On Wed, Jan 21, 2015 at 08:46:50AM -0500, Dmitri Pal wrote:
> On 01/21/2015 08:07 AM, Longina Przybyszewska wrote:
> >>-----Original Message-----
> >>From: [email protected] [mailto:sssd-users-[email protected]] On Behalf Of Jakub Hrozek
> >>Sent: 21. januar 2015 13:49
> >>To: [email protected]
> >>Subject: Re: [SSSD-users] login with shortname in AD cross realm
> >>
> >>On Wed, Jan 21, 2015 at 12:26:33PM +0000, Longina Przybyszewska wrote:
> >>>Hi,
> >>>Is it possible to configure SSSD to make possible to login with short names across trusty domains?
> >>>The sAMAccount name attribute in AD are unique, and all users have Posix attributes assigned so there is no risk for name mismatch between different domains.
> >>>I use ad provider and all default setting for AD backend(gc_search_enable) ;
> >>>
> >>>If use_fully_qualified_names = False only users from client machines native domain can login with shortnames; Users from other domains are "unknown".
> >>>I can successfully make ldapsearch to Global Catalog in top domain for login names=shortname for users from different domains:
> >>>ldapsearch -H ldap://ldap.c.example.com:3268 -Y GSSAPI -N -b "dc=c,dc=example,dc=org" "(&(objectClass=user)(sAMAccountName=user))"
> >>>user = user-a from a.c.example.org
> >>>user = user-b from b.c.example.org
> >>>
> >>>best,
> >>>Longina
> >>>
> >>Only using the default_domain_suffix option, but then you need to qualify the primary domain IIRC..
> >You mean, I have to have on all machines default-domain_suffix = c.example.org.
> >
> >I am not sure that I understand the "qualify the primary domain IIRC" del...
> >
> >If client machines and servers were in c.example.org natively, user left in subdomains -would it help?
>
> The primary domain will be the IPA domain.
> So users in IPA domain would have to use full names.

Correct, except Longina doesn't use IPA, but the answer is correct, just s/IPA/AD/.
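
An added illustration of the default_domain_suffix answer in this thread (not a configuration posted by any participant): a minimal sssd.conf sketch. It assumes the client is joined to a.c.example.org and that short names should resolve to accounts in the trusted domain c.example.org; the services line and the choice of domains are assumptions, not details from the thread.

```ini
[sssd]
# Assumption: only the NSS and PAM responders are needed on this client.
services = nss, pam

# Assumption: the client is joined to this AD domain, which makes it
# the "primary" domain discussed in the thread.
domains = a.c.example.org

# A login name typed without a domain part is treated as
# name@c.example.org, so "user" means user@c.example.org.
# Short names map to this one domain only; they are not searched
# across every trusted domain.
default_domain_suffix = c.example.org

[domain/a.c.example.org]
id_provider = ad
access_provider = ad
ad_domain = a.c.example.org

# Consequence stated in the thread: accounts in the primary domain
# (a.c.example.org here) must now log in with the qualified form,
# for example user@a.c.example.org.
```

After restarting sssd, `getent passwd user` and `getent passwd user@a.c.example.org` show which account each form resolves to before the setting is relied on for logins.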
