On 2017-07-06 08:25, Robert Sturrock via FreeIPA-users wrote:
> [...] We have a test IPA server with HBAC allow_all and we can ssh to it reliably as a regular user, but when we try to ssh as ‘first name.lastname@affiliate’ we see the following exceptions in /var/log/sssd/krb5_child.log: [...]

I had a very similar problem in my environment. I had to add the UPN suffix manually, and there is a bug in SSSD related to this: https://bugzilla.redhat.com/show_bug.cgi?id=1441077
This bug might affect you. Sumit Bose would know for sure if it does.
Regards, Ronald Wimmer