On Wed, Apr 01, 2015 at 09:03:07AM +0100, John Hodrien wrote:
On Wed, 1 Apr 2015, Orion Poplawski wrote:
>A mistake in an AD update set it to that. Obviously it should be
>orion(a)AD.NWRA.COM, and is fixed now. Do you still want the kinit trace
>for this configuration error?
I still see this as a bug in the AD provider.
I agree; I would expect the AD provider to handle this with canonicalization.
But I'm not sure the krb5 trace would be useful now if the UPN value has
been re-set on the AD side.
userPrincipalName in AD does *not* reliably map to the name of the user
principal. It's an alias for the username you can use at login, but it
doesn't relate to Kerberos AFAIK.
With our ldap/krb5 config (that we've *still* not switched over to use the ad
provider), we use:
ldap_user_principal = checkundefinedattribute
This way, it hits an undefined attribute and simply defaults to the
reliably correct value.
sssd-users mailing list
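The point made in the thread, that userPrincipalName is a login alias rather than the Kerberos principal, can be checked before an AD-to-Kerberos mapping is trusted. The following is an added example, not code from the thread or from sssd; the entries are constructed, the realm AD.NWRA.COM is taken from the thread, and the function names are my own.

```python
"""Audit userPrincipalName values from an AD export against the Kerberos realm.

Added example, not part of the original thread or of sssd. The entries below
are constructed; only the realm AD.NWRA.COM comes from the thread.
"""

REALM = "AD.NWRA.COM"  # Kerberos realm the principals should belong to

# Constructed sample of an LDAP export: one dict per user.
SAMPLE_ENTRIES = [
    {"sAMAccountName": "orion", "userPrincipalName": "orion@AD.NWRA.COM"},
    {"sAMAccountName": "orion2", "userPrincipalName": "orion2@ad.nwra.com"},
    {"sAMAccountName": "alice", "userPrincipalName": "alice@example.com"},
    {"sAMAccountName": "bob", "userPrincipalName": "robert@AD.NWRA.COM"},
    {"sAMAccountName": "carol"},  # attribute never set
]


def fallback_principal(entry, realm=REALM):
    """Principal a client builds when it ignores the UPN: sAMAccountName@REALM."""
    return f"{entry['sAMAccountName']}@{realm}"


def check_upn(entry, realm=REALM):
    """Return (principal_to_use, issue); issue is None when the UPN is usable as-is."""
    upn = entry.get("userPrincipalName")
    expected = fallback_principal(entry, realm)
    if not upn:
        return expected, "unset"
    if "@" not in upn:
        return expected, "malformed"
    local, suffix = upn.rsplit("@", 1)
    if suffix.upper() != realm.upper():
        return expected, "foreign-realm"  # alternate UPN suffix, not the Kerberos realm
    if suffix != realm:
        return expected, "realm-case"  # Kerberos realm names are case-sensitive
    if local != entry["sAMAccountName"]:
        return expected, "alias"  # UPN is a login alias, not the principal name
    return upn, None


def audit(entries, realm=REALM):
    """Map each sAMAccountName to its (principal, issue) verdict."""
    return {e["sAMAccountName"]: check_upn(e, realm) for e in entries}


if __name__ == "__main__":
    for name, (principal, issue) in audit(SAMPLE_ENTRIES).items():
        print(f"{name:8} -> {principal:24} {issue or 'ok'}")
```

Only entries whose verdict is None can be mapped straight from the UPN; for the rest, the sAMAccountName@REALM fallback is the reliable principal, which is what the checkundefinedattribute trick above forces.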