From mapp.florian.wilhelm at gmail.com Thu Mar 17 14:47:27 2022
From: Florian Wilhelm
To: freeipa-users at lists.fedorahosted.org
Subject: [Freeipa-users] Re: IPA AD Authentication not successful if using alternative logon domain
Date: Thu, 17 Mar 2022 14:47:12 +0000

Thank you both very much for the fast responses!

The UPN suffixes were already correctly listed by ipa. krb5_use_enterprise_principal = True helped.

In my scenario I additionally had to add

domain_resolution_order = trusted-domain-a.com trusted-domain-b.com

and I got this finally working!

Thanks again, really appreciate it!

Best,
Florian

On 16.03.22, 17:50, "Sumit Bose" wrote:

On Wed, Mar 16, 2022 at 03:24:40PM -0000, Florian Wilhelm via FreeIPA-users wrote:
> We are successfully running a FreeIPA setup connected to an AD using Kerberos to authenticate. (IPA is used as provider.)
> Our Windows domain name is not identical to our main mail domain. For some users the user logon name in Windows (the one with @, not the old pre-Windows-2000 one) is using a domain name which has no Kerberos servers etc. In Windows, authentication works perfectly, but in our IPA setup we run into a big issue.
>
> No matter which domain the user chooses to authenticate against our Linux servers, the Linux server tries to authenticate against the Kerberos servers of the domain which has no servers.
> In the krb5.conf we manually configured the Kerberos servers of the Windows AD for this domain. Now we get [Realm not local to KDC] in the krb5_child.log.
>
> Is there any way to forcefully replace the domain name when authenticating? We tried using auth_to_local without success so far.
Hi,

please try to add

krb5_use_enterprise_principal = True

to the [domain/...] section in sssd.conf, restart SSSD and try again. There is some logic implemented in SSSD to set the option to 'True' automatically for 'id_provider = ipa' but it might fail. Currently we cannot set it to 'True' by default because there might be some older IPA server versions still around which cannot handle this option properly.

HTH

bye,
Sumit

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users(a)lists.fedorahosted.org
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
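The two settings discussed in this thread, shown side by side in an sssd.conf fragment. This is an added illustration for the archive, not a file posted by Florian or shipped by the SSSD or FreeIPA projects: the IPA domain name, server hostnames and the two trusted-domain names are placeholders (the trusted-domain names are the ones Florian used as placeholders in his reply). Note that sssd.conf(5) documents domain_resolution_order as a comma-separated list in the [sssd] section, whereas krb5_use_enterprise_principal is a per-domain option, so the two options go in different sections.

```ini
# Illustrative /etc/sssd/sssd.conf for an IPA client whose IPA domain has a
# forest trust to an AD forest that uses extra UPN suffixes.
# All names below are placeholders, not a real deployment.

[sssd]
services = nss, pam
domains = ipa.example.com
# Per sssd.conf(5) this option belongs in the [sssd] section. It fixes the
# order in which a short login name (no @suffix) is searched across the
# trusted AD domains. Placeholder values, as in the thread.
domain_resolution_order = trusted-domain-a.com, trusted-domain-b.com

[domain/ipa.example.com]
id_provider = ipa
auth_provider = ipa
ipa_domain = ipa.example.com
ipa_server = _srv_, ipa1.ipa.example.com

# Weak setting (the compiled-in default, left here commented out):
# a login as user@trusted-domain-a.com is parsed as principal "user" in
# realm TRUSTED-DOMAIN-A.COM, so libkrb5 looks for KDCs of a realm that
# exists only as a UPN suffix. Mapping that realm to the AD KDCs in
# krb5.conf does not help: the AD KDC is not authoritative for that realm
# name and answers "Realm not local to KDC", the error from the thread.
#krb5_use_enterprise_principal = False

# Corrected setting: the whole login name is sent as an enterprise
# principal (name type NT-ENTERPRISE) to the KDC of the trusted AD realm,
# which resolves the UPN suffix itself and canonicalises it to the real
# AD account. SSSD tries to enable this automatically for
# id_provider = ipa, but, as Sumit notes, that can fail, so set it explicitly.
krb5_use_enterprise_principal = True
```

After editing the file, restart SSSD (systemctl restart sssd) and clear the cache if a failed lookup was already cached (sss_cache -E). Two checks that do not depend on SSSD at all are useful for isolating where the failure is: kinit -E 'user@trusted-domain-a.com' asks libkrb5 directly for a TGT using an enterprise principal, and if that succeeds while the SSSD login still fails, the remaining problem is in sssd.conf rather than in the trust or DNS. sssctl config-check will also reject an option placed in the wrong section, which is the most common mistake with domain_resolution_order. On a FreeIPA server the same resolution order can be set centrally for all enrolled clients with ipa config-mod --domain-resolution-order, which avoids maintaining the value in every client's sssd.conf.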