Active Directory User Cannot Login When UserPrincipalName (UPN) is Different Than Default Realm When Using SSSD's AD Provider


Issue

Active Directory users have a UserPrincipalName attribute within Active Directory. According to Microsoft documentation:

This attribute contains the UPN that is an Internet-style login name for a user based on the Internet standard RFC 822. The UPN is shorter than the distinguished name and easier to remember. By convention, this should map to the user email name. The value set for this attribute is equal to the length of the user's ID and the domain name.

If an Active Directory user has an "enterprise principal" (a UPN whose suffix is a realm other than the default realm), sssd will fail to log the user into a Red Hat Enterprise Linux 6.4+ system that uses the ad provider.
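The following is an added example, not part of the original article, showing how an administrator could check an LDIF export of AD users for accounts whose UPN suffix differs from the default realm and would therefore be affected by this issue. The LDIF records and the realm EXAMPLE.COM are constructed for illustration.

```python
"""Find AD users whose userPrincipalName suffix differs from the default realm.

Added example, not from the original article. The LDIF sample below and the
realm name EXAMPLE.COM are constructed for illustration.
"""

# Constructed LDIF export of the kind produced by `ldapsearch -LLL`.
SAMPLE_LDIF = """\
dn: CN=alice,CN=Users,DC=example,DC=com
sAMAccountName: alice
userPrincipalName: alice@example.com

dn: CN=bob,CN=Users,DC=example,DC=com
sAMAccountName: bob
userPrincipalName: bob@corp.example.net

dn: CN=svc-backup,CN=Users,DC=example,DC=com
sAMAccountName: svc-backup
"""


def parse_ldif(text):
    """Yield one dict of attributes per LDIF record (records are blank-line separated)."""
    record = {}
    for line in text.splitlines():
        if not line.strip():
            if record:
                yield record
            record = {}
            continue
        key, _, value = line.partition(":")
        record[key.strip()] = value.strip()
    if record:
        yield record


def upn_realm(upn):
    """Return the realm part of a UPN, upper-cased the way Kerberos realms are written."""
    return upn.rsplit("@", 1)[1].upper() if "@" in upn else None


def find_enterprise_principals(ldif_text, default_realm):
    """Return the sAMAccountNames whose UPN suffix is not the default realm.

    Accounts without a userPrincipalName are skipped, since the failure
    described in this article concerns the UPN suffix.
    """
    affected = []
    for rec in parse_ldif(ldif_text):
        upn = rec.get("userPrincipalName")
        if upn and upn_realm(upn) != default_realm.upper():
            affected.append(rec["sAMAccountName"])
    return affected
```

Running `find_enterprise_principals(SAMPLE_LDIF, "EXAMPLE.COM")` on the constructed data reports only `bob`, whose UPN suffix `corp.example.net` is not the default realm.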

Environment

  • Red Hat Enterprise Linux 6
  • sssd 1.9.x
