I have somewhat of a unique situation which causes the userPrincipalName value in Active Directory to use a public DNS domain as its realm, but the Active Directory was designed with a private DNS domain.
For example, user John Smith would typically be jsmith@example.local but his userPrincipalName is jsmith@example.com.
Unfortunately, when trying to authenticate with pam_sss, the "krb5" child process will complain that the KDC is not local to the realm. The KDC might be something like kdc.example.local, and in this instance the realm is EXAMPLE.COM. The same thing happens if I try `kinit jsmith@EXAMPLE.COM`: the error about the KDC not being local to the realm occurs.

Is there some other way that sssd could construct the userPrincipalName instead of me trying to create and populate a custom AD attribute?

--

Mike