Freeipa Authentication Failure in AD Trust setup


Authentication fails for AD users on RHEL system in an Freeipa/AD trusted environment.

The following errors can be found in the logs:

Assumptions and context:

In the context above, IDM clients will try to use the (derived from the UPN) realm to authenticate into Linux machines.

The RHEL client will use as realm and try to discover KDC for through DNS requests, which will return “no such name” (can be seen in a tcpdump trace).


The solution is to “trick” Freeipa into using the domain passed at the SSH command line by the user ( derived from user fqdn

On all Freeipa servers, in /etc/sssd/sssd.conf, add in the relevant domain section for the trust:

subdomain_inherit = ldap_user_principal  # <--- this option
ldap_user_principal = nosuchattr    # <--- this option

Clear the cache on IDM servers and IDM clients with:

systemctl stop sssd && rm -fr /var/lib/sssd/db/* && systemctl start sssd

Restart ipa:

systemctl restart ipa

Attempt a connection with:



The UPN domain is used first, but in this context the domain cannot be resolved. We have to force IDM clients to use the domain passed at the CLI and ignore the UPN.

Thanks for reading this post!

Did you find an issue in this article?

- click on the following Github link
- log into Github with your account
- click on the line number containing the error
- click on the "..." button
- choose "Reference in new issue"
- add a title and your comment
- click "Submit new issue"

Your feedback is much appreciated! 🤜🏼🤛🏼

You can also drop me a line below!