On (21/01/15 12:26), Longina Przybyszewska wrote:
>Hi,
>Is it possible to configure SSSD to make it possible to log in with short names
>across trusted domains?
>The sAMAccountName attribute in AD is unique, and all users have POSIX
>attributes assigned, so there is no risk of name mismatch between different
>domains.
>
>I use the ad provider and all default settings for the AD backend (gc_search_enable);
>
>If use_fully_qualified_names = False, only users from the client machine's native
>domain can log in with short names; users from other domains are "unknown".
>
>I can successfully make an ldapsearch to the Global Catalog in the top domain for login
>names=shortname for users from different domains:
>
>ldapsearch -H ldap://ldap.c.example.com:3268 -Y GSSAPI -N -b 
>"dc=c,dc=example,dc=org" "(&(objectClass=user)(sAMAccountName=user))"
>user = user-a from a.c.example.org
>user = user-b from b.c.example.org
>
If there aren't the same user names (overlapping IDs) in different AD domains,
then it could be possible to configure separate domains in sssd.conf.

Each domain should have fqdn disabled:
   use_fully_qualified_names = false

If you plan to use id_provider = ad, then you should also disable the
subdomain provider to avoid conflicts with other sssd domains:
   subdomains_provider = none

I didn't test such a setup. It needn't work, but it is worth trying.

LS
_______________________________________________
sssd-users mailing list
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
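
The layout suggested in the reply, as an added example that is not part of the original thread and is no more tested against SSSD than the reply itself: a Python check that a multi-domain sssd.conf sets both options in every enabled domain, plus a check for the short-name overlap the reply names as the precondition. The domain names come from the question; the sample config, the user lists passed in, and the function names `check_short_name_setup` and `overlapping_short_names` are constructed for illustration.

```python
import configparser

# Constructed sssd.conf: one section per AD domain, as the reply suggests.
# The second domain deliberately omits subdomains_provider.
SAMPLE_CONF = """
[sssd]
services = nss, pam
domains = a.c.example.org, b.c.example.org

[domain/a.c.example.org]
id_provider = ad
use_fully_qualified_names = false
subdomains_provider = none

[domain/b.c.example.org]
id_provider = ad
use_fully_qualified_names = false
"""

def check_short_name_setup(conf_text):
    """Return findings; an empty list means the layout matches the reply."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    raw = cp.get("sssd", "domains", fallback="")
    for name in [d.strip() for d in raw.split(",") if d.strip()]:
        section = "domain/" + name
        if not cp.has_section(section):
            findings.append(f"{name}: enabled but [{section}] is missing")
            continue
        dom = cp[section]
        if dom.get("use_fully_qualified_names", "").strip().lower() != "false":
            findings.append(f"{name}: use_fully_qualified_names is not set to false")
        if (dom.get("id_provider", "").strip().lower() == "ad"
                and dom.get("subdomains_provider", "").strip().lower() != "none"):
            findings.append(f"{name}: id_provider = ad without subdomains_provider = none")
    return findings

def overlapping_short_names(users_by_domain):
    """Map each short name found in more than one domain to those domains."""
    seen = {}
    for domain, users in users_by_domain.items():
        for user in users:
            # Assumption: names are compared case-insensitively, as AD does.
            seen.setdefault(user.lower(), set()).add(domain)
    return {u: sorted(d) for u, d in seen.items() if len(d) > 1}

if __name__ == "__main__":
    print("\n".join(check_short_name_setup(SAMPLE_CONF)) or "layout matches")
```

The user lists for `overlapping_short_names` would come from a per-domain export of sAMAccountName values, such as the Global Catalog query shown in the question.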
