On Wed, Sep 26, 2012 at 07:37:50PM +0000, Rosile, Mike wrote:
> I have somewhat of a unique situation which causes the userPrincipalName
> value in Active Directory to use a public DNS domain as its realm, but the
> Active Directory was designed with a private DNS domain.
>
> For example, user John Smith would typically be
> jsmith@example.local<mailto:jsmith@example.local> but his userPrincipalName
> is jsm...@example.com<mailto:jsm...@example.com>.
>
> Unfortunately when trying to authenticate with pam_sss, the "krb5" child
> process will complain that the KDC is not local to the realm. The KDC might
> be something like kdc.example.local, and in this instance the realm is
> EXAMPLE.COM. Same situation if I try to `kinit
> jsm...@example.com`<mailto:jsm...@example.com%60>, the error about the KDC
> not being local to Realm occurs.
>
> Is there some other way that sssd could construct the userPrincipalName
> instead of me trying to create and populate a custom AD attribute?
> --
> Mike
>
Would user@REALM (where REALM is the krb5_realm option value) be the
correct principal for you?
If so, then there is a simple workaround that Stephen Gallagher came up with --
you could set the ldap_user_principal config option to some attribute
that does not exist which would make the SSSD default to user@REALM..
Your situation is not as unique as you might think, this is actually the
second similar feature request we've gotten this week. I think we should
think about introducing a new option:
https://fedorahosted.org/sssd/ticket/1545
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
