>> - Users can't login to a Linux box using just "username" ([email protected] is used)
>
> In the current version you can use the 'default_domain_suffix' option in
> sssd.conf on the clients. In RHEL-7.4 we are looking into making this
> limitation go away.

Thank you very much, Jakub. That is helpful information! Are you saying that there will basically be a domain search order or something for users that login without specifying a domain?

Back to the community as a whole, regarding these other items:

> - Since AD trust users don't show up in FreeIPA web UI users can't login
> to manage their own SSH keys

After doing some additional thinking/researching I realized that SSH keys become largely irrelevant because of GSSAPI (Dmitri Pal posed this question in this thread: https://www.redhat.com/archives/freeipa-users/2013-September/msg00290.html).

> - User/group management in general becomes largely a command-line
> operation (such as mapping groups so they can be used in HBAC and sudo rules)

While this is a nice-to-have, it isn't a deal breaker.

I have another question. Can additional authentication requirements (such as 2FA) be imposed on users from a trust via IPA?

Thanks,
j
