Hi,
We are trying to configure our FreeIPA environment. We are using freeipa-client in both Ubuntu 18 and Ubuntu 16 servers. The FreeIPA server has one way trust to our AD. We have the domain name resolution order setup in the FreeIPA server. The AD users are able to ssh login to Ubuntu 18 fluently. But in Ubuntu 16, the AD user ssh login works only with domain name extension for AD users and fails with short name. Inside the Ubuntu 16 client, AD user lookup as well fails for short name, but works with domain name extension.
Is there any extra configuration needed in sssd.conf other than the default configuration generated by freeipa-client?
TIA
On Fri, May 22, 2020 at 04:07:08PM -0700, Suchismita Panda via FreeIPA-users wrote:
> Hi,
> We are trying to configure our FreeIPA environment. We are using freeipa-client in both Ubuntu 18 and Ubuntu 16 servers. The FreeIPA server has one way trust to our AD. We have the domain name resolution order setup in the FreeIPA server. The AD users are able to ssh login to Ubuntu 18 fluently. But in Ubuntu 16, the AD user ssh login works only with domain name extension for AD users and fails with short name. Inside the Ubuntu 16 client, AD user lookup as well fails for short name, but works with domain name extension.
Hi,
Which SSSD version are you using on Ubuntu 16? It looks like it has sssd-1.13.4 by default, which does not support the domain name resolution order feature.
bye, Sumit
> Is there any extra configuration needed in sssd.conf other than the default configuration generated by freeipa-client?
> TIA
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Thanks Sumit for the quick reply.
Yes it is using sssd 1.13.4.
apt list --installed|grep sssd
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
sssd/xenial-updates,now 1.13.4-1ubuntu1.15 amd64 [installed,automatic]
sssd-ad/xenial-updates,now 1.13.4-1ubuntu1.15 amd64 [installed,automatic]
sssd-ad-common/xenial-updates,now 1.13.4-1ubuntu1.15 amd64 [installed,automatic]
sssd-common/xenial-updates,now 1.13.4-1ubuntu1.15 amd64 [installed,automatic]
sssd-ipa/xenial-updates,now 1.13.4-1ubuntu1.15 amd64 [installed,automatic]
sssd-krb5/xenial-updates,now 1.13.4-1ubuntu1.15 amd64 [installed,automatic]
sssd-krb5-common/xenial-updates,now 1.13.4-1ubuntu1.15 amd64 [installed,automatic]
sssd-ldap/xenial-updates,now 1.13.4-1ubuntu1.15 amd64 [installed,automatic]
sssd-proxy/xenial-updates,now 1.13.4-1ubuntu1.15 amd64 [installed,automatic]
sssd-tools/xenial-updates,now 1.13.4-1ubuntu1.15 amd64 [installed]
What additional configuration can we add to support name resolution order?
TIA
On Tue, May 26, 2020 at 09:49:23AM -0700, Suchismita Panda via FreeIPA-users wrote:
> Thanks Sumit for the quick reply.
> Yes it is using sssd 1.13.4.
Hi,
domain resolution order support is not available in this version.
There is the deprecated option 'default_domain_suffix', see man sssd.conf for details. If this is set to the AD domain, users from this domain can use a short name. But only users from this domain, which means IPA users and groups must use the fully-qualified name.
Instead of using 'default_domain_suffix' I would recommend trying to find a newer version of SSSD for your platform which supports domain resolution order.
bye, Sumit
bye, Sumit
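The fallback described in the reply above, as an added sssd.conf fragment that is not part of the original thread. The domain names ipa.example.com and ad.example.com are placeholders for the IPA domain and the trusted AD domain.

```ini
# /etc/sssd/sssd.conf on the client whose SSSD lacks domain resolution order
# support. Domain names below are placeholders, not values from the thread.
[sssd]
services = nss, sudo, pam, ssh
domains = ipa.example.com

# Deprecated fallback: names given without a domain component are looked up
# in this domain. Short names then resolve for AD users only; IPA users and
# groups must be given as name@ipa.example.com, including in sudo rules,
# SSH AllowUsers/AllowGroups entries and any scripts that call getent or id.
default_domain_suffix = ad.example.com

# On a client whose SSSD supports the feature, leave default_domain_suffix
# unset. The order is then taken from the IPA server configuration, or can
# be set locally as a comma separated list:
# domain_resolution_order = ad.example.com, ipa.example.com
```

Restart sssd after the change and check both directions with `getent passwd`, once with an AD short name and once with a fully-qualified IPA name, before relying on short-name logins.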