Hi Community,
I cannot authenticate using a user's secondary email as an alternative name
(I need to set up an email server with several virtual domains).
According to https://bugzilla.redhat.com/show_bug.cgi?id=1328552 this is
expected to work, but it seems I'm missing something.
Created a fresh VM just to deal with the issue:
[root@mgsauth02 ol]# cat /etc/fedora-release
Fedora release 37 (Thirty Seven)
[root@mgsauth02 ol]# ipa --version
VERSION: 4.10.1, API_VERSION: 2.251
All packages updated.
Repeating commands from the test script
https://bugzilla.redhat.com/show_bug.cgi?id=1328552#c13
[root@mgsauth02 ol]# ipa user-add tuser --first test --last user --password
Password:
Enter Password again to verify:
------------------
Added user "tuser"
------------------
User login: tuser
First name: test
Last name: user
Full name: test user
Display name: test user
Initials: tu
Home directory: /home/tuser
GECOS: test user
Login shell: /bin/sh
Principal name: tu...@testrelm.co
Principal alias: tu...@testrelm.co
User password expiration: 20221224134753Z
Email address: tu...@testrelm.co
UID: 1563000004
GID: 1563000004
Password: True
Member of groups: ipausers
Kerberos keys available: True
[root@mgsauth02 ol]# kinit admin
Password for ad...@testrelm.co:
[root@mgsauth02 ol]# ipa user-add-principal tuser talias talias\\@ent.test
---------------------------------
Added new aliases to user "tuser"
---------------------------------
User login: tuser
Principal alias: tu...@testrelm.co, talias\@ent.t...@testrelm.co,
tal...@testrelm.co
[root@mgsauth02 ol]# kinit talias
Password for tal...@testrelm.co:
Password expired. You must change it now.
Enter new password:
Enter it again:
[root@mgsauth02 ol]# klist
Ticket cache: KCM:0:60382
Default principal: tu...@testrelm.co
Valid starting Expires Service principal
12/24/2022 13:51:02 12/25/2022 13:10:41 krbtgt/testrelm...@testrelm.co
[root@mgsauth02 ol]# kinit -C talias
Password for tal...@testrelm.co:
[root@mgsauth02 ol]# klist
Ticket cache: KCM:0:52413
Default principal: tu...@testrelm.co
Valid starting Expires Service principal
12/24/2022 13:52:32 12/25/2022 13:18:25 krbtgt/testrelm...@testrelm.co
=== So far OK. But when trying alias in email-form:
[root@mgsauth02 ol]# kinit talias\\@ent.test
kinit: Client 'talias\@ent.t...@testrelm.co' not found in Kerberos
database while getting initial credentials
[root@mgsauth02 ol]# kinit -E talias\\@ent.test
kinit: Client 'talias\@ent.t...@testrelm.co' not found in Kerberos
database while getting initial credentials
And the following appears in /var/log/krb5kdc.log:
Dec 24 13:54:32 mgsauth02.infra.smartshell.gg krb5kdc[1119](info):
AS_REQ (6 etypes {aes256-cts-hmac-sha1-96(18),
aes256-cts-hmac-sha384-192(20), camellia256-cts-cmac(26),
aes128-cts-hmac-sha256-128(19), aes128-cts-hmac-sha1-96(17),
camellia128-cts-cmac(25)}) 10.255.0.252: CLIENT_NOT_FOUND:
talias\@ent.t...@testrelm.co for krbtgt/testrelm...@testrelm.co, Client
not found in Kerberos database
Dec 24 13:54:32 mgsauth02.infra.smartshell.gg krb5kdc[1119](info):
closing down fd 11
Tried adding "krb5_use_enterprise_principal = True" to sssd.conf as
mentioned in
https://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains but
without any change.
Any advice, please?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org