On Wed, Feb 08, 2017 at 12:44:07PM +0100, Troels Hansen wrote:
> Hi,
>
> Have you tried setting ldap_user_principal to something nonexisting? For
> example:
>
> ldap_user_principal = nosuchattr
>
> and inherit this to the AD domain with:
>
> subdomain_inherit = ldap_user_principal
>
> Both in the domain section of sssd.

Enterprise principals are supported by IPA since RHEL 7.3, so this
work-around for older versions should not be needed anymore.

>
> ----- On Feb 8, 2017, at 12:17 PM, Jan Karásek [email protected] wrote:
>
> > Hi, thank you for help.
> >
> > I am running RHEL 7.3 on IPA servers and with RHEL 7.3 clients it works
> > really nice.
> > Trouble is on RHEL 6 machines. I have tried to add
> > krb5_use_enterprise_principal = true into domain section of sssd.conf
> > on RHEL 6 IPA clients but problem still persists. Is there anything
> > else that should be set? I have restarted sssd service, both on servers
> > and client, empty sssd_cache and so on but I am still unable to resolve
> > users (on RHEL 6) with short UPN - id and getent passwd return no such
> > user... We still have more servers on RHEL 6 than on RHEL 7.

SSSD logs from a RHEL 6 client which include a failing user lookup are
needed to see why it is still failing, see
https://fedorahosted.org/sssd/wiki/Troubleshooting for details.

bye,
Sumit

> >
> > Thanks,
> > Jan
> >
> >
> >> Hi,
> >>
> >> I just looked into RHEL 6.9 beta repos and I can see there is
> >> sssd-client-1.13.3-53.el6.x86_64 version. I would like to know if with
> >> rhel 6.9 will come support for using different UPN than domain name.
> >> I am talking about AD trust scenario where user in AD domain sits in
> >> [email protected] but has a UPN set to [email protected]. It has been
> >> solved in RHEL 7.3 I guess with sssd 1.14. Is ipa-client in RHEL 6.9
> >> able to handle this situation or is there any known workaround?
> >
> > This is basically a server side feature. You need an IPA server version
> > which is delivered with RHEL-7.3. SSSD 1.14 in 7.3 can automatically
> > detect if the server supports this or not. This autodetection was not
> > backported to 6.9 but if your servers support it you can set
> > 'krb5_use_enterprise_principal = true' (see man sssd-krb5 for details)
> > on the IPA clients with older SSSD versions.
> >
> > HTH
> >
> > bye,
> > Sumit
> >
> >>
> >> Thanks,
> >> Jan
> >>
> >
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
>
> --
> Kind regards
>
> Troels Hansen
> System consultant
> Casalogic A/S
