Hi, We're having an issue getting sssd to lookup non-qualified names across our forest. From the documentation it appears this should be supported via lookups done to the global catalog or failing that, queries against all discovered subdomains.
*Setup:*
- Two domains, site.com and b.site.com.
- Host is joined to b.site.com (net ads join).
- Users that will log in can be found in either b.site.com or site.com.
- Usernames and uids are unique within the forest.

*What works:*
- Login and lookup for accounts in b.site.com.
- Login and lookup for site.com accounts when fully qualified ([email protected]).

*Desired behavior:*
- Users from site.com can use their non-qualified usernames to connect to the host.

Current config:

    [sssd]
    domains = b.site.com
    config_file_version = 2
    override_space = _
    services = nss,pam

    [domain/b.site.com]
    debug_level = 9
    ldap_group_nesting_level = 5
    id_provider = ad
    auth_provider = ad
    default_shell = /bin/bash
    ldap_id_mapping = false
    simple_allow_groups = [email protected]
    use_fully_qualified_names = false
    ad_enable_gc = true

*Other notes:*
- We attempted to use the setup described here: https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648.html. However, clients attempt to authenticate to each domain and fail, as they are only joined to b.site.com.
- Made sure the following attributes were replicated to the global catalog: uidNumber, gidNumber, loginShell, unixHomeDirectory.
- Logs show that an LDAP query is only attempted against b.site.com for the non-qualified account.
- Logs show that the root domain, site.com, is discovered along with its domain controllers.
- Version 1.13.4 (Ubuntu 16.04).

Any suggestions?

Thanks,
-Mike
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
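A small configuration checker, added here as an example and not part of the original post or of the sssd project: it parses the sssd.conf from the message above (embedded inline as a constructed sample, with the redacted group replaced by a placeholder) and reports the settings that govern forest-wide unqualified lookups, plus two review points a defender would want flagged. The check for `access_provider` relies on sssd's documented default of `permit`, under which `simple_allow_groups` is not enforced; the attribute list and the GC requirement are taken from the post. Default values assumed for absent options (`ad_enable_gc` true, `ldap_id_mapping` true for the AD provider, `use_fully_qualified_names` false) are sssd defaults as I know them.

```python
import configparser
from typing import List

# Constructed sample: the configuration from the post, with the redacted
# group name replaced by an obvious placeholder.
SAMPLE_SSSD_CONF = """
[sssd]
domains = b.site.com
config_file_version = 2
override_space = _
services = nss,pam

[domain/b.site.com]
debug_level = 9
ldap_group_nesting_level = 5
id_provider = ad
auth_provider = ad
default_shell = /bin/bash
ldap_id_mapping = false
simple_allow_groups = ALLOWED_GROUP_PLACEHOLDER
use_fully_qualified_names = false
ad_enable_gc = true
"""

# POSIX attributes the AD provider reads when ldap_id_mapping = false; the
# post notes these must be replicated to the global catalog for GC lookups.
POSIX_GC_ATTRS = ("uidNumber", "gidNumber", "loginShell", "unixHomeDirectory")


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    """Parse sssd.conf text; section names like 'domain/b.site.com' are kept verbatim."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_sssd_conf(text: str) -> List[str]:
    """Return a list of human-readable findings about the configuration."""
    cp = parse_sssd_conf(text)
    findings: List[str] = []
    if "sssd" not in cp:
        return ["missing [sssd] section"]
    sssd = cp["sssd"]
    if sssd.get("config_file_version") != "2":
        findings.append("[sssd]: config_file_version should be 2")
    domains = [d.strip() for d in sssd.get("domains", "").split(",") if d.strip()]
    if not domains:
        findings.append("[sssd]: no domains listed")

    for name in domains:
        sec = f"domain/{name}"
        if sec not in cp:
            findings.append(f"[sssd]: domain {name} listed but no [{sec}] section")
            continue
        dom = cp[sec]
        # Access control: simple_allow_groups is only consulted when
        # access_provider = simple; the sssd default is 'permit'.
        if "simple_allow_groups" in dom and dom.get("access_provider", "permit") != "simple":
            findings.append(f"[{sec}]: simple_allow_groups set but access_provider is not "
                            "'simple' (default 'permit'): the group restriction is not enforced")
        # Verbose debug logs record usernames and lookup details; keep them
        # short-lived on production hosts.
        if dom.getint("debug_level", fallback=0) >= 9:
            findings.append(f"[{sec}]: debug_level >= 9 leaves verbose logs on disk")
        if dom.get("id_provider") == "ad":
            if not dom.getboolean("ad_enable_gc", fallback=True):
                findings.append(f"[{sec}]: ad_enable_gc is false; GC-based forest lookups disabled")
            if not dom.getboolean("ldap_id_mapping", fallback=True):
                findings.append(f"[{sec}]: ldap_id_mapping=false, so "
                                f"{', '.join(POSIX_GC_ATTRS)} must exist on each account "
                                "and be replicated to the GC for cross-domain lookups")
            if not dom.getboolean("use_fully_qualified_names", fallback=False):
                findings.append(f"[{sec}]: unqualified names accepted; relies on usernames "
                                "being unique across every domain that can resolve them")
    return findings


if __name__ == "__main__":
    for line in check_sssd_conf(SAMPLE_SSSD_CONF):
        print(line)
```

Run it against a real `/etc/sssd/sssd.conf` by reading the file into `check_sssd_conf`; the findings are advisory and meant to be compared against the debug log (which in the post shows lookups going only to b.site.com) rather than applied blindly.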
