Hi,

We're having an issue getting sssd to look up non-qualified names across our forest. From the documentation it appears this should be supported via lookups done to the global catalog or, failing that, queries against all discovered subdomains.

*Setup:*
- Two domains, site.com and b.site.com.
- Host is joined to b.site.com (net ads join)
- Users that will log in can be found in either b.site.com or site.com
- usernames and UIDs are unique within the forest

*What works:*
- login and lookup for accounts in b.site.com
- login and lookup for site.com accounts when fully qualified (user@site.com)

*Desired behavior:*
- users from site.com can use their non-qualified usernames to connect to the host

Current Config:

[sssd]
domains = b.site.com
config_file_version = 2
override_space = _
services = nss,pam

[domain/b.site.com]
debug_level = 9
ldap_group_nesting_level = 5
id_provider = ad
auth_provider = ad
default_shell = /bin/bash
ldap_id_mapping = false
simple_allow_groups = groupa@site.com
use_fully_qualified_names = false
ad_enable_gc = true

*Other notes:*
- We attempted to use the setup described here https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648.html, however clients attempt to authenticate to each domain and fail as they are only joined to b.site.com.
- Made sure the following attributes were replicated to the global catalog: uidNumber, gidNumber, loginShell, unixHomeDirectory
- logs show that an LDAP query is only attempted against b.site.com for the non-qualified account.
- logs show that the root domain, site.com, is discovered along with its domain controllers.
- version 1.13.4 (Ubuntu 16.04)

Any suggestions?

Thanks,
-Mike
On Wed, Jan 11, 2017 at 11:44:18AM -0500, Mike Smorul wrote:
*Desired behavior:*
- users from site.com can use their non-qualified usernames to connect to the host
I'm sorry, but /input/ shortnames towards trusted domains are not supported out of the box until https://fedorahosted.org/sssd/ticket/3001 is implemented.
*Other notes:*
- We attempted to use the setup described here https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648.html, however clients attempt to authenticate to each domain and fail as they are only joined to b.site.com.
This should work as long as the ldap_sasl_authid is set properly for both domains (I haven't tested that, though..but it should work..)
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
*Other notes:*
- We attempted to use the setup described here https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648.html, however clients attempt to authenticate to each domain and fail as they are only joined to b.site.com.

This should work as long as the ldap_sasl_authid is set properly for both domains (I haven't tested that, though..but it should work..)
Thanks, that appeared to do the trick, and was only necessary to add that for the remote domains.
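The configuration below is an added worked example, not text from either poster or from the sssd project, and it assumes that the setup linked above is the one where each AD domain in the forest is configured as its own [domain/...] section rather than as a trusted subdomain of b.site.com. With two top-level sssd domains, an unqualified login name is tried against each entry in "domains =" in order, which is what gives site.com users short-name logins on an sssd 1.13 host without waiting for ticket 3001. The AD provider picks its GSSAPI principal from /etc/krb5.keytab by looking for the machine account of the realm it is configured for; the host was only joined to b.site.com, so there is no SITE.COM machine entry and the site.com section needs ldap_sasl_authid to name the joined-domain account explicitly, which is the "only necessary for the remote domains" fix from the reply. The hostname sshgw01 and the principal SSHGW01$@B.SITE.COM are assumptions; take the real value from `klist -k /etc/krb5.keytab`.

```ini
[sssd]
config_file_version = 2
services = nss, pam
override_space = _
# Order matters: an unqualified name is looked up in each listed domain
# in turn, so the domain the host is joined to goes first.
domains = b.site.com, site.com

# Joined domain. The keytab written by "net ads join" already contains
# SSHGW01$@B.SITE.COM (assumed hostname), which is what the AD provider
# selects by default, so no ldap_sasl_authid is needed here.
[domain/b.site.com]
id_provider = ad
auth_provider = ad
ad_domain = b.site.com
ldap_id_mapping = false
ldap_group_nesting_level = 5
default_shell = /bin/bash
use_fully_qualified_names = false

# Remote domain in the same forest. The host is NOT joined here, so the
# default principal selection would look for SSHGW01$@SITE.COM, find no
# such keytab entry, and fail to bind (the symptom reported above).
# Reuse the joined-domain machine account instead; intra-forest
# cross-realm Kerberos lets it obtain a service ticket for site.com DCs.
[domain/site.com]
id_provider = ad
auth_provider = ad
ad_domain = site.com
ldap_id_mapping = false
ldap_group_nesting_level = 5
default_shell = /bin/bash
use_fully_qualified_names = false
ldap_sasl_authid = SSHGW01$@B.SITE.COM
```

After restarting sssd and flushing the cache (`sss_cache -E`), `getent passwd alice` and `getent passwd alice@site.com` should return the same entry for a site.com user, and the domain log for site.com should show a successful GSSAPI bind rather than a missing-principal error. Two caveats worth checking against the original config: because each domain is now queried directly over LDAP, the POSIX attributes no longer have to be replicated to the global catalog for this to work, and `simple_allow_groups` has no effect at all unless the section also sets `access_provider = simple`, so the access restriction the original config appears to intend is not actually being enforced until that line is added.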