Hi, I have a IDM (v3.3) installed on a Redhat7. I have a IDM realm connected to an AD via trust relationship. In the IDM realm there are Redhat6 and Redhat5 clients.
My client ask to be able to connect to the Linux machine with their AD without entering their domain (just username). On Redhat 6 there is an option for sssd (default_domain_suffix=) Seems to be exactly what I need, but I have a problem. If I use this option, I can indeed login with my AD username with domain name, but I cannot login with my Linux IDM username anymore, even if I use my fully qualified username@realm. i.e. In the middle of the PAM authentication it seems to fails (when ssh to the machine with ssh <server> -l admin@<realm>, I get Write failed: Broken pipe). If needed I can send more logs. I reproduce the problem in a more simple environment: just a Linux realm, and default_domain_suffix set to a inexistant domain, and again I cannot ssh to my server with my fully qualified username@realm Here is my sssd.conf: [domain/idm1] cache_credentials = True krb5_store_password_if_offline = True ipa_domain = idm1 id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = dc.idm1 chpass_provider = ipa ipa_server = dc.idm1 ipa_server_mode = True ldap_tls_cacert = /etc/ipa/ca.crt [sssd] services = nss, pam, ssh config_file_version = 2 domains = idm1 default_domain_suffix=toto.com [nss] [pam] [sudo] [autofs] [ssh] [pac] Here is my krb5.conf: includedir /var/lib/sss/pubconf/krb5.include.d/ [logging] default = FILE:/var/log/krb5libs.log kdc = FILE:/var/log/krb5kdc.log admin_server = FILE:/var/log/kadmind.log [libdefaults] default_realm = IDM1 dns_lookup_realm = false dns_lookup_kdc = true rdns = false ticket_lifetime = 24h forwardable = yes default_ccache_name = KEYRING:persistent:%{uid} ignore_acceptor_hostname = true [realms] IDM1 = { kdc = dc.idm1:88 master_kdc = dc.idm1:88 admin_server = dc.idm1:749 default_domain = idm1 pkinit_anchors = FILE:/etc/ipa/ca.crt } [domain_realm] .idm1 = IDM1 idm1 = IDM1 [dbmodules] IDM1 = { db_library = ipadb.so } is there something to add to make it working? Site note: also with Redhat5 which is configured following ipa-advise sssd-before-1.9, the default_domain_suffix is not understood with sssd<1.9. Is there a way to connect to force RHEL5 to let my windows user connect without entering their domain. I don’t know if there is a way to tune the compatibility tree return by the ldap server for example. Or should I try to compile sssd 1.9 for RHEL5? (but I guess this is easier said than done) or it doesn’t worth it? (incompatibility with kerberos, or with the RHEL5 kernel…) Regards, Nicolas Zin -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go To http://freeipa.org for more info on the project