This time with attachments ;-)
Hi, sorry for the delay... In the attachments: sssd_nss.log and sssd_a.c.realm.log
Login with UPN (mail name) does not work here:
root@adm-lnx438:/tmp# getent passwd user1@realm
user1@n.c.realm@a.c.realm:*:10002:30000000:XXXXX XXXXX:/home/user1:/bin/bash
my sssd.conf:

[nss]
debug_level = 9
filter_groups = root
filter_users = root

[sssd]
debug_level = 9
domains = a.c.realm
config_file_version = 2
services = nss,pam,ssh

[pam]
pam_verbosity = 3
debug_level = 9

[domain/a.c.realm]
debug_level = 9
ad_domain = a.c.realm
ad_site = SITE
ad_hostname = adm-lnx438.a.c.realm
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
dyndns_update = true
dyndns_update_ptr = false
krb5_realm = A.C.REALM
krb5_use_fast = try
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 1h
krb5_confd_path = /var/lib/sss/pubconf/krb5.include.d
use_fully_qualified_names = true
ldap_id_mapping = false
ldap_use_tokengroup = false
ad_gpo_access_control = disabled
best, Longina
-----Original Message----- From: Longina Przybyszewska [mailto:longina@sdu.dk] Sent: 11 January 2016 16:25 To: End-user discussions about the System Security Services Daemon Subject: [SSSD-users] Re: localauth plugin and some other questions
-----Original Message----- From: Sumit Bose [mailto:sbose@redhat.com] Sent: 8 January 2016 11:23 To: End-user discussions about the System Security Services Daemon Subject: [SSSD-users] Re: localauth plugin and some other questions
On Wed, Jan 06, 2016 at 01:11:50PM +0000, Longina Przybyszewska wrote:
Thank you for the answers. There are still some issues:
I tried login with a setup for UPN/sAMAccountName login, without success.
Is login with a cross-realm UPN or short sAMAccountName supported in this sssd version?
In database for default domain cache_a.c.realm.db user object has
following names (for 'use_fully_qualified_names = true' setup):
dn: name = user1@n.c.realm ...
name: user1@n.c.realm
nameAlias: user1@n.c.realm
UserPrincipalName: user1@REALM
canonicalUserPrincipalName: user1@N.C.REALM
The plain sAMAccountName 'user1' will not work because use_fully_qualified_names = true. What should work is 'DOM\user1' where DOM is the NetBIOS domain name of the n.c.realm domain. Additionally I would expect that user1@REALM should work.
Right. user1@n.c.realm and DOM\user1 login works.
Login as user1@REALM (and user1@realm) does not work.
hm, that's odd, can you send me the logs when trying to login with user1@REALM?
getent passwd user1@realm
user1@n.c.realm@a.c.realm:*:10002:30000000::/home/user1:/bin/bash
'user1@n.c.realm@a.c.realm' looks odd, do you map the user name to an attribute other than sAMAccountName?
I use "id_provider = ad" and do not specifically map the user name to any attribute.
Attributes in AD:
uid = user1
userPrincipalName = user1@realm
sAMAccountName = user1
SSSD defaults:
ldap_user_name = uid
ldap_user_principal = krbPrincipalName
krb5_use_enterprise_principal = true
There is no krbPrincipalName attribute in the user object in AD.
sssd.conf:

[nss]
debug_level = 9
filter_groups = root
filter_users = root

[sssd]
debug_level = 9
domains = a.c.realm
config_file_version = 2
services = nss, pam, ssh

[pam]
pam_verbosity = 3
debug_level = 9

[domain/a.c.realm]
debug_level = 9
ldap_use_tokengroup = false
dyndns_update = true
dyndns_update_ptr = true
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
krb5_realm = A.C.REALM
krb5_use_fast = try
krb5_confd_path = /var/lib/sss/pubconf/krb5.include.d
ad_domain = a.c.realm
ad_site = SITE
ad_hostname = adm-lnx438.a.c.realm
use_fully_qualified_names = true
ldap_id_mapping = false
The best would be being able to log in with sAMAccountName; the next best with UPN, then with FQDN.
I tried without success the following setup for login with short names:
[nss]
subdomain_inherit = ldap_user_principal
[domain/a.c.realm]
..
ldap_user_principal = sAMAccountName
This won't work because the ldap_user_principal value is used as a Kerberos principal without further processing.
You might want to try the 'default_domain_suffix' option, see man sssd.conf for details.
The manual says that 'default_domain_suffix' is usable if all users are located in a trusted domain while the computers are in the primary domain. With this option, users can log in with short names. Our users are in several trusted domains; what should be the value of 'default_domain_suffix'?
sssd-users@lists.fedorahosted.org
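Added example, not from the thread or the SSSD project: a small Python lint over the sssd.conf settings posted above. It flags the name-handling pitfalls the thread walks through (bare sAMAccountName with use_fully_qualified_names and no default_domain_suffix, ldap_user_principal = sAMAccountName, subdomain_inherit placed under [nss]) and the disabled GPO access control. The config text is constructed from the thread; option semantics follow man sssd.conf.

```python
import configparser
from typing import List

# Constructed sssd.conf reproducing the settings posted in the thread
# (debug/dyndns keys omitted; they do not affect name resolution).
SSSD_CONF = """\
[sssd]
domains = a.c.realm
config_file_version = 2
services = nss,pam,ssh

[nss]
filter_groups = root
filter_users = root

[domain/a.c.realm]
id_provider = ad
access_provider = ad
auth_provider = ad
ad_domain = a.c.realm
krb5_realm = A.C.REALM
use_fully_qualified_names = true
ldap_id_mapping = false
ad_gpo_access_control = disabled
"""


def lint_sssd_conf(text: str) -> List[str]:
    """Return findings about login-name handling and AD access control."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings: List[str] = []
    suffix = cp.get("sssd", "default_domain_suffix", fallback=None)
    # subdomain_inherit is a [domain/...] option; under [nss] it does nothing.
    if cp.has_option("nss", "subdomain_inherit"):
        findings.append("[nss]: subdomain_inherit is a domain option; no effect here")
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        d = cp[section]
        if d.getboolean("use_fully_qualified_names", fallback=False) and not suffix:
            findings.append(f"{section}: use_fully_qualified_names=true without "
                            "default_domain_suffix: bare 'user1' will not resolve, "
                            "only DOM\\user1 or user1@domain")
        if d.get("ldap_user_principal", "").lower() == "samaccountname":
            findings.append(f"{section}: ldap_user_principal=sAMAccountName is used "
                            "verbatim as the Kerberos principal; authentication fails")
        if (d.get("access_provider") == "ad"
                and d.get("ad_gpo_access_control", "").lower() == "disabled"):
            findings.append(f"{section}: ad_gpo_access_control=disabled: AD GPO logon "
                            "restrictions are not evaluated on this host")
    return findings


if __name__ == "__main__":
    for finding in lint_sssd_conf(SSSD_CONF):
        print(finding)
```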