AD allows defining forest-wide alternative domain suffixes. With this a user does not need to use his default/canonical Kerberos principal like user@group.department.company.com but can use an alias like user@company.com.
Typically the email domain is used as alternative domain suffix, but it is important to note that the alternative domain suffix does not have to be related to a DNS domain, i.e. it can only be reliably resolved by the AD DC.
To allow KDCs of trusted domains to recognize the alternative domain suffixes, AD makes the list available e.g. via LDAP or RPC calls.
While (re-)discovering AD forests, IPA should read the list of alternative domain suffixes as well and use it to create suitable referrals when the IPA KDC receives requests where user principals with the alternative domain suffix are used.
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=1287194 (Red Hat Enterprise Linux 7)
Alexander already prepared a design page and POC for this feature: http://www.freeipa.org/page/V4/Support_of_UPN_for_trusted_domains
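The referral decision the ticket description asks for, as an added example that is neither FreeIPA's code nor taken from the design page: it assumes the suffix list of each trusted forest was already fetched at trust discovery time (AD publishes it in the forest's uPNSuffixes attribute) and, as a further assumption of this example only, refers a principal carrying an alias suffix to the forest root realm, since only a DC of that forest can map the alias to the real domain.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TrustedForest:
    """What IPA learns about one trusted AD forest at trust discovery time."""
    root_realm: str            # Kerberos realm of the forest root domain
    domain_realms: List[str]   # realms of every domain in the forest
    upn_suffixes: List[str]    # forest-wide alternative UPN suffixes (uPNSuffixes)


# Constructed sample: a two-domain forest whose users may log in as
# user@company.com although no realm (or DNS zone) of that name exists.
TRUSTED_FORESTS = [
    TrustedForest(
        root_realm="DEPARTMENT.COMPANY.COM",
        domain_realms=["DEPARTMENT.COMPANY.COM", "GROUP.DEPARTMENT.COMPANY.COM"],
        upn_suffixes=["company.com", "mail.example"],
    ),
]


def split_principal(principal: str) -> Tuple[str, str]:
    """Split 'name@suffix' at the last '@' so names containing '@' still work."""
    name, sep, suffix = principal.rpartition("@")
    if not sep or not name or not suffix:
        raise ValueError("principal must look like name@suffix: %r" % principal)
    return name, suffix


def referral_realm(principal: str, local_realm: str,
                   forests: List[TrustedForest]) -> Optional[str]:
    """Realm the IPA KDC should refer this principal to, or None.

    None means no referral: the principal is local, or the suffix is unknown.
    Matching is case-insensitive; suffixes arrive in whatever case AD stored.
    """
    _, suffix = split_principal(principal)
    if suffix.upper() == local_realm.upper():
        return None                          # our own user, handled locally
    for forest in forests:
        for realm in forest.domain_realms:
            if suffix.upper() == realm.upper():
                return realm                 # canonical name, refer directly
        if suffix.lower() in (s.lower() for s in forest.upn_suffixes):
            # Alias suffix: only the forest's DCs can resolve it, so refer to
            # the forest root realm (this example's assumption, see lead-in).
            return forest.root_realm
    return None
```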
Let me update the title so that it is more discoverable.
master:
The wrong commit was pushed master:
The right version is here: master:
Metadata Update from @sbose: - Issue assigned to abbra - Issue set to the milestone: FreeIPA 4.4