,
Sumit
Cheers,
Ronald
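
Added example, not part of the original thread and not FreeIPA or MIT krb5 code: a small Python model of how a hostname is matched against [domain_realm], which is what the suggested `.mydomain.at = LINUX.MYDOMAIN.AT` line relies on. It assumes MIT krb5's lookup order (for host a.b.c: a.b.c, .b.c, b.c, .c, c); the sample config, the `dc1.mydomain.at` entry and the host names are constructed.

```python
# Added illustration: hostname -> realm lookup in krb5.conf [domain_realm].
# Constructed sample; only the '.mydomain.at' line appears in the thread.
# The 'dc1.mydomain.at' host entry is a hypothetical exact-host override.
SAMPLE_KRB5_CONF = """\
[libdefaults]
    default_realm = LINUX.MYDOMAIN.AT

[domain_realm]
    .mydomain.at = LINUX.MYDOMAIN.AT
    dc1.mydomain.at = MYDOMAIN.AT
"""

def parse_domain_realm(text):
    """Return {lowercased key: realm} for the [domain_realm] section."""
    mapping, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "domain_realm" and "=" in line:
            key, _, realm = line.partition("=")
            mapping[key.strip().lower()] = realm.strip()
    return mapping

def candidates(hostname):
    """Yield lookup keys from most to least specific (assumed MIT order)."""
    p = hostname.strip().rstrip(".").lower()
    while p:
        yield p
        if p.startswith("."):
            p = p[1:]              # '.b.c' -> 'b.c'
        else:
            dot = p.find(".")
            p = p[dot:] if dot != -1 else ""   # 'a.b.c' -> '.b.c'

def host_realm(hostname, mapping):
    """First matching key wins; None means no [domain_realm] entry applies."""
    for key in candidates(hostname):
        if key in mapping:
            return mapping[key]
    return None

def principal_realm(principal):
    """An explicit realm in the principal is used as-is, without host mapping."""
    return principal.rpartition("@")[2] if "@" in principal else None
```

Note that a leading-dot key covers hosts below the domain only: the bare name `mydomain.at` is not matched by `.mydomain.at` in this model.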