Hi All,
We have IPA running in a one-way trust with our AD and it’s working well. However, there are a number of users who belong to an affiliated institution who are nonetheless present in our AD, but with a different UPN suffix to the trust domains. The particulars are:
IPA realm: IPA.LOCALDOMAIN
AD realms: STAFF.LOCALDOMAIN, STUDENT.LOCALDOMAIN
Regular users typically have a UPN of ‘firstname.lastname@staff.localdomain’
The affiliated users have a UPN of ‘firstname.lastname@affiliate’
The trust relationship looks like this on the IPA server:
# ipa trustdomain-find
Realm name: STAFF.LOCALDOMAIN
  Domain name: staff.localdomain
  Domain NetBIOS name: STAFF
  Domain Security Identifier: S-1-5-21-2593845812-3993450118-3195856661
  Domain enabled: True

  Domain name: student.localdomain
  Domain NetBIOS name: STUDENT
  Domain Security Identifier: S-1-5-21-3906414162-3274047707-1428844997
  Domain enabled: True
----------------------------
Number of entries returned 2
----------------------------
We have a test IPA server with HBAC allow_all and we can ssh to it reliably as a regular user, but when we try to ssh as ‘firstname.lastname@affiliate’ we see the following exceptions in /var/log/sssd/krb5_child.log:
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [IPA.LOCALDOMAIN]
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328378][Client 'firstname.lastname\@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [map_krb5_error] (0x0020): 1365: [-1765328378][Client 'firstname.lastname\@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [k5c_send_data] (0x0200): Received error code 1432158209
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [main] (0x0400): krb5_child completed successfully
(The test environment is RHEL7.3, running ipa-server-4.4.0-14.el7_3.7.x86_64 and associated packages).
Is this version of IPA able to support trust users with a different UPN suffix, and if so, what special configuration is required to achieve this?
Regards,
Robert.
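A small diagnostic helper, added here as an example and not taken from the post, FreeIPA or SSSD: it parses `ipa trustdomain-find` output and krb5_child.log lines of the kind shown above, and flags "not found in Kerberos database" failures whose client name carries an escaped '@', i.e. a login whose UPN suffix was not recognised as one of the trusted domains and was therefore tried against the IPA realm. The sample inputs are constructed from the lines in the post.

```python
import re

# Constructed sample: trustdomain-find output as shown in the post (SIDs omitted).
TRUSTDOMAIN_FIND_OUTPUT = """\
Realm name: STAFF.LOCALDOMAIN
  Domain name: staff.localdomain
  Domain NetBIOS name: STAFF
  Domain enabled: True

  Domain name: student.localdomain
  Domain NetBIOS name: STUDENT
  Domain enabled: True
"""

# Constructed sample: krb5_child.log lines as shown in the post (raw string keeps the '\@').
KRB5_CHILD_LOG = r"""
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] (0x0400): Attempting kinit for realm [IPA.LOCALDOMAIN]
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [get_and_save_tgt] (0x0020): 1296: [-1765328378][Client 'firstname.lastname\@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]
(Thu Jul 6 15:58:31 2017) [[sssd[krb5_child[46117]]]] [map_krb5_error] (0x0020): 1365: [-1765328378][Client 'firstname.lastname\@AFFILIATE@IPA.LOCALDOMAIN' not found in Kerberos database]
"""

CLIENT_NOT_FOUND = re.compile(r"\[Client '([^']+)' not found in Kerberos database\]")

def trusted_domains(output):
    """Return the lower-cased 'Domain name:' values from ipa trustdomain-find output."""
    return {m.group(1).lower() for m in re.finditer(r"^\s*Domain name:\s*(\S+)", output, re.M)}

def split_principal(principal):
    """Split 'user\\@SUFFIX@REALM' into (user, suffix, realm); suffix is None without an escaped '@'."""
    name, _, realm = principal.rpartition("@")
    if "\\@" in name:
        user, _, suffix = name.partition("\\@")
        return user, suffix.lower(), realm
    return name, None, realm

def unmapped_upn_failures(log, trust_output):
    """List (principal, suffix) for failures whose UPN suffix matches no trusted domain name."""
    domains = trusted_domains(trust_output)
    found = []
    for m in CLIENT_NOT_FOUND.finditer(log):
        principal = m.group(1)
        _, suffix, _ = split_principal(principal)
        if suffix is not None and suffix not in domains and (principal, suffix) not in found:
            found.append((principal, suffix))
    return found

if __name__ == "__main__":
    for principal, suffix in unmapped_upn_failures(KRB5_CHILD_LOG, TRUSTDOMAIN_FIND_OUTPUT):
        print(f"UPN suffix '{suffix}' is not a trusted domain; kinit tried as {principal}")
```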