BTW, yes -- that works. If I transform in sssd.conf every "[domain/xxx]" line:

    [domain/{amer,emea,apac,japn}.company.com]

to upper case and restart sssd, I can then "realm permit" in upper case.

    realm permit -R AMER.COMPANY.COM spike_white@COMPANY.COM

Curiously, in sssd.conf, it records the user in lower case:

    simple_allow_users = processehcprofiler@amer.company.com, spike_white@amer.company.com

No problem with that for me; I'm really hitting against AD -- which is case-insensitive.

BTW, I checked -- I did my original realm join against AMER.COMPANY.COM (all upper-case).

Spike


On Sat, Apr 13, 2019 at 3:59 PM Spike White <spikewhitetx@gmail.com> wrote:
All,

I have sssd set up and doing cross-domain AD authentication.  I'm using the simple access provider and conferring login access per group.  Occasionally per user.

I notice that if I do a basic 'realm permit <user>', it adds this user to the wrong AD domain:

Example:

    realm permit processehcprofiler

adds it to my JAPN.COMPANY.COM AD domain, not my local AD domain (AMER).

If I attempt to do


I get this error:

    realm: Couldn't find a matching realm

Through various experimentation, I find that if I do this:


that it works.  As confirmed by 'sssctl user-checks processehcprofiler'

I notice my "domain" entries in /etc/sssd/sssd.conf file are all lower case:


I'm used to Kerberos where domain names are uc and account names are lc.  So to do:

I have to re-write all the domain names in my sssd.conf file to uc?

Spike
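
The header change described in the reply at the top of this thread, as an added example that is not part of the original messages: it upper-cases only the `[domain/...]` section headers of an sssd.conf-style file and lists any headers that are still lower-case. The function names and the sample file are constructed for illustration, and the script works on a scratch copy only.

```shell
#!/bin/sh
# Added example: upper-case the name in every [domain/...] section header
# of an sssd.conf-style file. Only headers change, as in the post.
# Print file $1 with each [domain/<name>] header upper-cased.
upcase_domain_sections() {
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            "[domain/"*"]")
                name=${line#"[domain/"}
                name=${name%"]"}
                name=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]')
                printf '[domain/%s]\n' "$name"
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done < "$1"
}

# Print domain section names in $1 that still contain lower-case letters.
list_lowercase_domains() {
    sed -n 's|^\[domain/\(.*\)]$|\1|p' "$1" | grep '[[:lower:]]' || true
}

# Constructed sample input (assumption: not a real configuration).
make_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
services = nss, pam

[domain/amer.company.com]
access_provider = simple
simple_allow_users = spike_white@amer.company.com

[domain/JAPN.COMPANY.COM]
access_provider = simple
EOF
}

# Demo on a scratch copy; /etc/sssd/sssd.conf is never touched here.
demo() {
    tmp=$(mktemp -d) || return 1
    make_sample_conf "$tmp/sssd.conf"
    upcase_domain_sections "$tmp/sssd.conf" > "$tmp/sssd.conf.new"
    diff "$tmp/sssd.conf" "$tmp/sssd.conf.new" || true
    rm -rf "$tmp"
}
demo
```

The `simple_allow_users` line passes through unchanged, matching the post's observation that users stay recorded in lower case. Before swapping a rewritten file into place, `sssctl config-check` can validate it, and sssd needs the restart the post mentions.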