On Tue, May 26, 2020 at 05:06:21PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> On 13.05.20 15:08, Sumit Bose via FreeIPA-users wrote:
> > On Wed, Apr 08, 2020 at 07:45:35AM +0200, Ronald Wimmer via FreeIPA-users wrote:
> > > > On Tue, Jan 29, 2019 at 11:19:22AM +0100, Ronald Wimmer via FreeIPA-users wrote:
> > > > ...
> > > > <https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...>
> > > > Since you redirected MYDOMAIN.AT to the IPA server in krb5.conf the
> > > > client cannot properly send the UPN to an AD DC. You can disable UPN
> > > > handling by setting 'ldap_user_principal = noSuchAttr' in the domain
> > > > section of sssd.conf on the IPA servers. You have to wait until the SSSD
> > > > cache on the server and the client are updated before the client would
> > > > start using employeeNumber(a)a.mydomain.at. But I wonder if the
> > > > redirection to the IPA server is needed in krb5.conf at all ...
> > > > ...
> > > > <https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...>
> > > > If you replace this line with .mydomain.at = LINUX.MYDOMAIN.AT I would
> > > > expect that libkrb5 will use the LINUX.MYDOMAIN.AT realm whenever a
> > > > DNS hostname from .mydomain.at is used. This way it should be
> > > > possible to add AD DCs to the MYDOMAIN.AT section so that requests which
> > > > contain the realm explicitly like 'ronald.wimmer(a)MYDOMAIN.AT'
> > > > would be sent to an AD DC.
> > >
> > > Unfortunately, setting ldap_user_principal to NoSuchAttr was not enough in
> > > order to make AD user login work. What else could I try? Which logs are
> > > relevant here?
> >
> > Hi,
> >
> > thanks for your patience. Can you send the SSSD domain and krb5_child.log
> > with debug_level=9 in the [domain/...] section to understand why using
> > 'ldap_user_principal = noSuchAttr' on the IPA servers does not help?
> When I set ldap_user_principal to noSuchAttr on an IPA server and do an "id
> myusername" it seems I am waiting forever. Would realm mapping in krb5.conf
> be sufficient in an IPA client's krb5.conf file or would I have to do that
> on an IPA server as well?
Hi,
the '.mydomain.at = LINUX.MYDOMAIN' change in the [domain_realm] section
and the change of the MYDOMAIN.AT from [realms] to point to an AD DC can
be done on the clients only. But if you want to let AD users
authenticate on the IPA servers you might need similar changes as well.
Btw, if you set 'dns_lookup_kdc = true' you can remove the MYDOMAIN.AT
section from [realms] at all.
bye,
Sumit
> Cheers,
> Ronald
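For reference, this is what the client-side krb5.conf layout Sumit describes looks like when written out; it is an added example, not a file posted in the thread. The hostnames ipa1.linux.mydomain.at and dc1.mydomain.at are placeholders for an IPA server and an AD domain controller; the realm and domain names are the ones used in the discussion.

```ini
# Added example, not from the thread. ipa1.linux.mydomain.at and
# dc1.mydomain.at are placeholder hostnames.
[libdefaults]
  default_realm = LINUX.MYDOMAIN.AT
  # Alternative to the MYDOMAIN.AT block in [realms] below: set this to
  # true and libkrb5 locates the AD KDCs through the _kerberos._tcp SRV
  # records AD publishes, so the block can be dropped entirely.
  dns_lookup_kdc = false

[realms]
  LINUX.MYDOMAIN.AT = {
    kdc = ipa1.linux.mydomain.at
    admin_server = ipa1.linux.mydomain.at
  }
  # The AD realm points at an AD DC, not at the IPA server. A request that
  # names the realm explicitly (user@MYDOMAIN.AT) must reach a KDC that
  # actually holds that principal; redirecting it to the IPA KDC is what
  # broke UPN handling for AD users in the thread.
  MYDOMAIN.AT = {
    kdc = dc1.mydomain.at
  }

[domain_realm]
  # Hosts under .mydomain.at are IPA-enrolled machines, so service
  # principals such as host/box.mydomain.at are looked up in the IPA realm
  # even though the DNS suffix matches the AD domain name.
  .mydomain.at = LINUX.MYDOMAIN.AT
  .linux.mydomain.at = LINUX.MYDOMAIN.AT
  linux.mydomain.at = LINUX.MYDOMAIN.AT

# Check which KDC a client actually contacts for an AD principal:
#   KRB5_TRACE=/dev/stderr kinit someuser@MYDOMAIN.AT
# The trace should show dc1.mydomain.at, not the IPA server.
```

If AD users must also authenticate on the IPA servers themselves, the same [realms] and [domain_realm] changes are needed there, as Sumit notes above.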