Re: [Freeipa-users] Can an Active Directory domain be the default domain?

2015-04-13 Thread Jakub Hrozek
On Mon, Apr 13, 2015 at 01:02:18PM -0400, David Guertin wrote:
 
> > That said, you can set default domain in SSSD configuration on the
> > legacy clients (RHEL 5) as then SSSD will ensure proper fully-qualified
> > name will be sent towards compat tree and non-qualified name can be
> > asked on the client (RHEL 5) side.
> I was able to do this on RHEL 6/sssd 1.11 with default_domain_suffix =
> middlebury.edu, and it works great. But that command does not work with
> RHEL 5/sssd 1.5. Is there a comparable sssd.conf setting for older sssd
> versions?

I'm afraid there is not. The AD entries in the compat tree are fully
qualified anyway, and since they are in the same tree as IPA users there
needs to be a way to distinguish them.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Can an Active Directory domain be the default domain?

2015-04-13 Thread Jakub Hrozek
On Mon, Apr 13, 2015 at 10:23:08AM -0400, David Guertin wrote:
> In our newly-setup IPA environment, users can log in to RHEL clients with
> the username username@addomain. This works, but I've run into a problem
> with some RHEL 5 clients that are Apache servers -- the Apache UserDir
> mappings no longer work. Many of the users have web pages served from the
> public_html directory in their home directory. With our old NIS
> configuration, the URL is of the form http://hostname/~username. With the
> new IPA configuration, these URLs no longer work; the web pages are now
> found in http://hostname/~username@addomain.
>
> I can think of several ways to approach this problem, but my first thought
> is to have IPA recognize the AD domain as the default domain, so that our
> users could log in with username instead of username@addomain, and the
> existing URLs will work. Is this possible?
>
> I was looking at the auth_to_local setting in /etc/krb5.conf, but I couldn't
> figure out what to do with it.
>
> Thanks,
> David Guertin

Have you seen the default_domain_suffix option in sssd.conf?



Re: [Freeipa-users] Can an Active Directory domain be the default domain?

2015-04-13 Thread Alexander Bokovoy

On Mon, 13 Apr 2015, David Guertin wrote:
> In our newly-setup IPA environment, users can log in to RHEL clients
> with the username username@addomain. This works, but I've run into a
> problem with some RHEL 5 clients that are Apache servers -- the Apache
> UserDir mappings no longer work. Many of the users have web pages
> served from the public_html directory in their home directory. With
> our old NIS configuration, the URL is of the form
> http://hostname/~username. With the new IPA configuration, these URLs
> no longer work; the web pages are now found in
> http://hostname/~username@addomain.
>
> I can think of several ways to approach this problem, but my first
> thought is to have IPA recognize the AD domain as the default domain,
> so that our users could log in with username instead of
> username@addomain, and the existing URLs will work. Is this
> possible?
>
> I was looking at the auth_to_local setting in /etc/krb5.conf, but I
> couldn't figure out what to do with it.

auth_to_local is for a different purpose.

It is not possible to change SSSD to use the AD forest root domain as the
default domain on the IPA master, because you'll break the compat tree and
SSSD on IPA clients. The compat tree and the extdom plugin expect to have
normalized user names on the IPA master. Additionally, the compat tree
expects normalized names to come from legacy clients; it is the only way
we can efficiently recognize these requests as being for AD users and
avoid doing a search for every misnamed IPA user.

That said, you can set the default domain in the SSSD configuration on the
legacy clients (RHEL 5), as then SSSD will ensure a proper fully-qualified
name is sent towards the compat tree while a non-qualified name can be
used on the client (RHEL 5) side.

However, this will only work in case you have a single AD domain in a
forest. If you have more than one AD domain, you are out of luck.

I'd suggest looking into mod_rewrite configuration to handle @addomain
part in Apache configuration.
--
/ Alexander Bokovoy

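Alexander's mod_rewrite suggestion written out as an added example; this is not configuration from the thread or from the FreeIPA project. It assumes Apache httpd with mod_rewrite and mod_userdir loaded, a single AD domain (addomain is a placeholder for the real domain name), and that the rules live in server or virtual-host context, where mod_rewrite's URL mapping runs before mod_userdir's.

```apache
# Added example (not from the thread): map the old NIS-style
# http://hostname/~username/... URLs onto the qualified names that
# mod_userdir now needs after the move to IPA with an AD trust.
# "addomain" is a placeholder; put the real AD domain there.
RewriteEngine On

# Only rewrite names that are unqualified and built from a narrow
# character set. The anchors and the class (no "@", no "/", no "..")
# mean a request cannot supply its own "@otherdomain" suffix or a
# path component, and URLs that already use the qualified form
# (/~user@addomain/...) do not match and pass through untouched.
# mod_rewrite matches the already URL-decoded path here, so an
# encoded "%40" is seen as "@" and is rejected by the class as well.
RewriteRule ^/~([A-Za-z0-9._-]+)(/.*)?$ /~$1@addomain$2 [PT,L]
```

With [PT] the rewritten URI is handed on to the remaining URL-to-filename handlers rather than treated as a filesystem path, so mod_userdir still does the home-directory lookup; after the rewrite it sees user@addomain, which is also the form any UserDir enabled/disabled lists need to use. The suffix is hard-coded, so this carries the same limitation Alexander gives for the client-side SSSD setting: it only works for a single AD domain.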


Re: [Freeipa-users] Can an Active Directory domain be the default domain?

2015-04-13 Thread David Guertin



> That said, you can set default domain in SSSD configuration on the
> legacy clients (RHEL 5) as then SSSD will ensure proper fully-qualified
> name will be sent towards compat tree and non-qualified name can be
> asked on the client (RHEL 5) side.
I was able to do this on RHEL 6/sssd 1.11 with default_domain_suffix = 
middlebury.edu, and it works great. But that command does not work with 
RHEL 5/sssd 1.5. Is there a comparable sssd.conf setting for older sssd 
versions?


David Guertin
