On 06/25/2015 12:56 PM, Sumit Bose wrote:
> On Thu, Jun 25, 2015 at 12:22:16PM +0200, Giorgio Biacchi wrote:
>> On 06/24/2015 06:45 PM, Sumit Bose wrote:
>>> On Wed, Jun 24, 2015 at 05:11:07PM +0200, Giorgio Biacchi wrote:
>>>> Hi everybody,
>>>> I established a bidirectional trust between an IPA server (version 4.1.0 on
>>>> CentOS 7.1), ipa.mydomain.local and an AD (Windows 2012 r2), mydomain.local.
>>>> Everything is working fine, and I'm able to authenticate and logon on a linux
>>>> host joined to IPA server using AD credentials (username@mydomain.local).
>>>> But active directory is configured with two more UPN suffixes (otherdomain.com
>>>> and sub.otherdomain.com), and I cannot logon with credentials using alternative
>>>> UPN (example: john....@otherdomain.com).
>>>>
>>>> How can I make this possible? Another trust (ipa trust-add) with the same AD?
>>>> Manual configuration of krb5 and/or sssd?
>>>
>>> Have you tried to login to an IPA client or the server? Please try with
>>> an IPA server first. If this does not work it would be nice if you can
>>> send the SSSD log files from the IPA server which are generated during
>>> the logon attempt. Please call 'sss_cache -E' before to invalidate all
>>> cached entries so that the logs will contain all needed calls to AD.
>>>
>>> Using UPN suffixes was added to the AD provider some time ago and the
>>> code is available in the IPA provider as well, but I guess no one has
>>> actually tried this before.
>>>
>>> bye,
>>> Sumit
>>
>> First of all let me say that I feel like I'm missing some config somewhere..
>> Changes tried in krb5.conf to support UPN suffixes didn't help.
>> I can only access the server via ssh so I've attached the logs for a successful
>> login for account1@mydomain.local and an unsuccessful login for
>> accou...@otherdomain.com done via ssh.
>>
>> Bye and thanks for your help
>>
>
> It looks like the request is not properly propagated to sub-domains (the
> trusted AD domain) but only sent to the IPA domain.
>
> Would it be possible for you to run a test build of SSSD which might fix
> this? If yes, which version of SSSD are you currently using? Then I can
> prepare a test build with the patch on top of this version.
>
> bye,
> Sumit
>
Hi,
I'm using sssd 1.12.2 (sssd --version) on CentOS 7.1.1503 and I'm available for
any test.

Here are the package versions for sssd:

sssd-common-1.12.2-58.el7_1.6.x86_64
sssd-krb5-1.12.2-58.el7_1.6.x86_64
python-sssdconfig-1.12.2-58.el7_1.6.noarch
sssd-krb5-common-1.12.2-58.el7_1.6.x86_64
sssd-ipa-1.12.2-58.el7_1.6.x86_64
sssd-1.12.2-58.el7_1.6.x86_64
sssd-libwbclient-1.12.2-58.el7_1.6.x86_64
sssd-ad-1.12.2-58.el7_1.6.x86_64
sssd-ldap-1.12.2-58.el7_1.6.x86_64
sssd-common-pac-1.12.2-58.el7_1.6.x86_64
sssd-proxy-1.12.2-58.el7_1.6.x86_64
sssd-client-1.12.2-58.el7_1.6.x86_64

Thanks again
--
gb

PGP Key: http://pgp.mit.edu/
Primary key fingerprint: C510 0765 943E EBED A4F2 69D3 16CC DC90 B9CB 0F34