Thank you both very much for the fast responses! The UPN suffixes were already correctly listed by ipa.
krb5_use_enterprise_principal = True helped. In my scenario I additionally had to add domain_resolution_order = trusted-domain-a.com trusted-domain-b.com and I finally got this working! Thanks again, really appreciate it!

Best,
Florian

On 16.03.22, 17:50, "Sumit Bose" <[email protected]> wrote:

On Wed, Mar 16, 2022 at 03:24:40PM -0000, Florian Wilhelm via FreeIPA-users wrote:
> We are successfully running a FreeIPA setup connected to an AD using kerberos
> to authenticate. (IPA is used as provider).
> Our windows domain name is not identical to our main mail domain. For some
> users the User logon name in windows (the one with @, not the old pre-win2000
> one) is using a domain name which has no kerberos servers etc. In windows
> authentication works perfectly, but in our IPA setup we run into a big issue.
>
> No matter which domain the user chooses to authenticate against our linux
> servers, the linux server tries to authenticate against the kerberos servers
> of the domain which has no servers.
> In the krb5.conf we manually configured the kerberos servers of the windows
> AD for this domain. Now we get [Realm not local to KDC] in the krb5_child.log.
>
> Is there any way to forcefully replace the domain name when authenticating?
> We tried using auth_to_local without success so far.

Hi,

please try to add

    krb5_use_enterprise_principal = True

to the [domain/...] section in sssd.conf, restart SSSD and try again.

There is some logic implemented in SSSD to set the option to 'True' automatically for 'id_provider = ipa', but it might fail. Currently we cannot set it to 'True' by default because there might be some older IPA server versions still around which cannot handle this option properly.
HTH

bye,
Sumit

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
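As an added example (not code from this thread or from the SSSD project; the sample sssd.conf, the host and domain names and the user jdoe are all constructed placeholders), here is the configuration the thread converges on, written out in the sections SSSD reads it from, together with a small POSIX shell check that reads the two options back from a file. sssd.conf(5) documents domain_resolution_order as a comma-separated list that may live in the [sssd] section or in a [domain/...] section; krb5_use_enterprise_principal belongs in the [domain/...] section, as Sumit says. The read-back check is the kind of thing you would run across a fleet before restarting SSSD everywhere.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SSSD project.
# Writes a constructed sssd.conf (all hostnames and domains are placeholders)
# with the two options from the thread and reads them back with an awk-based
# INI lookup, so the check can run on a host before SSSD is restarted.

SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT

cat > "$SAMPLE_CONF" <<'EOF'
# constructed sample; the real file lives at /etc/sssd/sssd.conf, mode 0600
[sssd]
services = nss, pam, ssh
domains = ipa.example.test
# Order in which an unqualified or ambiguous login name is tried; sssd.conf(5)
# documents this as a comma-separated list (placeholder domain names).
domain_resolution_order = ipa.example.test, ad.example.test, mail.example.test

[domain/ipa.example.test]
id_provider = ipa
auth_provider = ipa
ipa_server = ipa01.ipa.example.test
ipa_domain = ipa.example.test
# Send the login name (e.g. jdoe@mail.example.test) as an enterprise principal
# so the KDC maps the UPN suffix to the right realm, instead of the client
# looking for KDCs of mail.example.test, which has none.
krb5_use_enterprise_principal = True
EOF

# conf_get FILE SECTION KEY: print the value of KEY in [SECTION], trimmed,
# or nothing if the key is absent. Comment lines (# or ;) are ignored.
conf_get() {
    awk -v section="[$2]" -v key="$3" '
        /^[[:space:]]*[#;]/ { next }
        /^[[:space:]]*\[/ {
            line = $0; gsub(/[[:space:]]/, "", line)
            in_sec = (line == section); next
        }
        in_sec && index($0, "=") {
            k = $0; sub(/[[:space:]]*=.*/, "", k); sub(/^[[:space:]]*/, "", k)
            if (k == key) {
                v = $0; sub(/^[^=]*=[[:space:]]*/, "", v); sub(/[[:space:]]*$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_enterprise_principal FILE DOMAIN: "ok" when the [domain/DOMAIN] section
# enables enterprise principals, "missing" otherwise (only true/false spellings
# are matched here, case-insensitively).
check_enterprise_principal() {
    case "$(conf_get "$1" "domain/$2" krb5_use_enterprise_principal)" in
        [Tt][Rr][Uu][Ee]) echo ok ;;
        *) echo missing ;;
    esac
}

echo "domain_resolution_order: $(conf_get "$SAMPLE_CONF" sssd domain_resolution_order)"
echo "enterprise principals for ipa.example.test: $(check_enterprise_principal "$SAMPLE_CONF" ipa.example.test)"

# Manual follow-up on the real host after `systemctl restart sssd` (not run here):
#   kinit -E 'jdoe@mail.example.test'      # the KDC must accept the enterprise name
#   getent passwd 'jdoe@mail.example.test' # the lookup must resolve through the trust
```

Two caveats that follow from the thread: Sumit's note that older IPA servers may not handle enterprise principals means the `kinit -E` step against your own IPA KDC is worth doing on one host before rolling the option out, and domain_resolution_order only decides which domain an unqualified name is tried against first; it does not rewrite the principal that is sent to the KDC, which is what krb5_use_enterprise_principal is for.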
