Hi Steve,

Referring to sssd.conf man page:

default_domain_suffix (string)
    This string will be used as a default domain name for all names without a domain name component. The main use case is environments where the primary domain is intended for managing host policies and all users are located in a trusted domain. The option allows those users to log in just with their user name without giving a domain name as well.

    Please note that if this option is set all users from the primary domain have to use their fully qualified name, e.g. [email protected], to log in.

When you have default_domain_suffix set all user queries based on username only will land there. Alternatively you will have to use a fully qualified user name (user@domain) to explicitly point to the domain you want to query.

Please take a look at another sssd.conf option which may be useful for your scenario: domain_resolution_order.

Best regards,
Pawel

On Mon, Jul 19, 2021 at 2:34 PM Steve Traylen <[email protected]> wrote:

> sssd-2.5.1-2.el8
>
> With a files domain and an ldap domain in simplified form below then all
> works well for me and passwd files are checked and win
> before ldap entries.
>
> However as soon as `default_domain_suffix = mydomain.ch` is added then
> all the password entries never match
> since it is presumably looking up `<username>@mydomain.ch`. While I can
> understand that this may make sense is there a way
> forward to continue to look up in shadowutils domain by username only?
>
> I am unsure if default_domain_suffix only appends the suffix or actually
> forces the lookup to only happen to the mydomain.ch ldap domain.
>
> ```
> [sssd]
> domains = shadowutils, mydomain.ch
>
> [domain/shadowutils]
> id_provider = files
>
> full_name_format = %1$s
>
> auth_provider = proxy
> proxy_pam_target = sssd-shadowutils
>
> proxy_fast_alias = True
>
> [domain/mydomain.ch]
> id_provider = ldap
> full_name_format = %1$s
> ```
> Many Thanks
>
> Steve Traylen.
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure

--
Paweł Poławski
Senior Software Engineer
Red Hat <https://www.redhat.com/>
[email protected]
@RedHat <https://twitter.com/redhat> Red Hat <https://www.linkedin.com/company/red-hat> Red Hat <https://www.facebook.com/RedHatInc>
<https://red.ht/sig>
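The following check is an added example, not part of either message and not SSSD code: it parses an sssd.conf and reports which configured domains stop answering bare user names once `default_domain_suffix` is set, applying only the rule stated in the reply above. The function name `short_name_report` and the sample text are constructed for illustration, and the script only reports whether `domain_resolution_order` is present without modelling its effect.

```python
import configparser

# Constructed sample: the simplified config from the thread plus the suffix option.
SAMPLE_CONF = """\
[sssd]
domains = shadowutils, mydomain.ch
default_domain_suffix = mydomain.ch

[domain/shadowutils]
id_provider = files
full_name_format = %1$s

[domain/mydomain.ch]
id_provider = ldap
full_name_format = %1$s
"""


def short_name_report(conf_text):
    """Summarise where bare user names go, per the rule quoted in the reply."""
    # interpolation=None: "%1$s" is an SSSD format string, not a configparser template.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    sssd = cp["sssd"] if cp.has_section("sssd") else {}
    domains = [d.strip() for d in sssd.get("domains", "").split(",") if d.strip()]
    suffix = sssd.get("default_domain_suffix", "").strip() or None
    order = sssd.get("domain_resolution_order", "").strip() or None

    if suffix is None:
        # No suffix: bare names are tried against the domains as listed.
        return {"bare_names": domains, "need_fq_name": {}, "resolution_order": order}

    # Suffix set: a bare name is treated as name@suffix, so every other
    # configured domain is reachable only as user@domain.
    need_fq = {}
    for dom in domains:
        if dom.lower() != suffix.lower():
            provider = cp.get("domain/" + dom, "id_provider", fallback="unknown")
            need_fq[dom] = provider
    return {"bare_names": [suffix], "need_fq_name": need_fq, "resolution_order": order}


if __name__ == "__main__":
    print(short_name_report(SAMPLE_CONF))
```

A non-empty `need_fq_name` entry with provider `files` is the situation described in the question: local accounts that previously resolved by short name now need `user@shadowutils`.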
