On Wed, Apr 08, 2020 at 07:45:35AM +0200, Ronald Wimmer via
FreeIPA-users wrote:
>> On Tue, Jan 29, 2019 at 11:19:22AM +0100, Ronald Wimmer via
>> FreeIPA-users wrote:
>> ...
<https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>> Since you redirected MYDOMAIN.AT to the IPA server in krb5.conf the
>> client cannot properly send the UPN to an AD DC. You can disable UPN
>> handling by setting 'ldap_user_principal = noSuchAttr' in the domain
>> section of sssd.conf on the IPA servers. You have to wait until the SSSD
>> cache on the server and the client are updated before the client would
>> start using employeeNumber(a)a.mydomain.at. But I wonder if the
>> redirection to the IPA server is needed in krb5.conf at all ...
>> ...
<https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
>> If you replace this line with .mydomain.at = LINUX.MYDOMAIN.AT I would
>> expect that libkrb5 will use the LINUX.MYDOMAIN.AT realm whenever a
>> DNS hostname from .mydomain.at is used. This way it should be
>> possible to add AD DCs to the MYDOMAIN.AT section so that requests which
>> contain the realm explicitly like 'ronald.wimmer(a)MYDOMAIN.AT'
>> would be sent to an AD DC.
>
> Unfortunately, setting ldap_user_principal to NoSuchAttr was not enough in
> order to make AD user login work. What else could I try? Which logs are
> relevant here?
Hi,
thanks for your patience. Can you send the SSSD domain and krb5_child.log
with debug_level=9 in the [domain/...] section to understand why using
'ldap_user_principal = noSuchAttr' on the IPA servers does not help?
When I set ldap_user_principal to noSuchAttr on an IPA server and do a
"id myusername" it seems I am waiting forever. Would realm mapping in
krb5.conf be sufficient in an IPA client's krb5.conf file or would I
have to do that on an IPA server as well?
Cheers,
Ronald
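To make the realm-mapping reasoning in the quoted advice concrete, here is an added Python illustration (not code from this thread, from MIT krb5 or from SSSD) of how a libkrb5-style domain_realm lookup picks a realm for a hostname, and how an explicit realm in a principal selects the KDC list regardless of that mapping. The krb5.conf fragment, the hostnames in it and the simplified parser are constructed assumptions for the example.

```python
# Constructed krb5.conf fragment (hostnames are assumptions, not the
# poster's real servers): all of .mydomain.at maps to the IPA realm,
# while the AD realm MYDOMAIN.AT keeps its own DC list.
KRB5_CONF = """
[realms]
  LINUX.MYDOMAIN.AT = {
    kdc = ipa1.linux.mydomain.at
  }
  MYDOMAIN.AT = {
    kdc = dc1.mydomain.at
    kdc = dc2.mydomain.at
  }
[domain_realm]
  .mydomain.at = LINUX.MYDOMAIN.AT
"""

def parse_krb5_conf(text):
    """Minimal parser: [sections], flat 'key = value' lines, one level of {} blocks."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section, block = conf.setdefault(line[1:-1], {}), None
        elif line == "}":
            block = None
        else:
            key, _, value = (p.strip() for p in line.partition("="))
            if value == "{":
                block = section.setdefault(key, {})
            else:
                target = block if block is not None else section
                target.setdefault(key, []).append(value)
    return conf

def realm_for_host(conf, host):
    """MIT-style lookup: the exact hostname first, then each parent domain
    with a leading dot (.sub.example.at, .example.at, .at)."""
    mapping = conf.get("domain_realm", {})
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host][0]
    labels = host.split(".")
    for i in range(1, len(labels)):
        candidate = "." + ".".join(labels[i:])
        if candidate in mapping:
            return mapping[candidate][0]
    return None  # real libkrb5 would fall back to DNS or default_realm

def kdcs_for_principal(conf, principal):
    """An explicit realm in the principal wins over any domain_realm mapping."""
    _, _, realm = principal.partition("@")
    if not realm:
        raise ValueError("principal carries no explicit realm")
    return conf.get("realms", {}).get(realm, {}).get("kdc", [])
```

With this mapping a hostname such as fileserver.mydomain.at resolves to LINUX.MYDOMAIN.AT, while a principal written as user@MYDOMAIN.AT is still routed to the AD DCs listed for that realm.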