Yes, correct.  I converted "[domain/XXX]" lines and ad_domain lines to
upper case.  Example:

   [domain/EMEA.COMPANY.COM]
   ...
   ad_domain = EMEA.COMPANY.COM
   krb5_realm = EMEA.COMPANY.COM

That allows me to do a 'realm permit' specifying upper case for my domain.
For example:

   realm permit [email protected]

Spike

On Mon, May 6, 2019 at 5:01 AM Sumit Bose <[email protected]> wrote:

> Hi,
>
> thank you for reporting this behavior. realm is indeed a bit too picky
> about the case here. At least for AD the case should be ignored.
>
> On Sun, Apr 14, 2019 at 09:44:56AM -0500, Spike White wrote:
> > BTW, yes -- that works. If I transform in sssd.conf every "[domain/xxx]"
> > line:
> >
> >     [domain/{amer,emea,apac,japn}.company.com]
>
> Am I correct that you not only changed the "[domain/xxx]" lines but the
> "ad_domain" lines as well?
>
> bye,
> Sumit
>
> >
> > to upper case and restart sssd,  I can then "realm permit" in upper case.
> >
> >     realm permit -R AMER.COMPANY.COM [email protected]
> >
> > Curiously, in sssd.conf, it records the user in lower case:
> >
> >     simple_allow_users = [email protected], [email protected]
> >
> > No problem with that for me;  I'm really hitting against AD -- which is
> > case-insensitive.
> >
> > BTW, I checked -- I did my original realm join against AMER.COMPANY.COM
> > (all upper-case).
> >
> > Spike
> >
> >
> > On Sat, Apr 13, 2019 at 3:59 PM Spike White <[email protected]> wrote:
> >
> > > All,
> > >
> > > I have sssd set up and doing cross-domain AD authentication.  I'm using
> > > the simple access provider and conferring login access per group.
> > > Occasionally per user.
> > >
> > > I notice that if I do a basic 'realm permit <user>', that it adds this
> > > user to the wrong AD domain:
> > >
> > > Example:
> > >
> > > realm permit processehcprofiler
> > >
> > > adds it to my JAPN.COMPANY.COM AD domain, not my local AD domain (AMER).
> > >
> > > If I attempt to do
> > >
> > > realm permit -R AMER.COMPANY.COM [email protected]
> > >
> > > I get this error:
> > >
> > > realm: Couldn't find a matching realm
> > >
> > > Through various experimentation, I find that if I do this:
> > >
> > > realm permit -R amer.company.com [email protected]
> > >
> > > that it works.  As confirmed by 'sssctl user-checks processehcprofiler'
> > >
> > > I notice my "domain" entries in /etc/sssd/sssd.conf file are all lower
> > > case:
> > >
> > > domains = amer.company.com,apac.company.com,emea.company.com,japn.company.com
> > > ...
> > > [domain/amer.company.com]
> > > ad_domain = amer.company.com
> > > ...
> > > [domain/apac.company.com]
> > > ad_domain = apac.company.com
> > > ...
> > > [domain/emea.company.com]
> > > ad_domain = emea.company.com
> > > ...
> > > [domain/japn.company.com]
> > > ad_domain = japn.company.com
> > > ...
> > >
> > > I'm used to Kerberos where domain names are uc and account names are lc.
> > > So to do:
> > >
> > > realm permit -R AMER.COMPANY.COM [email protected]
> > >
> > > I have to re-write all the domain names in my sssd.conf file to uc?
> > >
> > > Spike
> > >
>
> > _______________________________________________
> > sssd-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
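Added example, not part of the thread and not code from sssd or realmd: a small audit that lists `simple_allow_users` entries sitting in a `[domain/...]` section other than the one their suffix names, which is how a permit that landed in the wrong AD domain shows up in sssd.conf. The sample config, the user names and the function names are constructed for illustration, and the parser assumes one option per line.

```python
import re

# Constructed sample in the layout the thread describes (not a real config).
SAMPLE = """\
[sssd]
domains = amer.company.com,japn.company.com

[domain/amer.company.com]
ad_domain = amer.company.com
access_provider = simple
simple_allow_users = alice@amer.company.com

[domain/japn.company.com]
ad_domain = japn.company.com
access_provider = simple
simple_allow_users = bob@japn.company.com, svc_profiler@amer.company.com, carol
"""

def parse_domains(text):
    """Return {section_domain: {option: value}} for every [domain/...] section."""
    domains, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            name = header.group(1)
            current = domains.setdefault(name[7:], {}) if name.startswith("domain/") else None
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return domains

def audit_allow_users(text):
    """List (section, user, note) for allow-list entries worth a second look."""
    findings = []
    for section, opts in parse_domains(text).items():
        realm = opts.get("ad_domain", section)
        for user in filter(None, (u.strip() for u in opts.get("simple_allow_users", "").split(","))):
            _, _, suffix = user.partition("@")
            if not suffix:
                findings.append((section, user, "unqualified name"))
            elif suffix.lower() != realm.lower():  # compare case-insensitively, as AD does
                findings.append((section, user, "suffix differs from ad_domain"))
    return findings

if __name__ == "__main__":
    for finding in audit_allow_users(SAMPLE):
        print(*finding, sep=": ")
```

Run it against a copy of /etc/sssd/sssd.conf after each `realm permit` to confirm the entry went into the intended domain section.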