Our IPA servers are in a one-way AD trust. Since all of our users are in AD, I take advantage of the SSSD settings on the clients to hide the @AD_REALM from their login names, and use AD_REALM as the default_realm. This works nicely.
Solaris clients, however, do not have the convenience of SSSD. I understand that the fully-qualified login names are required for systems using the compat feature so that the IPA servers know to look up those users in AD. Still, I was wondering if there is any way of doing something similar on Solaris to hide the domain part if it is the default. I had hoped that maybe an idview would do it, but it seems unlikely.
Amos
FQDNs are not required for systems using the compat tree when using domain resolution order, but it's not clear if you have it on or not. With that said, I've never tried to drop the domain off users when using the compat tree and id views without domain resolution order enabled. In theory, an idview might help, but you would need to experiment with it by creating user overrides, overriding the names and such, and seeing what it looks like in the compat tree when trying to do a query or performing a login; I no longer have the equipment to help test this. But it sounds like something you could easily test out.
Slightly unrelated: at my last job, we used the compat tree with domain resolution order turned on. We had some sudo issues at some point with domain resolution order turned on, starting at SRU 11.4.20.4.0, where the only suitable workaround was to create an idview and just point the clients to it (without making any overrides). This may be of interest to you.
This is from my notes:
* Domain Resolution Order turned on
* Compat tree enabled (this is the cn=compat,$SUFFIX part of the tree)
* An idview was created with NO overrides (really, no overrides made)
* ldapclient on solaris was pointed to the view
# Create a view... no id overrides required here
% ipa idview-add solaris

# On Solaris...
# Take EXTREME care with the group and passwd base DNs, they need to point
# to the view properly
# This example uses kerberos to authenticate.
# (The group/passwd bases below carry a different suffix than defaultSearchBase
#  and the other descriptors; in a real setup every base uses your IPA suffix.)
% ldapclient manual -a authenticationMethod=self \
    -a credentialLevel=sasl/GSSAPI \
    -a defaultSearchBase=dc=ipa,dc=example,dc=com \
    -a domainName=ipa.example.com \
    -a defaultServerList="server1.angelsofclockwork.net server2.angelsofclockwork.net" \
    -a followReferrals=true \
    -a objectClassMap=shadow:shadowAccount=posixAccount \
    -a objectClassMap=passwd:posixAccount=posixaccount \
    -a objectClassMap=group:posixGroup=posixgroup \
    -a serviceSearchDescriptor=group:cn=groups,cn=solaris,cn=views,cn=compat,dc=angelsofclockwork,dc=net \
    -a serviceSearchDescriptor=passwd:cn=users,cn=solaris,cn=views,cn=compat,dc=angelsofclockwork,dc=net \
    -a serviceSearchDescriptor=netgroup:cn=ng,cn=compat,dc=ipa,dc=example,dc=com \
    -a serviceSearchDescriptor=ethers:cn=computers,cn=accounts,dc=ipa,dc=example,dc=com \
    -a serviceSearchDescriptor=sudoers:ou=sudoers,dc=ipa,dc=example,dc=com \
    -a bindTimeLimit=5

# Make sure you set your props...
% /usr/sbin/svccfg -s name-service/switch setprop config/sudoer = astring: "files ldap"
% /usr/sbin/svccfg -s name-service/switch setprop config/password = astring: "files ldap [NOTFOUND=return]"
% /usr/sbin/svccfg -s name-service/switch setprop config/group = astring: "files ldap [NOTFOUND=return]"

% /usr/sbin/svcadm refresh svc:/system/name-service/switch
% /usr/sbin/svcadm restart svc:/system/name-service/switch
% /usr/sbin/svcadm restart ldap/client

# Verify...
% ldaplist -l passwd adusername
. . .
% id -a adusername
. . .
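As an added example (not from the thread or from FreeIPA), a small Python checker that parses the "-a key=value" arguments of an ldapclient command line and verifies that the passwd and group serviceSearchDescriptor bases point at cn=users / cn=groups under the named view in the compat tree and share the suffix of defaultSearchBase. Both command lines in it are constructed; the "mismatched" one reproduces the differing suffixes seen in the notes above.

```python
import shlex
from collections import defaultdict

def parse_ldapclient_args(cmdline):
    """Collect every '-a key=value' pair from an ldapclient command line.
    Repeated keys (objectClassMap, serviceSearchDescriptor) accumulate in a list."""
    settings = defaultdict(list)
    tokens = shlex.split(cmdline.replace("\\\n", " "))  # drop line continuations
    for i, tok in enumerate(tokens):
        if tok == "-a" and i + 1 < len(tokens):
            key, _, value = tokens[i + 1].partition("=")
            settings[key].append(value)
    return settings

def normalize_dn(dn):
    """Lower-case and strip whitespace around RDNs so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_view_bases(settings, view):
    """Return a list of problems (empty means OK): passwd and group must search
    cn=users / cn=groups under cn=<view>,cn=views,cn=compat,<defaultSearchBase>."""
    problems = []
    if not settings.get("defaultSearchBase"):
        return ["defaultSearchBase is not set"]
    suffix = normalize_dn(settings["defaultSearchBase"][0])
    bases = {}
    for ssd in settings.get("serviceSearchDescriptor", []):
        service, _, base = ssd.partition(":")
        bases[service] = normalize_dn(base)
    for service, container in (("passwd", "cn=users"), ("group", "cn=groups")):
        expected = f"{container},cn={view.lower()},cn=views,cn=compat,{suffix}"
        actual = bases.get(service)
        if actual is None:
            problems.append(f"{service}: no serviceSearchDescriptor")
        elif actual != expected:
            problems.append(f"{service}: searches {actual}, expected {expected}")
    return problems

# Constructed sample: the passwd/group bases use a different suffix than
# defaultSearchBase, which is exactly the mismatch this checker is meant to catch.
MISMATCHED = '''ldapclient manual -a authenticationMethod=self \\
 -a defaultSearchBase=dc=ipa,dc=example,dc=com \\
 -a serviceSearchDescriptor=group:cn=groups,cn=solaris,cn=views,cn=compat,dc=angelsofclockwork,dc=net \\
 -a serviceSearchDescriptor=passwd:cn=users,cn=solaris,cn=views,cn=compat,dc=angelsofclockwork,dc=net'''

CONSISTENT = MISMATCHED.replace("dc=angelsofclockwork,dc=net", "dc=ipa,dc=example,dc=com")
if __name__ == "__main__":
    for label, cmd in (("mismatched", MISMATCHED), ("consistent", CONSISTENT)):
        print(label, check_view_bases(parse_ldapclient_args(cmd), "solaris") or "OK")
```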
freeipa-users@lists.fedorahosted.org