On Mon, Apr 10, 2017 at 11:49:05AM +0200, Ronald Wimmer wrote:
> On 2017-04-07 10:28, Sumit Bose wrote:
> > [...]
> > I'm not aware of any limitation here. Have you tried to run 'ipa
> > trust-fetch-domains ad.forest.root' to update the list?
> >
> > If this does not help please add 'log level = 100' to
> > /usr/share/ipa/smb.conf.empty so that it looks like:
> >
> > [global]
> > log level = 100
> >
> > and run trust-fetch-domains again. The debug output can then be found
> > in /var/log/httpd/error_log. [...]
>
> Not one error in the error_log - absolutely nothing. Our AD guys confirmed
> that there are many more UPN suffixes than the five I can see when I run ipa
> trust-find.
>
> Can somebody confirm that this UPN suffix mismatch is exactly the problem
> preventing password-based login in my case?

To close the thread, it turned out that the original issue with
authenticating with enterprise principals is a bug which is now tracked by
https://bugzilla.redhat.com/show_bug.cgi?id=1441077.

bye,
Sumit

>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
