All,
I have sssd set up and doing cross-domain AD authentication. I'm using the simple access provider and conferring login access per group. Occasionally per user.
I notice that if I do a basic 'realm permit <user>', that it adds this user to the wrong AD domain:
Example:
realm permit processehcprofiler
adds it to my JAPN.COMPANY.COM AD domain, not my local AD domain (AMER).
If I attempt to do
realm permit -R AMER.COMPANY.COM processehcprofiler@AMER.COMPANY.COM
I get this error:
realm: Couldn't find a matching realm
Through various experimentation, I find that if I do this:
realm permit -R amer.company.com processehcprofiler@amer.company.com
that it works. As confirmed by 'sssctl user-checks processehcprofiler'
I notice my "domain" entries in /etc/sssd/sssd.conf file are all lower case:
domains = amer.company.com,apac.company.com,emea.company.com, japn.company.com
...
[domain/amer.company.com]
ad_domain = amer.company.com
...
[domain/apac.company.com]
ad_domain = apac.company.com
...
[domain/emea.company.com]
ad_domain = emea.company.com
...
[domain/japn.company.com]
ad_domain = japn.company.com
...
I'm used to Kerberos where domain names are uc and account names are lc. So to do:
realm permit -R AMER.COMPANY.COM processehcprofiler@AMER.COMPANY.COM
I have to re-write all the domain names in my sssd.conf file to uc?
Spike
BTW, yes -- that works. If I transform in sssd.conf every "[domain/xxx]" line:
[domain/{amer,emea,apac,japn}.company.com]
to upper case and restart sssd, I can then "realm permit" in upper case.
realm permit -R AMER.COMPANY.COM spike_white@COMPANY.COM
Curiously, in sssd.conf, it records the user in lower case:
simple_allow_users = processehcprofiler@amer.company.com, spike_white@amer.company.com
No problem with that for me; I'm really hitting against AD -- which is case-insensitive.
BTW, I checked -- I did my original realm join against AMER.COMPANY.COM (all upper-case).
Spike
Hi,
thank you for reporting this behavior. realm is indeed a bit too picky about the case here. At least for AD the case should be ignored.
On Sun, Apr 14, 2019 at 09:44:56AM -0500, Spike White wrote:
> BTW, yes -- that works. If I transform in sssd.conf every "[domain/xxx]" line:
> [domain/{amer,emea,apac,japn}.company.com]
Am I correct that you not only changed the "[domain/xxx]" lines but the "ad_domain" lines as well?
bye, Sumit
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Yes, correct. I converted "[domain/XXX]" lines and ad_domain lines to upper case. Example:
[domain/EMEA.COMPANY.COM]
...
ad_domain = EMEA.COMPANY.COM
krb5_realm = EMEA.COMPANY.COM
That allows me to do a 'realm permit' specifying upper case for my domain. For example
realm permit admspike_white@AMER.COMPANY.COM
Spike
On Tue, May 07, 2019 at 06:24:01PM -0500, Spike White wrote:
> Yes, correct. I converted "[domain/XXX]" lines and ad_domain lines to upper case. Example:
>
> [domain/EMEA.COMPANY.COM]
> ...
> ad_domain = EMEA.COMPANY.COM
> krb5_realm = EMEA.COMPANY.COM
Thanks, this confirms my assumption. It should be sufficient to only change 'ad_domain' because this is the option realmd looks at first.
As said I'll try to make realm less strict here if AD is used.
bye, Sumit
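Added example, not part of the thread and not code from the posters or from the realmd/SSSD projects: the thread shows an unqualified `realm permit` landing a user in an unintended `[domain/...]` section, so this Python script lists each section's `simple_allow_users` entries and flags, for review, names with no `@domain` suffix or with a suffix that differs from that section's `ad_domain` (compared case-insensitively, since the stored entries are lower case). The sample configuration and the names `SAMPLE_CONF` and `audit_allow_users` are constructed for illustration.

```python
import configparser

# Constructed sample that mirrors the thread's layout; not the poster's real file.
SAMPLE_CONF = """
[sssd]
domains = amer.company.com, japn.company.com

[domain/amer.company.com]
ad_domain = amer.company.com
access_provider = simple
simple_allow_users = spike_white@AMER.COMPANY.COM

[domain/japn.company.com]
ad_domain = japn.company.com
access_provider = simple
simple_allow_users = processehcprofiler, svc_backup@amer.company.com
"""


def audit_allow_users(conf_text):
    """Return (section, user, reason) tuples for allow-list entries worth reviewing."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = []
    for section in cp.sections():
        if not section.lower().startswith("domain/"):
            continue
        # Fall back to the section name when ad_domain is not set.
        ad_domain = cp.get(section, "ad_domain", fallback=section.split("/", 1)[1])
        raw = cp.get(section, "simple_allow_users", fallback="")
        for user in (u.strip() for u in raw.split(",")):
            if not user:
                continue
            _name, sep, suffix = user.rpartition("@")
            if not sep:
                findings.append((section, user, "unqualified"))
            elif suffix.casefold() != ad_domain.casefold():
                findings.append((section, user, "suffix differs from ad_domain"))
    return findings


if __name__ == "__main__":
    for section, user, reason in audit_allow_users(SAMPLE_CONF):
        print(f"[{section}] {user}: {reason}")
```

Any flagged entry can then be confirmed with `sssctl user-checks <user>`, as the original poster did.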