On Tue, Sep 06, 2016 at 01:02:34AM -0400, Jim Richard wrote:
> So I have two-way trust setup and it seems to work.
>
> And as described here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html
>
> SSSD allows user names in the format [email protected], ad.domain\user and
> AD\user
>
> That works just as described.
>
> I have two domains/realms - idm.placeiq.net and idm-ad.placeiq.net, the
> second being the Active Directory domain.
>
> My desire is to have AD be the source for all user/authentication - the AD
> users will use their creds to ssh in to all of the Centos hosts in the
> idm.placeiq.net domain.
>
> The hosts that live in IDM are a combination of Centos 6.8 and 7.X hosts.
>
> How can I make it so a user does not have to:
>
> ssh 'IDM-AD\Administrator’@hostname or ssh
> [email protected]@hostname
>
> Instead when I say Administrator@hostname it auto-magically knows I mean "ssh
> [email protected]@10.1.41.202
>
> I’ve tried modifiying krb5.conf as such but it seems like I’m missing a step.
>
> [libdefaults]
>
> #default_realm = IDM.PLACEIQ.NET
>
> default_realm = IDM-AD.PLACEIQ.NET
>
>
> I think my clients use the localauth plugin but I’m not entirely sure. If so,
> how can I configure its behavior?
Put:
default_domain_suffix = AD.DOMAIN
into the [sssd] section of your sssd.conf.
This setting auto-qualifies any user or group queries unless you qualify
them yourself (so you need to qualify any IPA user/group lookups..).
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
