On Fri, 23 Jan 2015 15:50:52 +0100 Lukas Slebodnik <[email protected]> wrote:
> On (23/01/15 14:33), Longina Przybyszewska wrote:
> >
> >> On (21/01/15 12:26), Longina Przybyszewska wrote:
> >> >Hi,
> >> >Is it possible to configure SSSD to make possible to login with short names across trusty domains?
> >> >The sAMAccount name attribute in AD are unique, and all users have Posix attributes assigned so there is no risk for name mismatch between different domains.
> >> >
> >> >I use ad provider and all default setting for AD backend(gc_search_enable) ;
> >> >
> >> >If use_fully_qualified_names = False only users from client machines native domain can login with shortnames; Users from other domains are "unknown".
> >> >
> >> >I can successfully make ldapsearch to Global Catalog in top domain for login names=shortname for users from different domains:
> >> >
> >> >ldapsearch -H ldap://ldap.c.example.com:3268 -Y GSSAPI -N -b "dc=c,dc=example,dc=org" "(&(objectClass=user)(sAMAccountName=user))"
> >> >user = user-a from a.c.example.org
> >> >user = user-b from b.c.example.org
> >> >
> >> If there aren't the same user names(overlapping IDs) in different AD domains then it could be possible to configure separate domains in sssd.conf.
> >>
> >> Each domain should have disabled fqdn.
> >> use_fully_qualified_names = false
> >>
> >> If you plan to use id_provider = ad then you should also disable subdomain provider to avoid conflicts with other sssd domains.
> >> subdomains_provider = none
> >>
> >> I didn't test such setup. It needn't work but it is worth trying.
> >
> >It seems to work! Thanks!
> >I commented out default_domain_suffix.
> >
> >Yes, we have unique Posix uidNumbers in the whole AD forest.
> Could you share sanitized sssd.conf?
>
> Just in case someone else would like to solve the same problem.

What happens to group memberships that span multiple domains this way?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
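
The layout suggested in the quoted replies, written out as an added example: a constructed sssd.conf sketch, not the poster's configuration, which does not appear in this message. The domain names are taken from the ldapsearch output quoted above; the `services` list, `access_provider` and `ldap_id_mapping = False` (to use the POSIX attributes stored in AD) are assumptions.

```ini
# Constructed example: one sssd domain per AD domain, short names in both.
# File should be owned by root with mode 0600, as sssd requires.

[sssd]
# Assumed service list for login use.
services = nss, pam
# Each AD domain is listed as its own sssd domain.
domains = a.c.example.org, b.c.example.org
# default_domain_suffix is left unset (commented out, per the thread).

[domain/a.c.example.org]
id_provider = ad
access_provider = ad
ad_domain = a.c.example.org
# Log in as "user-a", not "user-a@a.c.example.org".
use_fully_qualified_names = False
# Stop this domain from auto-discovering the other AD domains as
# subdomains, which would conflict with the explicit section below.
subdomains_provider = none
# Assumption: use uidNumber/gidNumber from AD instead of SID mapping.
ldap_id_mapping = False

[domain/b.c.example.org]
id_provider = ad
access_provider = ad
ad_domain = b.c.example.org
use_fully_qualified_names = False
subdomains_provider = none
ldap_id_mapping = False

# Short names only stay unambiguous while sAMAccountName and uidNumber
# are unique across both domains, as stated in the thread. A duplicate
# name would resolve to whichever domain is listed first in "domains".
```

The question about group memberships that span domains is not answered in this message; after applying a layout like this, compare `id <user>` and `getent group <group>` output against the memberships recorded in AD before relying on group-based access rules.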
