FreeIPA 4.1.2 Trusted AD Users cannot login with UPN

nathanpeters
Posts: 5
Joined: 2015/01/30 23:29:49


Post by nathanpeters » 2015/02/18 22:51:32

I have a FreeIPA 4.1.2 server running on CentOS 7 and it is trusting an AD 2012r2 level domain.
FreeIPA domain name : ipadomain.net
AD domain name : ad.otherdomain.net
The AD domain has a UPN set up so users can be referred to as username@otherdomain.net (without having to put the ad. in front of it).

These AD users can log in to Windows resources using their shortened UPN without issue.
These AD users can log in to FreeIPA machines just fine but must use the long name (username@ad.otherdomain.net). If they try with username@otherdomain.net it fails.

I noticed that support for enterprise principals was added in sssd 1.12, which I have, but it refers to only being available for AD if you connect AD directly to Linux.

Is there a way to use the enterprise principals feature to allow an AD user to log in to a Linux machine joined to a FreeIPA domain that is trusting an AD domain with the UPN (user@otherdomain.net instead of user@ad.otherdomain.net)?

I tried adding krb5_use_enterprise_principal = True to the domain section of my sssd.conf file but that did not help.
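To make the mechanism behind the question concrete, here is an added illustration (not code from the post, from FreeIPA or from SSSD) of how a Kerberos client reads the two name forms. It assumes MIT-Kerberos-style principal syntax (components separated by `/`, the realm after an unescaped `@`, backslash escapes), the NT-ENTERPRISE name type from RFC 4120/6806, and the realm names from the post; the `resolve_strategy` helper is a simplified model of the client decision, not a reproduction of the krb5 or sssd code path.

```python
"""Why 'username@otherdomain.net' parses differently from the long name.

Added example, not code from the forum post, FreeIPA or SSSD. Assumes
MIT-Kerberos-style principal strings and the RFC 4120 name-type values.
Realm names below are the ones from the post; KNOWN_REALMS is a constructed
stand-in for "realms this client has a trust path to".
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

NT_PRINCIPAL = 1     # RFC 4120 name type for an ordinary principal
NT_ENTERPRISE = 10   # RFC 4120 name type for an enterprise (UPN-style) name

# Constructed: the IPA realm plus the AD realm reachable through the trust.
KNOWN_REALMS = {"IPADOMAIN.NET", "AD.OTHERDOMAIN.NET"}


@dataclass(frozen=True)
class Principal:
    components: List[str]
    realm: Optional[str]
    name_type: int = NT_PRINCIPAL


def parse_principal(text: str, default_realm: str) -> Principal:
    """Parse 'comp1/comp2@REALM', honouring backslash escapes.

    The first unescaped '@' ends the name and everything after it is taken
    as the realm; with no '@' the caller's default realm is used.
    """
    comps, cur, realm, i = [], "", None, 0
    while i < len(text):
        c = text[i]
        if c == "\\" and i + 1 < len(text):
            cur += text[i + 1]          # escaped character taken literally
            i += 2
            continue
        if c == "/":
            comps.append(cur)
            cur = ""
        elif c == "@":
            realm = text[i + 1:]        # rest of the string is the realm
            break
        else:
            cur += c
        i += 1
    comps.append(cur)
    return Principal(comps, realm if realm is not None else default_realm)


def enterprise_principal(upn: str, local_realm: str) -> Principal:
    """Wrap the whole UPN as one NT-ENTERPRISE component in the client's own
    realm (what 'kinit -E' does), so the local KDC is asked to resolve it
    instead of the client guessing a realm from the text after '@'."""
    return Principal([upn], local_realm, NT_ENTERPRISE)


def to_string(p: Principal) -> str:
    """Unparse with '\\', '/' and '@' inside components escaped."""
    def esc(s: str) -> str:
        return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
    return "/".join(esc(c) for c in p.components) + "@" + (p.realm or "")


def resolve_strategy(text: str, default_realm: str,
                     known_realms: set) -> Tuple[str, Principal]:
    """Simplified model (an assumption of this example, not the krb5/sssd
    logic): if the literal realm is one the client knows, look it up
    directly; otherwise the name can only work as an enterprise principal.
    Realm names are compared case-insensitively here for readability only."""
    p = parse_principal(text, default_realm)
    if p.realm and p.realm.upper() in {r.upper() for r in known_realms}:
        return "direct", p
    return "enterprise", enterprise_principal(text, default_realm)


if __name__ == "__main__":
    for name in ("username@ad.otherdomain.net", "username@otherdomain.net"):
        how, p = resolve_strategy(name, "IPADOMAIN.NET", KNOWN_REALMS)
        print(f"{name:32} -> {how:10} {to_string(p)}")
```

Run as a script, it shows that `username@ad.otherdomain.net` lands in a realm the client can reach through the trust, while `username@otherdomain.net` names a realm that does not exist on the Kerberos side and only makes sense once it is re-encoded as `username\@otherdomain.net@IPADOMAIN.NET` and handed to the IPA KDC to resolve.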
