I'm answering myself (but my problem is not resolved).

> ----- Original message -----
> From: "Nicolas Zin" <nicolas....@savoirfairelinux.com>
> To: freeipa-users@redhat.com
> Sent: Thursday 4 December 2014 18:49:36
> Subject: [Freeipa-users] ad trust and default_domain_suffix
>
> Hi,
>
> I have an IDM (v3.3) installed on a Red Hat 7.
> I have an IDM realm connected to an AD via a trust relationship.
> In the IDM realm there are Red Hat 6 and Red Hat 5 clients.
>
> My client asks to be able to connect to the Linux machines with their AD
> accounts without entering their domain (just the username). On Red Hat 6 there is an option
> for sssd (default_domain_suffix=).
> It seems to be exactly what I need, but I have a problem. If I use this option,
> I can indeed log in with my AD username without the domain name, but I cannot log in
> with my Linux IDM username anymore, even if I use my fully qualified
> username@realm. I.e. in the middle of the PAM authentication it seems to
> fail (when I ssh to the machine with ssh <server> -l admin@<realm>, I get
> "Write failed: Broken pipe"). If needed I can send more logs.
>
> I reproduced the problem in a simpler environment: just a Linux realm, and
> default_domain_suffix set to a nonexistent domain, and again I cannot ssh to
> my server with my fully qualified username@realm.
So when I try "ssh localhost -l admin@idm1" (idm1 is my domain name), in /var/log/sssd/sssd_nss.log I find:

...
(Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin@idm1]
(Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [idm1]
(Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin@idm1]
(Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [idm1]
(Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin@idm1]
(Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [idm1]
(Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin@idm1]
(Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [idm1]
(Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin@idm1]
(Wed Dec 3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name received [admin]

So it seems to be a problem with nss not being able to find my user. Indeed, if I do "getent passwd admin" it doesn't show anything, but if I do "getent passwd admin@idm1" it works.

I found a "workaround":

getent passwd admin@idm1 >> /etc/passwd

Now I can ssh to my server:

ssh localhost -l admin@idm1

Is it a bug? Is there a better "workaround"?

Regards,

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
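The sssd_nss.log excerpt above shows the pattern worth recognising when default_domain_suffix breaks a fully qualified lookup: the same nss_cmd_getpwnam_search / nss_cmd_getbynam pair repeats, and the request ends with a level-0x0040 "Invalid name received" from nss_cmd_getbynam_done. The following is an added example, not code from the thread or from the sssd project: it parses sssd's "(timestamp) [sssd[service]] [function] (0xLEVEL): message" log format, maps the level bits to the names documented for debug_level in sssd.conf(5), and summarises one lookup (which raw name was requested, how sssd split it into name and domain, how many search passes ran, and which failure closed it). The sample log is constructed inline from the lines quoted in the mail; the field names in the summary dict and the retry-counting heuristic are this example's own choices.

```python
"""Summarise a failing getpwnam lookup from an sssd_nss.log excerpt.

Added example, not part of the mailing-list thread. Log lines are those
quoted in the mail; parsing and the summary heuristic are this example's own.
"""
import re
import sys
from datetime import datetime

# One sssd debug line: (timestamp) [sssd[service]] [function] (0xLEVEL): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<svc>[^\]]+)\]\] "
    r"\[(?P<func>[^\]]+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# "Requesting info for [admin@idm1]" or "Requesting info for [admin] from [idm1]"
REQ_RE = re.compile(r"Requesting info for \[(?P<name>[^\]]+)\](?: from \[(?P<domain>[^\]]+)\])?")

# Level bits as documented for debug_level in sssd.conf(5); bits 0x0010..0x0080 are failures.
LEVEL_NAMES = {
    0x0010: "fatal", 0x0020: "critical", 0x0040: "serious", 0x0080: "minor",
    0x0100: "config", 0x0200: "function data", 0x0400: "trace",
    0x1000: "internal trace", 0x2000: "variables", 0x4000: "low-level trace",
}
FAILURE_MASK = 0x00F0

# Constructed sample: the ten lines quoted in the mail (four search/getbynam
# pairs, a fifth search, then the terminal error).
_SEARCH = "(Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin@idm1]"
_BYNAM = "(Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [idm1]"
_DONE = "(Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name received [admin]"
SAMPLE_LOG = "\n".join([_SEARCH, _BYNAM] * 4 + [_SEARCH, _DONE]) + "\n"


def parse_line(line):
    """Return a dict for one sssd log line, or None if the line is not one."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(m.group("level"), 16)
    rec["level_name"] = LEVEL_NAMES.get(rec["level"], "unknown")
    try:  # ctime-style stamp; %d tolerates the padded day ("Dec  3")
        rec["time"] = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    except ValueError:
        rec["time"] = None
    return rec


def parse_log(text):
    """Parse every recognisable line, silently skipping others (e.g. '...')."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize_lookup(records):
    """Describe one NSS lookup: what was asked, how it was split, how it ended."""
    s = {"raw_name": None, "name": None, "domain": None,
         "search_attempts": 0, "domain_requests": 0,
         "failure": None, "failure_level": None}
    for r in records:
        m = REQ_RE.search(r["msg"])
        if r["func"] == "nss_cmd_getpwnam_search":
            s["search_attempts"] += 1           # outer search loop iterations
            if m:
                s["raw_name"] = m.group("name")  # name as the client sent it
        elif r["func"] == "nss_cmd_getbynam":
            s["domain_requests"] += 1            # per-domain requests issued
            if m:
                s["name"], s["domain"] = m.group("name"), m.group("domain")
        elif r["level"] & FAILURE_MASK and s["failure"] is None:
            s["failure"] = r["msg"]             # first failure-level message
            s["failure_level"] = r["level_name"]
    return s


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, val in summarize_lookup(parse_log(text)).items():
        print(f"{key:16} {val}")
```

Run it as `python3 sssd_nss_lookup.py /var/log/sssd/sssd_nss.log` (with debug_level raised in the [nss] section so these lines are logged) or without arguments to use the embedded sample. On the sample it reports raw_name admin@idm1 split into admin / idm1, five search passes against four domain requests, and a "serious" failure of "Invalid name received [admin]". A line copied from `getent passwd admin@idm1` into /etc/passwd masks that failure because the files backend answers before sss, but it is a static snapshot that will not follow UID, shell or home-directory changes made in IPA.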