On Wed, Feb 04, 2015 at 03:03:29PM +0600, Eugene Peregudov wrote:
Sumit Bose <sbose(a)redhat.com> писал(а) в своём письме Wed, 04
Feb 2015
14:09:05 +0600:
>On Wed, Feb 04, 2015 at 12:18:44PM +0600, Eugene Peregudov wrote:
>>Sumit Bose <sbose(a)redhat.com> писал(а) в своём письме Tue, 03 Feb 2015
>>16:56:40 +0600:
>>
>>>On Tue, Feb 03, 2015 at 04:17:39PM +0600, Eugene Peregudov wrote:
>>>>
>>>>Hi,
>>>>
>>>>I'm trying to authenticate Active Directory users with different UPN
>>>>suffixes on my Linux machine.
>>>>As described in article (
http://jhrozek.livejournal.com/3019.html)
>>SSSD
>>>>should support for enterprise logins:
>>>>"some users in AD might use a different Kerberos Principal suffix
than
>>>>the
>>>>default one".
>>>>
>>>>I have two users with different UPN - user1(a)domain.example.com and
>>>>user2(a)department.example.com
>>>>
>>>>#getent passwd user1(a)domain.example.com
>>>>
>>>>returns valid user entry, but
>>>>
>>>>#getent passwd user2(a)department.example.com
>>>>
>>>>returns nothing...
>>>>
>>>>What's wrong? Can anyone help me with this issue? Thanks!
>>>
>>>Can you send the related sssd_nss logs with debug_level 10 as well?
>>>
>>Thanks for answer!
>>sssd_nss.log is empty with specified debug_level 10 :(
>
>You have to set it explicitly in the [nss] section.
>
sssd_nss.log with debug_level 10:
--------------------------------------
Thank you for the logs, I just realized that you use sssd-1.11, the UPN
lookups are a 1.12 feature. You can find a recent sssd-1.12 build in
Lukas' copr repo
https://copr-be.cloud.fedoraproject.org/results/lslebodn/sssd-1-12/epel-7...
if you want to test this feature.
bye,
Sumit