Hi all,
I have client machines bound to my FreeIPA domain correctly as best I can tell. I have noticed however that the "finger" command appears to not be matching on user's names anymore like it does with my older NIS clients. Finger appears to only work when passing it the actual username of a user, not their first or last names.
/etc/nsswitch.conf is configured properly for user matching on the client. What am I missing?
Thank you!
passwd: files sss
shadow: files sss
group: files sss
#initgroups: files sss

#hosts: db files nisplus nis dns
hosts: files mdns4_minimal [NOTFOUND=return] dns myhostname

# Example - obey only what nisplus tells us...
#services: nisplus [NOTFOUND=return] files
#networks: nisplus [NOTFOUND=return] files
#protocols: nisplus [NOTFOUND=return] files
#rpc: nisplus [NOTFOUND=return] files
#ethers: nisplus [NOTFOUND=return] files
#netmasks: nisplus [NOTFOUND=return] files

bootparams: nisplus [NOTFOUND=return] files

ethers: files
netmasks: files
networks: files
protocols: files
rpc: files
services: files sss

netgroup: nisplus sss

publickey: nisplus

automount: files nisplus sss
aliases: files nisplus

sudoers: files sss
Russell Jones via FreeIPA-users wrote:
> Hi all,
> I have client machines bound to my FreeIPA domain correctly as best I can tell. I have noticed however that the "finger" command appears to not be matching on user's names anymore like it does with my older NIS clients. Finger appears to only work when passing it the actual username of a user, not their first or last names.
Sounds like a bug in sssd, I doubt they do much if any testing using finger.
It should be searching on real name by default. Per the man page:
    -m  Prevent matching of user names. User is usually a login name; however, matching will also be done on the users' real names, unless the -m option is supplied. All name matching performed by finger is case insensitive.
I'd suggest you open an issue at https://pagure.io/SSSD/sssd/
rob
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Thanks! I just found an answer, enumeration isn't enabled in SSSD by default. Turning this option on allows finger to match the extra fields properly.
https://access.redhat.com/solutions/730033
On Thu, Jan 30, 2020 at 12:20 PM Rob Crittenden <rcritten@redhat.com> wrote:
> Russell Jones via FreeIPA-users wrote:
> > Hi all,
> > I have client machines bound to my FreeIPA domain correctly as best I can tell. I have noticed however that the "finger" command appears to not be matching on user's names anymore like it does with my older NIS clients. Finger appears to only work when passing it the actual username of a user, not their first or last names.
> Sounds like a bug in sssd, I doubt they do much if any testing using finger.
> It should be searching on real name by default. Per the man page:
>     -m  Prevent matching of user names. User is usually a login name; however, matching will also be done on the users' real names, unless the -m option is supplied. All name matching performed by finger is case insensitive.
> I'd suggest you open an issue at https://pagure.io/SSSD/sssd/
> rob
Russell Jones wrote:
> Thanks! I just found an answer, enumeration isn't enabled in SSSD by default. Turning this option on allows finger to match the extra fields properly.
Ok, I guess that makes sense. I wonder if it shouldn't be able to enumerate users it already has but then I suppose you could end up with inconsistent behavior.
Either way glad you have an answer, but know that enumeration is considered "heavy" so YMMV.
rob
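Added example, not part of the thread and not code from finger or SSSD: a simplified model of why real-name matching depends on enumeration. It assumes finger resolves its argument first by a direct login lookup and then by walking every passwd entry and comparing real-name words from the GECOS field; the entries, the NssModel class and finger_lookup are constructed for illustration, and enumerate_directory stands in for the SSSD domain option "enumerate".

```python
from collections import namedtuple

# Constructed sample entries (login, GECOS); not taken from the thread.
Entry = namedtuple("Entry", "pw_name pw_gecos")
LOCAL_FILES = [Entry("root", "root"), Entry("backup", "Backup Operator")]
DIRECTORY = [Entry("rjones", "Russell Jones,Room 12,555-0100"),
             Entry("asmith", "Alice &")]


def real_name_tokens(entry):
    """Words of the real name: GECOS up to the first comma, '&' -> login."""
    full = entry.pw_gecos.split(",", 1)[0].replace("&", entry.pw_name)
    return [word.lower() for word in full.split()]


class NssModel:
    """Model of the passwd map: local files plus a directory source (sss)."""

    def __init__(self, enumerate_directory):
        self.enumerate_directory = enumerate_directory

    def getpwnam(self, login):
        # Direct lookups reach the directory whether or not it enumerates.
        for entry in LOCAL_FILES + DIRECTORY:
            if entry.pw_name == login:
                return entry
        return None

    def getpwall(self):
        # Walking the map returns directory users only with enumeration on.
        return LOCAL_FILES + (DIRECTORY if self.enumerate_directory else [])


def finger_lookup(nss, arg, match_real_names=True):
    """Logins reported for arg; match_real_names=False models finger -m."""
    hits = []
    direct = nss.getpwnam(arg)
    if direct:
        hits.append(direct.pw_name)
    if match_real_names:
        wanted = arg.lower()
        for entry in nss.getpwall():
            if entry.pw_name in hits:
                continue
            if entry.pw_name.lower() == wanted or wanted in real_name_tokens(entry):
                hits.append(entry.pw_name)
    return hits
```

On a real client the same split shows up as "getent passwd <login>" resolving a directory user while "getent passwd" with no key lists only local accounts.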