On Wed, Jan 11, 2017 at 11:44:18AM -0500, Mike Smorul wrote:
> Hi,
>  We're having an issue getting sssd to look up non-qualified names across
> our forest. From the documentation it appears this should be supported via
> lookups done to the global catalog or failing that, queries against all
> discovered subdomains.
> 
> *Setup:*
> - Two domains, site.com and b.site.com.
> - Host is joined to b.site.com., and is joined to the domain (net ads join)
> - Users that will log in can be found in either b.site.com or site.com
> - usernames and UIDs are unique within the forest
> 
> *What works:*
> - login and lookup for accounts in b.site.com
> - login and lookup for site.com accounts when fully qualified ([email protected])
> 
> *Desired behavior:*
> - users from site.com can use their non-qualified usernames to connect to
> the host

I'm sorry, but /input/ shortnames towards trusted domains are not
supported out of the box until
    https://fedorahosted.org/sssd/ticket/3001
is implemented.

> 
> Current Config:
> [sssd]
> domains = b.site.com
> config_file_version = 2
> override_space = _
> services = nss,pam
> 
> [domain/b.site.com]
> debug_level = 9
> ldap_group_nesting_level = 5
> id_provider = ad
> auth_provider = ad
> default_shell = /bin/bash
> ldap_id_mapping = false
> simple_allow_groups = [email protected]
> use_fully_qualified_names = false
> ad_enable_gc = true
> 
> *Other notes:*
> - We attempted to use the setup described here
> https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648.html,
> however clients attempt to authenticate to each domain and fail as they are
> only joined to b.site.com.

This should work as long as the ldap_sasl_authid is set properly for
both domains (I haven't tested that, though, but it should work.)

> - Made sure the following attributes were replicated to the global
> catalog: uidNumber,gidNumber,loginShell,unixHomeDirectory
> - logs show that an ldap query is only attempted against b.site.com for the
> non-qualified account.
> - logs show that the root domain, site.com is discovered along w/ its
> domain controllers.
> - version 1.13.4 (ubuntu 16.04)
> 
> Any suggestions?
> 
> Thanks,
>  -Mike

> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
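
A check for the `ldap_sasl_authid` point raised in the reply above, as an added example that is not part of the original thread or SSSD's own code. It assumes "set properly" means a principal in the realm the host is joined to (B.SITE.COM); the host name `HOST1` and the second domain section in the sample are constructed.

```python
import configparser

# Constructed sample: one [domain/...] section per forest domain, as in the
# multi-domain setup mentioned in the thread. "HOST1" is a made-up host name.
SAMPLE = """
[sssd]
domains = b.site.com, site.com
services = nss,pam

[domain/b.site.com]
id_provider = ad
ldap_sasl_authid = HOST1$@B.SITE.COM

[domain/site.com]
id_provider = ad
"""


def check_sasl_authid(conf_text, joined_realm):
    """Return {domain: problem} for every enabled domain whose
    ldap_sasl_authid is missing or is not in the joined realm (assumption)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    problems = {}
    for name in (d.strip() for d in cp.get("sssd", "domains").split(",")):
        section = "domain/" + name
        if not cp.has_section(section):
            problems[name] = "listed in [sssd] domains but has no section"
            continue
        authid = cp.get(section, "ldap_sasl_authid", fallback=None)
        if authid is None:
            problems[name] = "ldap_sasl_authid not set"
        elif authid.rpartition("@")[2].upper() != joined_realm.upper():
            problems[name] = "ldap_sasl_authid realm is not " + joined_realm.upper()
    return problems


if __name__ == "__main__":
    for dom, why in check_sasl_authid(SAMPLE, "B.SITE.COM").items():
        print(dom + ": " + why)
```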