I have somewhat of a unique situation which causes the userPrincipalName value in Active
Directory to use a public DNS domain as its realm, but the Active Directory was designed
with a private DNS domain.
For example, user John Smith would typically be
jsmith@example.local but his userPrincipalName is
jsmith@example.com.
Unfortunately when trying to authenticate with pam_sss, the "krb5" child process
will complain that the KDC is not local to the realm. The KDC might be something like
kdc.example.local, and in this instance the realm is EXAMPLE.COM. Same situation if I try
to `kinit jsmith@EXAMPLE.COM`, the error about the KDC
not being local to Realm occurs.
Is there some other way that sssd could construct the userPrincipalName instead of me
trying to create and populate a custom AD attribute?
--
Mike