2

It looks as though there is a solid requirement for usernames on the UNIX client and in the MSAD to match for Kerberos authentication to function (I think LDAP authentication too). Is this absolutely the case?

Our infrastructure owners have a habit of changing the sAMAccountName without warning - implementing UNIX/MSAD Kerberos/LDAP authentication like this becomes a bit of a nightmare in this situation.

Could we alter the user mapping module to reference a different AD attribute (that doesn't change) perhaps?

Jon

1 Answer

1

Unix users can list their (possibly multiple) Kerberos principals in $HOME/.k5login.

yrk