On Wed, Jan 21, 2015 at 06:59:11PM +0100, Davor Vusir wrote:
> 2015-01-21 13:26 GMT+01:00 Longina Przybyszewska <[email protected]>:
> > Hi,
> >
> > Is it possible to configure SSSD to make it possible to log in with short
> > names across trusted domains?
> >
> > The sAMAccount name attributes in AD are unique, and all users have POSIX
> > attributes assigned, so there is no risk of a name mismatch between
> > different domains.
> >
> > I use the ad provider and all default settings for the AD backend
> > (gc_search_enable);
> >
> > If use_fully_qualified_names = False, only users from the client machine's
> > native domain can log in with short names; users from other domains are
> > "unknown".
> >
> > I can successfully make an ldapsearch to the Global Catalog in the top
> > domain for login names=shortname for users from different domains:
> >
> > ldapsearch -H ldap://ldap.c.example.com:3268 -Y GSSAPI -N -b "dc=c,dc=example,dc=org" "(&(objectClass=user)(sAMAccountName=user))"
> >
> > user = user-a from a.c.example.org
> >
> > user = user-b from b.c.example.org
> >
>
> Maybe you should use the uPNSuffix from domain c.example.org for your
> user accounts in domains a.c and a.b? Or add a valid one;
> http://support2.microsoft.com/kb/243629. Is it possible to use that
> uPNSuffix as default in SSSD?

Yes, since 1.12. Prior to that, you could use either the SSSD domain name as
specified in the config file or the NetBIOS name (which was autodiscovered).
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
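
Added example, not part of the original thread: short-name login across domains depends on each sAMAccountName mapping to exactly one user, and AD enforces that uniqueness only within a single domain. This sketch checks the assumption over the LDIF output of a Global Catalog search like the one quoted above; the sample entries and the function names are constructed for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample of ldapsearch LDIF output from a Global Catalog query
# (names and domains are made up for illustration).
SAMPLE_LDIF = """\
dn: CN=Alice,OU=Staff,DC=a,DC=c,DC=example,DC=org
sAMAccountName: alice

dn: CN=Bob,OU=Staff,DC=b,DC=c,DC=example,DC=org
sAMAccountName: bob

dn: CN=Alice Other,OU=Lab,DC=b,DC=c,DC=example,
 DC=org
sAMAccountName: Alice
"""

def _entries(ldif_text):
    """Yield one {attr: value} dict per LDIF entry, unfolding wrapped lines."""
    unfolded = ldif_text.replace("\r\n", "\n").replace("\n ", "")
    for block in unfolded.split("\n\n"):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            entry.setdefault(attr.lower(), value.strip())
        if "dn" in entry:
            yield entry

def domain_of(dn):
    """Build the DNS domain name from the DC= components of a DN."""
    parts = [p.strip() for p in dn.split(",")]
    return ".".join(p[3:] for p in parts if p.upper().startswith("DC=")).lower()

def short_name_collisions(ldif_text):
    """Map each sAMAccountName found in more than one domain to those domains."""
    seen = defaultdict(set)
    for entry in _entries(ldif_text):
        name = entry.get("samaccountname")
        if name:
            seen[name.lower()].add(domain_of(entry["dn"]))
    return {n: sorted(d) for n, d in seen.items() if len(d) > 1}

if __name__ == "__main__":
    for name, domains in short_name_collisions(SAMPLE_LDIF).items():
        print(f"{name}: present in {', '.join(domains)}")
```

Names are compared case-insensitively, as AD does; any name reported here would be ambiguous as a short login name on a client that resolves users from all of the listed domains.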
