Hi All,
We have IPA running in a one-way trust with our AD and it’s working well. However, there are a number of users who belong to an affiliated institution who are nonetheless present in our AD, but with a different UPN suffix to the trust domains. The particulars are:
IPA realm: IPA.LOCALDOMAIN
AD realms: STAFF.LOCALDOMAIN, STUDENT.LOCALDOMAIN
Regular users typically have a UPN of ‘firstname.lastname@staff.localdomain’. The affiliated users have a UPN of ‘firstname.lastname@affiliate’.
The trust relationship looks like this on the IPA server:
# ipa trustdomain-find
  Realm name: STAFF.LOCALDOMAIN
  Domain name: staff.localdomain
  Domain NetBIOS name: STAFF
  Domain Security Identifier: S-1-5-21-2593845812-3993450118-3195856661
  Domain enabled: True

  Domain name: student.localdomain
  Domain NetBIOS name: STUDENT
  Domain Security Identifier: S-1-5-21-3906414162-3274047707-1428844997
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
We have a test IPA server with HBAC allow_all and we can ssh to it reliably as a regular user, but when we try to ssh as ‘firstname.lastname@affiliate’ we see the following exceptions in /var/log/sssd/krb5_child.log:
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [IPA.LOCALDOMAIN]
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328378][Client 'firstname.lastname@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [map_krb5_error] (0x0020): 1365: [-1765328378][Client 'firstname.lastname@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [main] (0x0400): krb5_child completed successfully
(The test environment is RHEL7.3, running ipa-server-4.4.0-14.el7_3.7.x86_64 and associated packages).
Is this version of IPA able to support trust users with a different UPN suffix, and if so, what special configuration is required to achieve this?
Regards,
Robert.
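As an added example (not part of the original post, and not SSSD or FreeIPA code), the following Python script parses the krb5_child.log lines quoted above together with the realm names from the `ipa trustdomain-find` output, and reports why the kinit failed: the principal SSSD built, the realm it was tried against, and whether the login name's own UPN suffix matches any trusted realm. The log lines and trust output are constructed copies of what the post shows; the parsing regexes and the `Diagnosis` structure are assumptions made for this example, and the constant `KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN` is the MIT Kerberos name for the code -1765328378 quoted in the log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample input: the krb5_child.log lines quoted in the post, one per line.
SAMPLE_LOG = """\
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [IPA.LOCALDOMAIN]
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328378][Client 'firstname.lastname@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [map_krb5_error] (0x0020): 1365: [-1765328378][Client 'firstname.lastname@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [main] (0x0400): krb5_child completed successfully
"""

# Constructed sample input: the `ipa trustdomain-find` output quoted in the post.
SAMPLE_TRUST_OUTPUT = """\
  Realm name: STAFF.LOCALDOMAIN
  Domain name: staff.localdomain
  Domain NetBIOS name: STAFF
  Domain Security Identifier: S-1-5-21-2593845812-3993450118-3195856661
  Domain enabled: True

  Domain name: student.localdomain
  Domain NetBIOS name: STUDENT
  Domain Security Identifier: S-1-5-21-3906414162-3274047707-1428844997
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
"""

# One krb5_child.log line: (timestamp) [[sssd[krb5_child[pid]]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[\[sssd\[krb5_child\[(?P<pid>\d+)\]\]\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
KINIT_RE = re.compile(r"Attempting kinit for realm \[(?P<realm>[^\]]+)\]")
UNKNOWN_CLIENT_RE = re.compile(
    r"\[(?P<code>-?\d+)\]\[Client '(?P<principal>[^']+)' not found in Kerberos database\]"
)
# MIT Kerberos error code for "client principal unknown", as quoted in the log.
KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN = -1765328378


@dataclass
class Diagnosis:
    kinit_realm: Optional[str] = None   # realm SSSD tried to get a TGT from
    principal: Optional[str] = None     # client principal the KDC rejected
    error_code: Optional[int] = None    # krb5 error code from the log
    findings: List[str] = field(default_factory=list)


def trusted_realms(trustdomain_output: str) -> Set[str]:
    """Collect realm names from `ipa trustdomain-find` output (Realm name / Domain name lines)."""
    realms = set()
    for line in trustdomain_output.splitlines():
        m = re.match(r"\s*(Realm name|Domain name): (\S+)", line)
        if m:
            realms.add(m.group(2).upper())
    return realms


def diagnose(log_text: str, known_realms: Set[str]) -> Diagnosis:
    """Extract the failed kinit from krb5_child.log lines and explain the principal it used."""
    d = Diagnosis()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # not a krb5_child line; skip
        msg = m.group("msg")
        k = KINIT_RE.search(msg)
        if k:
            d.kinit_realm = k.group("realm")
        u = UNKNOWN_CLIENT_RE.search(msg)
        if u and d.principal is None:   # keep the first occurrence only
            d.principal = u.group("principal")
            d.error_code = int(u.group("code"))
    if d.principal is None:
        return d
    # A Kerberos principal is name@REALM; a second '@' means the login name's own
    # suffix was kept as part of the user name and the kinit realm appended to it.
    name, _, realm = d.principal.rpartition("@")
    if "@" in name:
        upn_suffix = name.rsplit("@", 1)[1].upper()
        d.findings.append(
            f"login name carries its own suffix '{upn_suffix}' and realm '{realm}' was appended to it"
        )
        if upn_suffix not in known_realms:
            d.findings.append(
                f"suffix '{upn_suffix}' matches none of the trusted realms {sorted(known_realms)}"
            )
    if d.error_code == KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN:
        d.findings.append("KDC reported client principal unknown (KRB5KDC_ERR_C_PRINCIPAL_UNKNOWN)")
    return d


if __name__ == "__main__":
    result = diagnose(SAMPLE_LOG, trusted_realms(SAMPLE_TRUST_OUTPUT))
    print(f"kinit realm: {result.kinit_realm}")
    print(f"principal:   {result.principal}")
    for finding in result.findings:
        print(f" - {finding}")
```

Run against the quoted lines, the script reports that the principal tried was `firstname.lastname@AFFILIATE@IPA.LOCALDOMAIN` against realm IPA.LOCALDOMAIN, and that the suffix AFFILIATE is not one of the two trusted realms the `ipa trustdomain-find` output lists, which is exactly the mismatch the post describes; the same script can be pointed at a live /var/log/sssd/krb5_child.log to confirm whether a later configuration change makes SSSD route such logins to a trusted realm instead.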