On 3/22/21 9:26 PM, Alfred Victor via FreeIPA-users wrote:
Hi Rob,

This is on a newly re-enrolled client (it runs force-join, previously it joined with different arguments but the machine does not have any data that itself persists between boots). I don't see the issue on a previously enrolled client. I have verified this is causing the failure with group related auth because if I edit the group names in /etc/ssh/sshd_config to include @domain.com, I am able to log on as my user via key. I am also concerned that this can affect other processes and systems, as I'm not sure what has caused it and it persists after each ipa setup (reboot of the machine). I did notice the following enabled in IPA server->configuration:

MS-PAC

But I'm not sure if this has anything to do with the behavior.

Roger

Hi,

there are multiple settings that can affect the use of fully qualified names [1]. At IPA level, is the domain resolution order set?
# ipa config-show | grep 'Domain resolution order'

The domain_resolution_order setting also exists in sssd.conf and is affected by full_name_format. More details available in sssd.conf(5) man page, but in short, if a domain resolution order is set, the output of the id command will display fully qualified names.

HTH,
flo

[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index#short-names

On Mon, Mar 22, 2021 at 2:48 PM Rob Crittenden <[email protected]> wrote:

    Alfred Victor via FreeIPA-users wrote:
     > Hi FreeIPA,
     >
     > It seems like something has changed but I can't figure out quite what
     > and a colleague is out sick. When I perform id lookup on a user,
     > everything shows as [email protected] format. Can anyone please advise
     > what causes this (backend setting, setup command?)
     >
     > [test@testingipa ~]# id tester
     >
     > uid=3993([email protected])
     >
     > I believe anecdotally this is causing some group based auth to fail.
     > Here's setup command args:
     >
     > --enable-dns-updates \
     >
     > --ssh-trust-dns \

    We need more context. This is universal across all clients/servers? On a
    previously enrolled client? A newly enrolled client?

    rob


_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure