[Freeipa-users] Can an Active Directory domain be the default domain?

2015-04-13 Thread David Guertin
In our newly-setup IPA environment, users can log in to RHEL clients 
with the username username@addomain. This works, but I've run into a 
problem with some RHEL 5 clients that are Apache servers -- the Apache 
UserDir mappings no longer work. Many of the users have web pages served 
from the public_html directory in their home directory. With our old NIS 
configuration, the URL is of the form http://hostname/~username. With 
the new IPA configuration, these URLs no longer work; the web pages are 
now found in http://hostname/~username@addomain.


I can think of several ways to approach this problem, but my first 
thought is to have IPA recognize the AD domain as the default domain, so 
that our users could log in with username instead of 
username@addomain, and the existing URLs will work. Is this possible?


I was looking at the auth_to_local setting in /etc/krb5.conf, but I 
couldn't figure out what to do with it.


Thanks,
David Guertin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Can an Active Directory domain be the default domain?

2015-04-13 Thread David Guertin

> Said that, you can set default domain in SSSD configuration on the
> legacy clients (RHEL 5) as then SSSD will ensure proper fully-qualified
> name will be sent towards compat tree and non-qualified name can be
> asked on the client (RHEL 5) side.

I was able to do this on RHEL 6/sssd 1.11 with default_domain_suffix = 
middlebury.edu, and it works great. But that command does not work with 
RHEL 5/sssd 1.5. Is there a comparable sssd.conf setting for older sssd 
versions?


David Guertin



Re: [Freeipa-users] AD integration: Could not convert objectSID to a UNIX ID

2015-03-17 Thread David Guertin

On 03/17/2015 08:30 PM, Gould, Joshua wrote:

> It looks like the range for your AD domain defined in "ipa idrange-find
> --all" needs to match what's in for your domain in /etc/sssd/sssd.conf.
>
> For your example, under the [domain/CSNS.MIDDLEBURY.EDU] section you should have
>
> ldap_idmap_range_min = 182460
> ldap_idmap_range_size = 200
>
> Setting these two identically let me resolve AD IDs with the id command.
> Hopefully this works for you too.

Bingo! Thank you! That was indeed the solution. I needed to set the ID 
range in both places, and now users can log in.


David Guertin
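
A small check for the mismatch that this thread ran into, written as an added example (not code from the thread, FreeIPA or SSSD): it parses the field labels of `ipa idrange-find --all` output and the `ldap_idmap_range_*` keys of an sssd.conf domain section and reports, per Active Directory trust range, whether the two agree. Both inputs below are constructed samples; the `_id_range` range-name suffix and the field labels are assumptions about the CLI's output format.

```python
import configparser

# Constructed sample of `ipa idrange-find --all` output (not from the thread).
IDRANGE_OUTPUT = """\
  Range name: IPA.EXAMPLE.TEST_id_range
  First Posix ID of the range: 1000000
  Number of IDs in the range: 200000
  Range type: local domain range

  Range name: CSNS.MIDDLEBURY.EDU_id_range
  First Posix ID of the range: 182460
  Number of IDs in the range: 200
  Range type: Active Directory domain range
"""
# Constructed sssd.conf fragment; the two values are the ones quoted in the thread.
SSSD_CONF = """\
[domain/CSNS.MIDDLEBURY.EDU]
ldap_idmap_range_min = 182460
ldap_idmap_range_size = 200
"""

def parse_idranges(text):
    """Return {range name: {field: value}} parsed from idrange-find output."""
    ranges, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("Range name:"):
            current = line.split(":", 1)[1].strip()
            ranges[current] = {}
        elif current and ":" in line:
            key, val = (s.strip() for s in line.split(":", 1))
            ranges[current][key] = val
    return ranges

def sssd_idmap_ranges(text):
    """Return {domain (lowercased): (range_min, range_size)} from sssd.conf sections."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    out = {}
    for sect in cp.sections():
        if sect.startswith("domain/") and cp.has_option(sect, "ldap_idmap_range_min"):
            out[sect[len("domain/"):].lower()] = (cp.getint(sect, "ldap_idmap_range_min"),
                cp.getint(sect, "ldap_idmap_range_size", fallback=200000))  # SSSD default
    return out

def check_ad_ranges(idrange_text, sssd_text):
    """Return {ad_domain: (ipa_range, sssd_range_or_None, matches)} for AD trust ranges."""
    sssd, result = sssd_idmap_ranges(sssd_text), {}
    for name, f in parse_idranges(idrange_text).items():
        if f.get("Range type") != "Active Directory domain range":
            continue  # the IPA domain's own range is not configured via ldap_idmap_*
        domain = name[:-len("_id_range")].lower() if name.endswith("_id_range") else name.lower()
        ipa_range = (int(f["First Posix ID of the range"]), int(f["Number of IDs in the range"]))
        result[domain] = (ipa_range, sssd.get(domain), sssd.get(domain) == ipa_range)
    return result
```

Any entry whose third element is False is a client whose `id` lookups for AD users will fail the way the thread describes, either because the section is missing or because the two numbers differ.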
