> >1) IPA Client Login issue.
> >On an IPA client, if a Windows AD user wants to log in, they need to type the full name,
> >such as 'userA@win_ad.com'. How do I let Windows AD users log on with only
> >their username? That means using only 'userA' to log on to the IPA client PC rather
> >than 'userA@win_ad.com'?
> Not supported. There could be some obscure SSSD setting to allow one
> SSSD domain (as in /etc/sss/sssd.conf) to be the default, but since trusted AD
> domains are represented as subdomains of a single IPA provider, full UPN is
> used to distinguish and discover which subdomain they belong to for
> performance reasons.
Actually you can use "default_domain_suffix" in the [sssd] section. But
then you need to fully-qualify the users from the IPA domain.
This string will be used as a default domain name for all names without a
domain name component. The main use case is environments where the primary
domain is intended for managing host policies and all users are located in a
trusted domain. The option allows those users to log in just with their user
name without giving a domain name as well.
Please note that if this option is set all users from the primary domain have
to use their fully qualified name, e.g. u...@domain.name, to log in.
Default: not set
Freeipa-users mailing list
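
The option discussed in this thread, as an added configuration example that is not part of the original messages: `win_ad.com` is the AD domain from the question, while `ipa.example.com` and `ipa1.ipa.example.com` are assumed placeholder names for the IPA domain and server.

```ini
# /etc/sssd/sssd.conf on the IPA client (constructed example)
[sssd]
services = nss, pam
domains = ipa.example.com
# Names typed without a domain part are looked up as <name>@win_ad.com
default_domain_suffix = win_ad.com

[domain/ipa.example.com]
id_provider = ipa
ipa_domain = ipa.example.com
ipa_server = ipa1.ipa.example.com

# Effect on login names once sssd has been restarted:
#   userA                  -> resolved as userA@win_ad.com (trusted AD domain)
#   userA@win_ad.com       -> unchanged
#   admin@ipa.example.com  -> IPA users must now always fully qualify
#   admin                  -> looked up as admin@win_ad.com, not the IPA admin
```

After restarting sssd, `id userA` and `getent passwd admin@ipa.example.com` confirm which domain each form of the name resolves in; review sudo and HBAC rules or scripts that refer to IPA accounts by short name, since those names now point at the AD domain.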