On Wed, Apr 01, 2015 at 09:03:07AM +0100, John Hodrien wrote:
On Wed, 1 Apr 2015, Orion Poplawski wrote:
A mistake in an AD update set it to that. Obviously it should be orion@AD.NWRA.COM, and is fixed now. Do you still want the kinit trace for this configuration error?
I still see this as a bug in the AD provider.
I agree, I would expect the AD provider to handle this with canonicalization.
But I'm not sure the krb5 trace would be useful now if the UPN value has been re-set on the AD side.
userPrincipalName in AD does *not* reliably map to the name of the user Principal. It's an alias for the username you can use at login, but it doesn't relate to Kerberos AFAIK.
With our ldap/krb5 config (that we've *still* not switched over to use the ad provider), we use:
ldap_user_principal = checkundefinedattribute
This way, it hits an undefined attribute, and simply defaults to the reliably correct value.
jh