On (23/01/15 14:33), Longina Przybyszewska wrote:
> 
>> On (21/01/15 12:26), Longina Przybyszewska wrote:
>> >Hi,
>> >Is it possible to configure SSSD to make it possible to log in with short
>> >names across trusted domains?
>> >The sAMAccountName attributes in AD are unique, and all users have POSIX
>> >attributes assigned, so there is no risk of a name mismatch between different
>> >domains.
>> >
>> >I use the ad provider and all default settings for the AD
>> >backend (gc_search_enable);
>> >
>> >If use_fully_qualified_names = False, only users from the client machine's native
>> >domain can log in with short names; users from other domains are
>> >"unknown".
>> >
>> >I can successfully run ldapsearch against the Global Catalog in the top domain for
>> >login names = shortname for users from different domains:
>> >
>> >ldapsearch -H ldap://ldap.c.example.com:3268 -Y GSSAPI -N -b
>> >"dc=c,dc=example,dc=org"
>> >"(&(objectClass=user)(sAMAccountName=user))"
>> >user = user-a from a.c.example.org
>> >user = user-b from b.c.example.org
>> >
>> If there aren't the same user names (overlapping IDs) in different AD
>> domains, then it could be possible to configure separate domains in sssd.conf.
>> 
>> Each domain should have fqdn disabled:
>>    use_fully_qualified_names = false
>> 
>> If you plan to use id_provider = ad then you should also disable the subdomains
>> provider to avoid conflicts with other sssd domains.
>>    subdomains_provider = none
>> 
>> I didn't test such a setup. It might not work, but it is worth trying.
>
>It seems to work! Thanks!  
>I commented out default_domain_suffix.
>
>Yes, we have unique Posix uidNumbers in the whole AD forest.
Could you share sanitized sssd.conf?

Just in case someone else would like to solve the same problem.

LS
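
A sanitized sssd.conf of the kind asked for above, written here as an added example and not the poster's actual file: it reconstructs the two-domain setup from the settings discussed in the thread (one [domain/...] section per AD domain, use_fully_qualified_names = false, subdomains_provider = none, default_domain_suffix left unset). The realm names and the ad/krb5 values are assumptions derived from the a.c.example.org and b.c.example.org names in the ldapsearch output.

```ini
# Added example, not the poster's real file: a sanitized sssd.conf
# reconstructed from the settings discussed in this thread.
[sssd]
services = nss, pam
config_file_version = 2
# Unqualified names are looked up in these domains in this order, so with
# use_fully_qualified_names = false a short name present in both would resolve
# to the first match; the forest-wide uniqueness the thread relies on matters.
domains = a.c.example.org, b.c.example.org
# Left unset (commented out), as the poster did:
# default_domain_suffix = a.c.example.org

[domain/a.c.example.org]
id_provider = ad
access_provider = ad
ad_domain = a.c.example.org          # assumed
krb5_realm = A.C.EXAMPLE.ORG         # assumed
# One sssd domain per AD domain: do not let this domain also discover the
# trusted domains as subdomains, or the two sssd domains would overlap.
subdomains_provider = none
use_fully_qualified_names = false
# POSIX attributes are assigned in AD, so do not synthesise IDs from SIDs.
ldap_id_mapping = false
cache_credentials = true

[domain/b.c.example.org]
id_provider = ad
access_provider = ad
ad_domain = b.c.example.org          # assumed
krb5_realm = B.C.EXAMPLE.ORG         # assumed
subdomains_provider = none
use_fully_qualified_names = false
ldap_id_mapping = false
cache_credentials = true
```

After editing, `sssctl config-check` (or restarting sssd and checking `getent passwd user-b`) confirms that a short name from the second domain now resolves.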
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
