On Wed, Jan 21, 2015 at 12:26:33PM +0000, Longina Przybyszewska wrote: > Hi, > Is it possible to configure SSSD to make possible to login with short names > across trusty domains? > The sAMAccount name attribute in AD are unique, and all users have Posix > attributes assigned so there is no risk for name mismatch between different > domains. > > I use ad provider and all default setting for AD backend(gc_search_enable) ; > > If use_fully_qualified_names = False only users from client machines native > domain can login with shortnames; Users from other domains are "unknown". > > I can successfully make ldapsearch to Global Catalog in top domain for login > names=shortname for users from different domains: > > ldapsearch -H ldap://ldap.c.example.com:3268 -Y GSSAPI -N -b > "dc=c,dc=example,dc=org" "(&(objectClass=user)(sAMAccountName=user))" > user = user-a from a.c.example.org > user = user-b from b.c.example.org > > best, > Longina >
Only using the default_domain_suffix option, but then you need to qualify the primary domain IIRC.. _______________________________________________ sssd-users mailing list [email protected] https://lists.fedorahosted.org/mailman/listinfo/sssd-users
