> -----Original Message-----
> From: [email protected] [mailto:sssd-users-[email protected]] On Behalf Of Jakub Hrozek
> Sent: 21. januar 2015 13:49
> To: [email protected]
> Subject: Re: [SSSD-users] login with shortname in AD cross realm
>
> On Wed, Jan 21, 2015 at 12:26:33PM +0000, Longina Przybyszewska wrote:
> > Hi,
> > Is it possible to configure SSSD to make possible to login with short names across trusty domains?
> > The sAMAccount name attribute in AD are unique, and all users have Posix attributes assigned so there is no risk for name mismatch between different domains.
> >
> > I use ad provider and all default setting for AD backend(gc_search_enable) ;
> >
> > If use_fully_qualified_names = False only users from client machines native domain can login with shortnames; Users from other domains are "unknown".
> >
> > I can successfully make ldapsearch to Global Catalog in top domain for login names=shortname for users from different domains:
> >
> > ldapsearch -H ldap://ldap.c.example.com:3268 -Y GSSAPI -N -b "dc=c,dc=example,dc=org" "(&(objectClass=user)(sAMAccountName=user))"
> > user = user-a from a.c.example.org
> > user = user-b from b.c.example.org
> >
> > best,
> > Longina
> >
>
> Only using the default_domain_suffix option, but then you need to qualify the primary domain IIRC..

You mean, I have to have on all machines default_domain_suffix = c.example.org.
I am not sure that I understand the "qualify the primary domain IIRC" part...

If client machines and servers were in c.example.org natively, user left in subdomains - would it help?

Best,
longina

> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
