On Thu, Apr 06, 2017 at 01:55:02PM +0200, Ronald Wimmer wrote:
> On 2017-04-06 12:16, Sumit Bose wrote:
> > On Thu, Apr 06, 2017 at 12:58:32PM +0200, Ronald Wimmer wrote:
> > [...]
> > > AD trust:
> > > mydomain.at (forest root)
> > > xyz (subdomain -> where myuser resides)
> > >
> > > BCC (appearing in krb5_child.log) is not a domain here. It is my company's
> > > name and might derive from some information in the AD.
> > Yes, it is about the userPrincipalName attribute read from AD. Which IPA
> > server version do you use? Since RHEL-7.3 IPA supports those principals
> > coming from AD. For older versions you should add a workaround which is
> > e.g. described at the end of
> > https://www.redhat.com/archives/freeipa-users/2016-November/msg00069.html
> >
> > HTH
> >
> > bye,
> > Sumit
>
> I am using an up-to-date RHEL 7.3 IPA master. Is there no possibility to
> override it?

Please check on the server with ipa trust-find if the BCC domain is
listed as 'UPN suffixes:'. If not, please try ipa trust-fetch-domains and
check again. If the domain is listed then a 7.3 IPA client should be
able to detect it automatically; on older clients you should set
'krb5_use_enterprise_principal = True' manually in sssd.conf.

HTH

bye,
Sumit

>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
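
The two checks from the reply above, as an added example that is not part of the original thread: one helper looks for a suffix on the 'UPN suffixes:' line of `ipa trust-find` output, the other looks for `krb5_use_enterprise_principal` in an sssd.conf domain section. The domain name `ipa.example`, the function names and the sample text are assumptions constructed for illustration, and the suffix list is assumed to be comma-separated.

```shell
#!/bin/sh
# Added example (not from the thread). Sample data below is constructed.
SAMPLE_TRUST='  Realm name: mydomain.at
  Domain NetBIOS name: MYDOMAIN
  UPN suffixes: BCC, other.example'
SAMPLE_CONF='[sssd]
domains = ipa.example
[domain/ipa.example]
id_provider = ipa
# krb5_use_enterprise_principal = False
krb5_use_enterprise_principal = True'

# Reads `ipa trust-find` output on stdin; succeeds if suffix $1 is on a
# "UPN suffixes:" line (comma-separated list assumed, case-insensitive match).
upn_suffix_listed() {
    awk -v want="$1" '
        /^[ \t]*UPN suffixes:/ {
            sub(/^[^:]*:[ \t]*/, ""); sub(/[ \t]+$/, "")
            n = split($0, s, /[ \t]*,[ \t]*/)
            for (i = 1; i <= n; i++)
                if (tolower(s[i]) == tolower(want)) found = 1
        }
        END { exit !found }'
}

# Reads sssd.conf text on stdin; succeeds if section [domain/$1] sets
# krb5_use_enterprise_principal to true (commented-out lines are ignored).
enterprise_principal_enabled() {
    awk -v sect="[domain/$1]" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); in_sect = ($0 == sect); next }
        in_sect && /^[ \t]*krb5_use_enterprise_principal[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, "")
            on = (tolower($0) == "true")
        }
        END { exit !on }'
}

# advise SUFFIX DOMAIN TRUST_TEXT CONF_TEXT: prints the next step from the reply.
advise() {
    if ! printf '%s\n' "$3" | upn_suffix_listed "$1"; then
        echo "not listed: run ipa trust-fetch-domains and check again"
    elif printf '%s\n' "$4" | enterprise_principal_enabled "$2"; then
        echo "listed, enterprise principals enabled in sssd.conf"
    else
        echo "listed: older clients need krb5_use_enterprise_principal = True"
    fi
}

advise BCC ipa.example "$SAMPLE_TRUST" "$SAMPLE_CONF"
```

On a real system the helpers take live input, e.g. `ipa trust-find | upn_suffix_listed BCC` on the server and `enterprise_principal_enabled ipa.example < /etc/sssd/sssd.conf` on the client.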