On 03/27/2015 02:01 PM, Orion Poplawski wrote:
I've got IPA running on an EL7.1 box for the domain NWRA.COM. I established a trust with our Active Directory domain (AD.NWRA.COM). The trust seems to be working mostly correctly, I can auto-login with AD Kerberos tickets for example.
However, password authentication for the AD users does not appear to be working:
$ su - orion@AD.NWRA.COM
Password:
su: Authentication failure
sssd log shows:
(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [krb5_auth_done] (0x0020): UPN used in the request [Orion Poplawski@AD.NWRA.COM] and returned UPN [orion@AD.NWRA.COM] differ by more than just the case.
The UPN message seems like an issue. Ideas?
Indeed. This appears to be user error. Being the AD newbie that I am, I had no idea that our logon UPNs do appear to be currently using the full name, e.g. "Orion Poplawski@ad.nwra.com". Changing it to orion fixed it. I wonder how this came to be.
Sorry for the noise, perhaps it will help someone in the future...
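
A log-triage sketch for the sssd message quoted in this thread, added here as an example and not part of the original messages: it scans sssd domain log lines for the krb5_auth_done UPN mismatch and summarises which accounts are affected. The function names are hypothetical, and every sample line except the first (taken from the thread) is constructed.

```python
import re
from collections import Counter

# Pattern for the krb5_auth_done message quoted in the thread.
MISMATCH_RE = re.compile(
    r"\[sssd\[be\[(?P<domain>[^\]]+)\]\]\] \[krb5_auth_done\] .*?"
    r"UPN used in the request \[(?P<requested>[^\]]+)\] "
    r"and returned UPN \[(?P<returned>[^\]]+)\] differ"
)

def split_upn(upn):
    """Split a UPN into (local part, realm) at the last '@'."""
    local, _, realm = upn.rpartition("@")
    return local, realm

def find_upn_mismatches(lines):
    """Return one record per distinct (requested, returned) UPN pair."""
    counts = Counter()
    for line in lines:
        m = MISMATCH_RE.search(line)
        if m:
            counts[(m["domain"], m["requested"], m["returned"])] += 1
    records = []
    for (domain, requested, returned), n in sorted(counts.items()):
        req_local, req_realm = split_upn(requested)
        ret_local, ret_realm = split_upn(returned)
        records.append({
            "sssd_domain": domain,
            "requested": requested,
            "returned": returned,
            "failures": n,
            "realm_matches": req_realm.casefold() == ret_realm.casefold(),
            "local_part_differs": req_local.casefold() != ret_local.casefold(),
            "requested_has_space": " " in req_local,
        })
    return records

# Sample input: first line is from the thread, the rest are constructed.
SAMPLE_LOG = [
    "(Fri Mar 27 13:51:43 2015) [sssd[be[nwra.com]]] [krb5_auth_done] (0x0020): UPN used in the request [Orion Poplawski@AD.NWRA.COM] and returned UPN [orion@AD.NWRA.COM] differ by more than just the case.",
    "(Fri Mar 27 13:52:10 2015) [sssd[be[nwra.com]]] [krb5_auth_done] (0x0020): UPN used in the request [Orion Poplawski@AD.NWRA.COM] and returned UPN [orion@AD.NWRA.COM] differ by more than just the case.",
    "(Fri Mar 27 13:55:02 2015) [sssd[be[example.com]]] [krb5_auth_done] (0x0020): UPN used in the request [Jane Doe@AD.EXAMPLE.COM] and returned UPN [jdoe@AD.EXAMPLE.COM] differ by more than just the case.",
    "(Fri Mar 27 13:56:00 2015) [sssd[be[nwra.com]]] [be_get_account_info] (0x0200): Got request for [0x1][1][name=orion]",
]

if __name__ == "__main__":
    for rec in find_upn_mismatches(SAMPLE_LOG):
        print(rec)
```

A record with `realm_matches` true and `requested_has_space` true points at the situation described in the thread: the UPN used in the request carries a full display name rather than the short logon name.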