On 03/27/2015 02:01 PM, Orion Poplawski wrote:
> I've got IPA running on an EL7.1 box for the domain NWRA.COM trust with our
> active directory domain (AD.NWRA.COM). The trust seems to be working mostly
> correctly, I can auto-login with AD kerberos tickets for example. However,
> password authentication for the AD users does not appear to be working:
>
> $ su - orion@AD.NWRA.COM
> su: Authentication failure
>
> sssd log shows:
>
> (Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [krb5_auth_done]
> used in the request [Orion Poplawski@AD.NWRA.COM] and returned UPN
> [orion@AD.NWRA.COM] differ by more than just the case.
>
> The UPN message seems like an issue. Ideas?

Indeed. This appears to be user error. Being the AD newbie that I am, I had
no idea that our logon UPNs do appear to be currently using the full name,
e.g. "Orion Poplawski@ad.nwra.com". Changing it to orion fixed it. I wonder
how this came to be.
Sorry for the noise, perhaps it will help someone in the future...
Technical Manager 303-415-9701 x222
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 http://www.nwra.com
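
Added example, not part of the original message or of SSSD: a small Python scanner that pulls the krb5_auth_done UPN-mismatch message quoted above out of an SSSD domain log and flags requests whose user part looks like a display name. The function names are hypothetical, it assumes SSSD writes each message on a single line, and every sample line other than the one joined from the post is constructed.

```python
import re
from collections import Counter

# Matches the krb5_auth_done message quoted in the post. Whatever sits between
# the function tag and "used in the request" is skipped rather than assumed.
UPN_MISMATCH = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[krb5_auth_done\]"
    r".*?used in the request \[(?P<requested>[^\]]+)\] "
    r"and returned UPN \[(?P<returned>[^\]]+)\] differ"
)

# Sample input: line 1 is the post's log line joined onto one line;
# lines 2-4 are constructed for illustration.
SAMPLE_LOG = [
    "(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [krb5_auth_done] used in the request [Orion Poplawski@AD.NWRA.COM] and returned UPN [orion@AD.NWRA.COM] differ by more than just the case.",
    "(Fri Mar 27 13:55:02 2015) [sssd[be[nwra.com]]] [krb5_auth_done] used in the request [Orion Poplawski@AD.NWRA.COM] and returned UPN [orion@AD.NWRA.COM] differ by more than just the case.",
    "(Fri Mar 27 14:02:10 2015) [sssd[be[nwra.com]]] [krb5_auth_done] used in the request [Jane Doe@AD.EXAMPLE.COM] and returned UPN [jdoe@AD.EXAMPLE.COM] differ by more than just the case.",
    "(Fri Mar 27 14:02:11 2015) [sssd[be[nwra.com]]] [constructed_unrelated_tag] constructed unrelated line",
]

def find_upn_mismatches(lines):
    """Return one dict per mismatch line, with hints about the likely cause."""
    findings = []
    for line in lines:
        m = UPN_MISMATCH.search(line)
        if not m:
            continue
        f = m.groupdict()
        req_user, _, req_realm = f["requested"].rpartition("@")
        ret_user, _, ret_realm = f["returned"].rpartition("@")
        f["realm_differs"] = req_realm.casefold() != ret_realm.casefold()
        f["user_differs"] = req_user.casefold() != ret_user.casefold()
        # A space in the user part suggests a full name stored as the logon UPN.
        f["display_name_like"] = " " in req_user.strip()
        findings.append(f)
    return findings

def summarize(findings):
    """Count mismatch lines per (requested UPN, returned UPN) pair."""
    return Counter((f["requested"], f["returned"]) for f in findings)

if __name__ == "__main__":
    for (req, ret), n in summarize(find_upn_mismatches(SAMPLE_LOG)).items():
        print(f"{n}x requested={req!r} returned={ret!r}")
```

Each distinct pair in the summary is an AD account whose logon UPN is worth reviewing, as was done for the account in this thread.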