On Wed, 1 Apr 2015, Orion Poplawski wrote:
A mistake in an AD update set it to that. Obviously it should be orion@AD.NWRA.COM, and is fixed now. Do you still want the kinit trace for this configuration error?
I still see this as a bug in the AD provider. userPrincipalName in AD does *not* reliably map to the name of the user Principal. It's an alias for the username you can use at login, but it doesn't relate to Kerberos AFAIK.
With our ldap/krb5 config (that we've *still* not switched over to use the ad provider), we use:
ldap_user_principal = checkundefinedattribute
This way, it hits an undefined attribute, and simply defaults to the reliably correct value.
jh