#5354 [RFE] Support of UPN for trusted domains
Closed: Fixed. Opened 8 years ago by sbose.

AD allows defining forest-wide alternative domain suffixes. With this, a user does not need to use his default/canonical Kerberos principal like user@group.department.company.com but can use an alias like user@company.com.

Typically the email domain is used as the alternative domain suffix, but it is important to note that the alternative domain suffix does not have to be related to a DNS domain, i.e. it can only be reliably resolved by the AD DC.

To allow the KDCs of trusted domains to recognize the alternative domain suffixes, AD makes the list available, e.g. via LDAP or RPC calls.

While (re-)discovering AD forests, IPA should read the list of alternative domain suffixes as well and use it to create suitable referrals when the IPA KDC receives requests in which user principals with the alternative domain suffix are used.

Alexander already prepared a design page and POC for this feature:
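
As an added example (not FreeIPA's own code, and not taken from the design page or POC referred to above), the following Python sketch shows the two pieces the ticket asks for: reading the forest-wide suffix list from the AD configuration partition's uPNSuffixes attribute, and mapping the domain part of a principal to the realm a KDC referral should point at. The attribute name uPNSuffixes is the real AD attribute; the forest names, realms, the LDAP attribute map and the precedence rules in `referral_realm` are constructed sample data and assumptions for illustration, not how IPA implements it.

```python
# Added example, not FreeIPA code: resolve a principal whose domain part is a
# forest-wide alternative UPN suffix to the trusted forest's Kerberos realm,
# which is what an IPA KDC needs in order to issue a referral.
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Set


@dataclass
class TrustedForest:
    """What IPA learns about one trusted AD forest during (re-)discovery."""
    root_realm: str                       # Kerberos realm of the forest root domain
    domain_realms: Dict[str, str]         # DNS domain (lower-case) -> realm of that domain
    upn_suffixes: Set[str] = field(default_factory=set)   # forest-wide alternative suffixes


def parse_upn_suffixes(partitions_entry: Dict[str, List[bytes]]) -> Set[str]:
    """Extract the forest-wide alternative suffixes from the attribute map of
    the forest's CN=Partitions,CN=Configuration,... object as an LDAP client
    returns it (attribute uPNSuffixes, one bytes value per suffix).

    Suffix matching is case-insensitive, so values are normalised to lower
    case; empty or whitespace-only values are dropped.
    """
    suffixes: Set[str] = set()
    for raw in partitions_entry.get("uPNSuffixes", []):
        value = raw.decode("utf-8").strip().rstrip(".").lower()
        if value:
            suffixes.add(value)
    return suffixes


def referral_realm(principal: str, ipa_realm: str,
                   forests: Iterable[TrustedForest]) -> Optional[str]:
    """Return the realm a KDC should send `principal` to, or None when the
    domain part is unknown (the KDC then reports the client principal as
    unknown instead of guessing a realm).

    Precedence (an assumption for this example):
      1. unqualified names and names in the IPA realm are handled locally;
      2. a DNS domain of a trusted forest maps to that domain's own realm;
      3. a forest-wide alternative suffix maps to the forest root realm,
         whose KDC knows which child domain actually holds the user.
    """
    if "@" not in principal:
        return ipa_realm
    _, _, suffix = principal.rpartition("@")
    suffix = suffix.strip().rstrip(".").lower()
    if suffix == ipa_realm.lower():
        return ipa_realm
    forests = list(forests)          # the iterable is walked twice
    for forest in forests:
        if suffix in forest.domain_realms:
            return forest.domain_realms[suffix]
    for forest in forests:
        if suffix in forest.upn_suffixes:
            return forest.root_realm
    return None


# Constructed sample data: the uPNSuffixes attribute as an LDAP search would
# hand it back, and a forest shaped like the ticket's example (root
# department.company.com, child group.department.company.com, alias company.com).
SAMPLE_PARTITIONS_ENTRY: Dict[str, List[bytes]] = {
    "uPNSuffixes": [b"Company.com", b"corp.example", b"   "],
}

SAMPLE_FOREST = TrustedForest(
    root_realm="DEPARTMENT.COMPANY.COM",
    domain_realms={
        "department.company.com": "DEPARTMENT.COMPANY.COM",
        "group.department.company.com": "GROUP.DEPARTMENT.COMPANY.COM",
    },
    upn_suffixes=parse_upn_suffixes(SAMPLE_PARTITIONS_ENTRY),
)


if __name__ == "__main__":
    for name in ("user@group.department.company.com", "user@company.com",
                 "User@CORP.EXAMPLE", "user@unknown.test", "admin"):
        print(f"{name:40} -> {referral_realm(name, 'IPA.EXAMPLE', [SAMPLE_FOREST])}")
```

The point of the second loop is that an alias such as company.com is not tied to a particular domain: only the forest root's KDC can tell which child domain holds the user, so the referral goes there rather than to a DNS-derived guess. An unknown suffix is returned as None on purpose; refusing is safer than referring a request to an arbitrary realm.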

Let me update the title so that it is more discoverable.


  • 1858064 adtrust: remove nttrustpartner parameter

The wrong commit was pushed

  • 4780173 Revert "adtrust: remove nttrustpartner parameter"

The right version is here:

  • a0f953e adtrust: remove nttrustpartner parameter


  • bb75f5a adtrust: support UPNs for trusted domain users

Metadata Update from @sbose:
- Issue assigned to abbra
- Issue set to the milestone: FreeIPA 4.4

7 years ago
