There are two ways for maintaining user principal names (UPNs) in Active Directory: - associate UPN suffixes with the forest root and then allow for each user account to choose UPN suffix for logon; - directly modify userPrincipalName attribute in LDAP
Both approaches lead to the same result: AD DC accepts user@UPN-Suffix as a proper principal in AS-REQ and TGS-REQ.
The latter (directly modify userPrincipalName) case has a consequence that this UPN suffix is not visible via netr_DsRGetForestTrustInformation DCE RPC call. As result, FreeIPA KDC will not know that a particular UPN suffix does belong to a trusted Active Directory forest. As result, SSSD will not be able to authenticate and validate this user from a trusted Active Directory forest.
This is especially true for one-word UPNs which otherwise wouldn't work properly on Kerberos level for both FreeIPA and Active Directory.
Administrators are responsible for amending the list of UPNs associated with the forest in this case. With this commit, an option is added to 'ipa trust-mod' that allows specifying arbitrary UPN suffixes to a trusted forest root.
Metadata Update from @pvoborni: - Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1461053
Issue linked to bug 1461053
Metadata Update from @mbabinsk: - Issue priority set to: critical - Issue set to the milestone: FreeIPA 4.5.2
ipa-4-5:
master:
Metadata Update from @mbabinsk: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Log in to comment on this ticket.