> On (21/01/15 12:26), Longina Przybyszewska wrote:
> >Hi,
> >Is it possible to configure SSSD to make possible to login with short names across trusted domains?
> >The sAMAccount name attribute in AD are unique, and all users have Posix attributes assigned so there is no risk for name mismatch between different domains.
> >
> >I use ad provider and all default setting for AD backend(gc_search_enable) ;
> >
> >If use_fully_qualified_names = False only users from client machines native domain can login with shortnames; Users from other domains are "unknown".
> >
> >I can successfully make ldapsearch to Global Catalog in top domain for login names=shortname for users from different domains:
> >
> >ldapsearch -H ldap://ldap.c.example.com:3268 -Y GSSAPI -N -b "dc=c,dc=example,dc=org" "(&(objectClass=user)(sAMAccountName=user))"
> >user = user-a from a.c.example.org
> >user = user-b from b.c.example.org
> >
> If there aren't the same user names(overlapping IDs) in different AD domains then it could be possible to configure separate domains in sssd.conf.
>
> Each domain should have disabled fqdn.
> use_fully_qualified_names = false
>
> If you plan to use id_provider = ad then you should also disable subdomain provider to avoid conflicts with other sssd domains.
> subdomains_provider = none
>
> I didn't test such setup. It needn't work but it is worth trying.

It seems to work! Thanks!
I commented out default_domain_suffix.
Yes, we have unique Posix uidNumbers in the whole AD forest.

Best
longina

>
> LS
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
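
The setup discussed in this thread, written out as a complete sssd.conf. This is an added example, not a configuration posted by either participant; the domain names reuse the thread's a.c.example.org and b.c.example.org, and `ldap_id_mapping = false` is an assumption based on the statement that all users have POSIX attributes in AD.

```ini
# Constructed example: one SSSD domain section per AD domain, short names in each.
[sssd]
config_file_version = 2
services = nss, pam
# Unqualified names are looked up in the domains in this order; the first match wins.
domains = a.c.example.org, b.c.example.org
# default_domain_suffix = <previous value>   (commented out, as in the reply above)

[domain/a.c.example.org]
id_provider = ad
ad_domain = a.c.example.org
# Log in as "user-a" instead of "user-a@a.c.example.org".
use_fully_qualified_names = false
# Do not auto-discover the other forest domains; each one has its own section here.
subdomains_provider = none
# Assumption: take uidNumber/gidNumber from AD instead of SID-based ID mapping.
ldap_id_mapping = false

[domain/b.c.example.org]
id_provider = ad
ad_domain = b.c.example.org
use_fully_qualified_names = false
subdomains_provider = none
ldap_id_mapping = false
```

Because the first matching domain answers a short-name lookup, this layout depends on sAMAccountName and uidNumber being unique across the listed domains: a duplicate name in a later domain would be shadowed by the earlier one. After restarting SSSD, `getent passwd user-a` and `getent passwd user-b` should each return the entry from the expected domain.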
