> >1)  IPA Client Login issue.
> >In an IPA client, if a Windows AD user wants to log in, they need to type the
> >full name, such as 'userA@win_ad.com'. How do I let Windows AD users log on
> >with only their username? That means using only 'userA' to log on to the IPA
> >client PC rather than 'userA@win_ad.com'?
> Not supported. There could be some obscure SSSD setting to allow one
> SSSD domain (as in /etc/sss/sssd.conf) to be the default, but since trusted AD
> domains are represented as subdomains of a single IPA provider, the full UPN is
> used to distinguish and discover which subdomain they belong to, for
> performance reasons.

Actually you can use "default_domain_suffix" in the [sssd] section. But
then you need to fully-qualify the users from the IPA domain.

 default_domain_suffix (string)
  This string will be used as a default domain name for all names without a
  domain name component. The main use case is environments where the primary
  domain is intended for managing host policies and all users are located in a
  trusted domain. The option allows those users to log in just with their user
  name without giving a domain name as well.

  Please note that if this option is set all users from the primary domain have
  to use their fully qualified name, e.g. u...@domain.name, to log in.

  Default: not set

Freeipa-users mailing list
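
A sketch of what the setting discussed above looks like in an IPA client's sssd.conf. This is an added example, not part of the original message; the IPA domain and server names (ipa.example.com, ipa-server.ipa.example.com) are placeholders, and win_ad.com is the trusted AD domain from the question.

```ini
# /etc/sssd/sssd.conf on the IPA client (excerpt; names are placeholders)
[sssd]
services = nss, pam
domains = ipa.example.com

# Names typed without a domain component are treated as belonging to
# the trusted AD domain:
#   userA                   -> looked up as userA@win_ad.com
#   userA@win_ad.com        -> still works
# Users from the primary IPA domain must now be fully qualified:
#   admin                   -> looked up as admin@win_ad.com (not the IPA admin)
#   admin@ipa.example.com   -> the IPA admin
default_domain_suffix = win_ad.com

[domain/ipa.example.com]
id_provider = ipa
ipa_domain = ipa.example.com
ipa_server = ipa-server.ipa.example.com
```

Restart SSSD after the change and confirm with `id userA` and `id admin@ipa.example.com` that each name resolves to the account you expect; any sudo, HBAC or PAM access rule that refers to IPA users by short name should be rechecked with the fully qualified form.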
