BTW, yes -- that works. If I transform in sssd.conf every "[domain/xxx]" line:
[domain/{amer,emea,apac,japn}.company.com]
to upper case and restart sssd, I can then "realm permit" in upper case.
realm permit -R AMER.COMPANY.COM spike_white@COMPANY.COM
Curiously, in sssd.conf, it records the user in lower case:
simple_allow_users = processehcprofiler@amer.company.com, spike_white@amer.company.com
No problem with that for me; I'm really hitting against AD -- which is case-insensitive.
BTW, I checked -- I did my original realm join against AMER.COMPANY.COM (all upper-case).
Spike
On Sat, Apr 13, 2019 at 3:59 PM Spike White spikewhitetx@gmail.com wrote:
All,
I have sssd set up and doing cross-domain AD authentication. I'm using the simple access provider and conferring login access per group. Occasionally per user.
I notice that if I do a basic 'realm permit <user>', that it adds this user to the wrong AD domain:
Example:
realm permit processehcprofiler
adds it to my JAPN.COMPANY.COM AD domain, not my local AD domain (AMER).
If I attempt to do
realm permit -R AMER.COMPANY.COM processehcprofiler@AMER.COMPANY.COM
I get this error:
realm: Couldn't find a matching realm
Through various experimentation, I find that if I do this:
realm permit -R amer.company.com processehcprofiler@amer.company.com
that it works. As confirmed by 'sssctl user-checks processehcprofiler'
I notice my "domain" entries in /etc/sssd/sssd.conf file are all lower case:
domains = amer.company.com,apac.company.com,emea.company.com, japn.company.com
...
[domain/amer.company.com]
ad_domain = amer.company.com
...
[domain/apac.company.com]
ad_domain = apac.company.com
...
[domain/emea.company.com]
ad_domain = emea.company.com
...
[domain/japn.company.com]
ad_domain = japn.company.com
...
I'm used to Kerberos where domain names are uc and account names are lc. So to do:
realm permit -R AMER.COMPANY.COM processehcprofiler@AMER.COMPANY.COM
I have to re-write all the domain names in my sssd.conf file to uc?
Spike
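The case mismatch described in this thread, as an added example (not part of the original messages, and not realmd or sssd code): it parses an sssd.conf, reports whether a `-R` realm matches a `[domain/...]` section exactly or only when case is ignored, and lists `simple_allow_users` entries that are unqualified or carry another domain's suffix. The exact-match rule is an assumption taken from the behaviour reported above; the function names and the sample file are constructed.

```python
import configparser

# Constructed sample modelled on the sssd.conf excerpt in the thread (not a real host's file).
SAMPLE_CONF = """\
[domain/amer.company.com]
ad_domain = amer.company.com
simple_allow_users = spike_white@amer.company.com

[domain/japn.company.com]
ad_domain = japn.company.com
simple_allow_users = processehcprofiler
"""

def load_domains(text):
    """Map each [domain/NAME] section name (case preserved) to its simple_allow_users list."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    domains = {}
    for section in cp.sections():
        if section.startswith("domain/"):
            raw = cp.get(section, "simple_allow_users", fallback="")
            domains[section[len("domain/"):]] = [u.strip() for u in raw.split(",") if u.strip()]
    return domains

def match_realm(domains, requested):
    """Compare a -R argument with the section names: exact, differing only in case, or absent."""
    if requested in domains:
        return ("exact", requested)
    for name in domains:
        if name.lower() == requested.lower():
            return ("case-only", name)
    return ("none", None)

def audit_allow_lists(domains):
    """Flag allow-list entries that are unqualified or qualified with another domain's name."""
    findings = []
    for name, users in sorted(domains.items()):
        for user in users:
            _, sep, suffix = user.partition("@")
            if not sep:
                findings.append((name, user, "unqualified"))
            elif suffix.lower() != name.lower():
                findings.append((name, user, "foreign suffix"))
    return findings

if __name__ == "__main__":
    doms = load_domains(SAMPLE_CONF)
    print(match_realm(doms, "AMER.COMPANY.COM"))
    print(audit_allow_lists(doms))
```

To run the same check on a host, pass the text of /etc/sssd/sssd.conf to `load_domains` instead of the sample.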