Hi folks,

I've got a simple FreeIPA topology with a 1-way trust to a nice
uncomplicated Active Directory environment. Unlike my other projects,
there is no complex AD forest or topology to navigate; just a single
integrated domain.

Because of this we have short usernames working for login just fine;
works great. Instead of "[email protected]" I can log in as "chris".

However, I was asked if it was possible to also use short aka "not fully
qualified" names when looking at local 'id', user and group info.
Basically the question was if it was possible to use short names for
everything including id views, getent output and group output.

This is where my knowledge hits a wall -- I think this level of username
and group handling is fed into NSS via IPA? If so, is there a way to
alter FreeIPA to use unqualified names -- presumably via altering or
creating a new Trust View and applying it to the hosts? Not really sure
if this is sensible or even advisable but I've been asked to research.

Here is an example:

## Short login works fine! My AD username is "[email protected]" ...
$ ssh [email protected]
Last login: Thu Oct 22 22:37:32 2020 from 10.10.210.63

## But users are asking about the OS view of usernames and groups:
## Is there a way to use non fully qualified names in these sorts of views, possibly via new Trust Views on the IPA server side?
## Is this even reasonable to consider doing?
[[email protected]@ansible-testhost-01 ~]$ id
uid=1087803012([email protected]) gid=1087803012([email protected]) groups=1087803012([email protected]),692600000([email protected]),692600010([email protected]),1087800513(domain [email protected]),1087803220([email protected])
[[email protected]@ansible-testhost-01 ~]$

Thanks!
Regards
Chris