On Tue, Sep 06, 2016 at 01:02:34AM -0400, Jim Richard wrote:
> So I have two-way trust setup and it seems to work.
>
> And as described here:
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html
>
> SSSD allows user names in the format user@AD.DOMAIN, ad.domain\user and
> AD\user
>
> That works just as described.
>
> I have two domains/realms - idm.placeiq.net and idm-ad.placeiq.net, the
> second being the Active Directory domain.
>
> My desire is to have AD be the source for all user/authentication - the AD
> users will use their creds to ssh in to all of the Centos hosts in the
> idm.placeiq.net domain.
>
> The hosts that live in IDM are a combination of Centos 6.8 and 7.X hosts.
>
> How can I make it so a user does not have to:
>
> ssh 'IDM-AD\Administrator'@hostname or ssh
> administra...@idm-ad.placeiq.net@hostname
>
> Instead when I say Administrator@hostname it auto-magically knows I mean "ssh
> administra...@email@example.com
>
> I've tried modifying krb5.conf as such but it seems like I'm missing a step.
>
> [libdefaults]
>
> #default_realm = IDM.PLACEIQ.NET
>
> default_realm = IDM-AD.PLACEIQ.NET
>
>
> I think my clients use the localauth plugin but I'm not entirely sure. If so,
> how can I configure its behavior?
Put:

default_domain_suffix = AD.DOMAIN

into the [sssd] section of your sssd.conf. This setting auto-qualifies any user or group queries unless you qualify them yourself (so you need to qualify any IPA user/group lookups..).

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
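As an added illustration (not part of the reply above), here is what the suggested setting looks like in a minimal sssd.conf for the poster's environment. The domain names are taken from the thread; the `[domain/...]` section name and the other keys are assumptions for a typical IPA client with an AD trust, not the poster's actual configuration.

```ini
# /etc/sssd/sssd.conf (example, assumed layout)
[sssd]
services = nss, pam
# Domain section name below is assumed; it is normally the IPA domain.
domains = idm.placeiq.net

# Unqualified names such as "Administrator" are now treated as
# Administrator@idm-ad.placeiq.net (the trusted AD domain).
# Side effect: IPA users must be looked up fully qualified, e.g.
# admin@idm.placeiq.net, or they will not be found.
default_domain_suffix = idm-ad.placeiq.net

[domain/idm.placeiq.net]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
```

After restarting sssd, `getent passwd Administrator` and `getent passwd admin@idm.placeiq.net` show whether the AD short name now resolves and whether the IPA user still resolves when qualified; if the unqualified IPA lookup returns nothing, that is the documented trade-off of this setting, not a broken trust.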