On Wed, 1 Apr 2015, Orion Poplawski wrote:
A mistake in an AD update set it to that. Obviously it should be
orion(a)AD.NWRA.COM, and is fixed now. Do you still want the kinit trace for
this configuration error?
I still see this as a bug in the AD provider. userPrincipalName in AD does
*not* reliably map to the name of the user Principal. It's an alias for the
username you can use at login, but it doesn't relate to kerberos AFAIK.
With our ldap/krb5 config (that we've *still* not switched over to use the ad
provider), we use:
ldap_user_principal = checkundefinedattribute
This was, it hits an undefined attribute, and simply defaults to the
reliably correct value.