[Freeipa-users] Using shortname on old sssd (rhel6)

2019-12-11 Thread S Toulmonde via FreeIPA-users
Hello all! I'm migrating our old LDAP infra to IPA 4.6.5 (rhel 7) with an external trust to Windows. Previously, all users were their shortname because we replicated AD users to LDAP. Most users reside in AD, but we have *nix-only users in LDAP. Everything seems fine for rhel7+ because sssd

[Freeipa-users] Re: Using shortname on old sssd (rhel6)

2019-12-12 Thread S Toulmonde via FreeIPA-users
Hi John, Yes, your previous setup is quite similar to what we have (and what we're migrating away from): an LDAP server in Unix with accounts from AD that are being synchronized. Unfortunately our userbase is in AD (we have around 4000 users) and our *nix userbase is also rather large (around

[Freeipa-users] Re: Using shortname on old sssd (rhel6)

2019-12-12 Thread S Toulmonde via FreeIPA-users
Hi Louis, Yes, saw this in the archive and I understand the root cause, I just wanted to know how some people work around this. Currently I'm trying to build my own sssd 1.16 on rhel6 and see how far I can go. Thanks ___ FreeIPA-users mailing list --

[Freeipa-users] Can't resolve external users on clients, but I can on servers

2019-10-10 Thread S Toulmonde via FreeIPA-users
Hi, I set up an IPA realm (under rhel7) with a trust relationship to a Windows domain. All users in AD have an idoverride to override uid and gid. Originally, everything was working like expected: servers could resolve IPA and external (trusted) users, I could create kerberos tickets, log-in via

[Freeipa-users] Re: Can't resolve external users on clients, but I can on servers

2019-10-11 Thread S Toulmonde via FreeIPA-users
Hi Sumit, I've tried all options: use_fully_qualified_names = False on server and client, a matrix of true/false, same issue... Thanks for your help! ___ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email

[Freeipa-users] Re: Can't resolve external users on clients, but I can on servers

2019-10-11 Thread S Toulmonde via FreeIPA-users
Sumit, Ok, so on the server and the client I've set the use_fully_qualified_names to True, restarted sssd and cleared the cache. On the client I did id aduser@ad.domain - logs are here: (Fri Oct 11 11:36:47 2019) [sssd[be[ipa.domain]]] [sbus_dispatch] (0x4000): dbus conn: 0x55ded6099250 (Fri

[Freeipa-users] Re: Legacy client in compat tree - multiple entries?

2020-01-16 Thread S Toulmonde via FreeIPA-users
Hi Alexander, Indeed that did the trick: if I'm using the user@ipadomain I can now log in to the server. Now the funny part: if I use an external domain (AD users), then I can use the shortname... Huh... Thanks!

[Freeipa-users] Legacy client in compat tree - multiple entries?

2020-01-16 Thread S Toulmonde via FreeIPA-users
Hello IPA gurus, I have a legacy client (Solaris) that I want to migrate to an IPA (RHEL IPA 4.6.5). Currently, it's being served by an ODSEE server for ldap. So first I want to test if I can connect with a user in IPA, then I'll try with an external (AD client). But I have the following issue: