2015-01-21 13:26 GMT+01:00 Longina Przybyszewska <[email protected]>:
> Hi,
>
> Is it possible to configure SSSD to make it possible to log in with short
> names across trusty domains?
>
> The sAMAccountName attributes in AD are unique, and all users have POSIX
> attributes assigned, so there is no risk of name mismatch between different
> domains.
>
> I use the ad provider and all default settings for the AD backend (gc_search_enable);
>
> If use_fully_qualified_names = False, only users from the client machine's native
> domain can log in with short names; users from other domains are “unknown”.
>
> I can successfully make an ldapsearch to the Global Catalog in the top domain for
> login names=shortname for users from different domains:
>
> ldapsearch -H ldap://ldap.c.example.com:3268 -Y GSSAPI -N -b "dc=c,dc=example,dc=org" "(&(objectClass=user)(sAMAccountName=user))"
>
> user = user-a from a.c.example.org
>
> user = user-b from b.c.example.org

Maybe you should use the uPNSuffix from domain c.example.org for your user accounts in domains a.c and a.b? Or add a valid one; http://support2.microsoft.com/kb/243629. Is it possible to use that uPNSuffix as default in SSSD?

Regards
Davor

> best,
>
> Longina
>
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
