Hi,
Is it possible to configure SSSD to make it possible to log in with short names across trusted domains? The sAMAccountName attribute in AD is unique, and all users have POSIX attributes assigned, so there is no risk of a name mismatch between different domains.
I use the ad provider and all default settings for the AD backend (gc_search_enable);
If use_fully_qualified_names = False, only users from the client machine's native domain can log in with short names; users from other domains are "unknown".
I can successfully run an ldapsearch against the Global Catalog in the top domain for login name = shortname for users from different domains:
ldapsearch -H ldap://ldap.c.example.com:3268 -Y GSSAPI -N -b "dc=c,dc=example,dc=org" "(&(objectClass=user)(sAMAccountName=user))"
user = user-a from a.c.example.org
user = user-b from b.c.example.org
best, Longina
On Wed, Jan 21, 2015 at 12:26:33PM +0000, Longina Przybyszewska wrote:
Only using the default_domain_suffix option, but then you need to qualify the primary domain IIRC..
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: 21 January 2015 13:49
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] login with shortname in AD cross realm
You mean, I have to have default_domain_suffix = c.example.org on all machines?
I am not sure that I understand the "qualify the primary domain IIRC" part...
If client machines and servers were in c.example.org natively, with users left in subdomains, would it help?
Best, Longina
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On 01/21/2015 08:07 AM, Longina Przybyszewska wrote:
The primary domain will be the IPA domain. So users in IPA domain would have to use full names.
On Wed, Jan 21, 2015 at 08:46:50AM -0500, Dmitri Pal wrote:
Correct, except Longina doesn't use IPA, but the answer is correct, just s/IPA/AD/.
On Wed, Jan 21, 2015 at 01:07:00PM +0000, Longina Przybyszewska wrote:
> You mean, I have to have default_domain_suffix = c.example.org on all machines?
Yes.
> I am not sure that I understand the "qualify the primary domain IIRC" part...
What I meant is: if you had the main domain called example.com and a subdomain called c.example.com, and set the suffix to c.example.com, then retrieving users from the main domain would require appending the domain name:
getent passwd administrator@example.com
But subdomain users could be unqualified:
getent passwd some_user_from_subdomain
Also, I wonder if using the fully qualified name or the NetBIOS name is really a problem? After all, that's how it's done in Windows..
> If client machines and servers were in c.example.org natively, with users left in subdomains, would it help?
Not sure I understand, but if all users are in subdomains, then using default_domain_suffix makes sense.
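To make the routing rule in Jakub's answer concrete, here is an added Python model of how an SSSD responder picks the domain to search for a login name. It is written for this thread and is not SSSD's code. It assumes SSSD's default name expression (user@domain, or a bare user), that a bare name is given default_domain_suffix when that option is set and is otherwise searched only in the domain the client is joined to (trusted subdomains require a qualified name), and it uses a constructed forest with the thread's domain names and made-up uids; the class and function names are mine. It covers both Jakub's example.com / c.example.com case and Longina's nat.c.example.org client from the original question.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# SSSD's default name expression: "user@domain", or a bare "user" (empty domain part).
NAME_RE = re.compile(r"^(?P<name>[^@]+)@?(?P<domain>[^@]*)$")


@dataclass
class ClientModel:
    """Toy model (constructed for this thread) of an SSSD client's name-to-domain routing."""
    primary_domain: str                     # the domain the client is joined to
    trusted_domains: List[str]              # other domains of the forest
    users: Dict[Tuple[str, str], int]       # (domain, sAMAccountName) -> uid, constructed directory
    default_domain_suffix: Optional[str] = None
    use_fully_qualified_names: bool = False

    def is_known(self, domain: str) -> bool:
        return domain == self.primary_domain or domain in self.trusted_domains

    def parse_name(self, login: str) -> Tuple[str, Optional[str], bool]:
        """Split a login into (user, domain, via_suffix), like sss_parse_name_for_domains."""
        m = NAME_RE.match(login)
        if not m:
            raise ValueError(f"cannot parse {login!r}")
        name, domain = m.group("name"), m.group("domain") or None
        if domain is None and self.default_domain_suffix:
            return name, self.default_domain_suffix, True   # "using default domain [...]"
        return name, domain, False

    def search_domains(self, domain: Optional[str]) -> List[str]:
        """Domains the responder will search for this name."""
        if domain is not None:
            return [domain] if self.is_known(domain) else []
        if self.use_fully_qualified_names:
            return []                        # bare names are refused outright
        return [self.primary_domain]         # trusted subdomains still need a qualified name

    def getpwnam(self, login: str) -> Optional[Tuple[str, int]]:
        """Return (domain, uid) or None, the way getent passwd succeeds or fails."""
        name, domain, _ = self.parse_name(login)
        for d in self.search_domains(domain):
            uid = self.users.get((d, name))
            if uid is not None:
                return d, uid
        return None


# Constructed forest with the thread's domain names and made-up uids.
FOREST_USERS = {
    ("c.example.org", "user-c"): 10001,
    ("a.c.example.org", "user-a"): 10002,
    ("b.c.example.org", "user-b"): 10003,
    ("nat.c.example.org", "longina"): 10004,
}
TRUSTED = ["c.example.org", "a.c.example.org", "b.c.example.org"]


def nat_client(default_domain_suffix: Optional[str] = None) -> ClientModel:
    """A machine joined to nat.c.example.org, as in Longina's setup (hypothetical client)."""
    return ClientModel("nat.c.example.org", TRUSTED, FOREST_USERS, default_domain_suffix)


def jakub_client() -> ClientModel:
    """Jakub's example: joined to main domain example.com, suffix pointed at c.example.com."""
    users = {("example.com", "administrator"): 500,
             ("c.example.com", "some_user_from_subdomain"): 20001}
    return ClientModel("example.com", ["c.example.com"], users, "c.example.com")


if __name__ == "__main__":
    cases = [(nat_client(), "longina"), (nat_client(), "user-a"),
             (nat_client("c.example.org"), "longina"),
             (nat_client("c.example.org"), "longina@nat.c.example.org"),
             (nat_client("a.c.example.org"), "user-a"),
             (jakub_client(), "administrator"),
             (jakub_client(), "administrator@example.com"),
             (jakub_client(), "some_user_from_subdomain")]
    for client, login in cases:
        print(f"suffix={str(client.default_domain_suffix):18} {login:28} -> {client.getpwnam(login)}")
```

The model shows why a single suffix cannot unqualify every subdomain: pointing default_domain_suffix at c.example.org sends the bare name "longina" to c.example.org, where no such account exists, so the lookup fails even though "longina@nat.c.example.org" resolves. Only the domain named in the suffix (plus the client's own domain when no suffix is set) accepts short names.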
Kind regards, Longina
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: 21 January 2015 21:08
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] login with shortname in AD cross realm
> Not sure I understand, but if all users are in subdomains, then using default_domain_suffix makes sense.
Yes, all users are in subdomains, but there are also users in the top domain c.example.org.
I traced the NFSv4 idmapping problem to the 'nss_getpwnam' call; idmapd on the NFS server can so far resolve only unqualified names local to its domain.
I would like to be able to resolve the 'nss_getpwnam' call for userA (from A.C.EXAMPLE.ORG), userB (from B.C.EXAMPLE.ORG) and userC (from C.EXAMPLE.ORG) with their respective unqualified names on the NFS server.
The setup could be simpler if server and client machines joined C.EXAMPLE.ORG: users from C.EXAMPLE.COM would be in the local domain; users from subdomains could log in unqualified via default_domain_suffix = c.example.org.
Best, longina
Yes, all users are in subdomains, but there are also users in the top domain c.example.org.
I traced the NFSv4 idmapping problem to the 'nss_getpwnam' call; idmapd on the NFS server can so far resolve only unqualified names local to its domain.
I would like to be able to resolve the 'nss_getpwnam' call for
userA (from A.C.EXAMPLE.ORG),
userB (from B.C.EXAMPLE.ORG) and
userC (from C.EXAMPLE.ORG)
with their respective unqualified names on the NFS server and NFS client machine.
Could the lookup be simpler if server and client machines joined C.EXAMPLE.ORG?
Best, Longina
2015-01-21 13:26 GMT+01:00 Longina Przybyszewska longina@sdu.dk:
Maybe you should use the uPNSuffix from domain c.example.org for your user accounts in domains a.c and a.b? Or add a valid one; http://support2.microsoft.com/kb/243629. Is it possible to use that uPNSuffix as default in SSSD?
Regards Davor
On Wed, Jan 21, 2015 at 06:59:11PM +0100, Davor Vusir wrote:
> Maybe you should use the uPNSuffix from domain c.example.org for your user accounts in domains a.c and a.b? Or add a valid one; http://support2.microsoft.com/kb/243629. Is it possible to use that uPNSuffix as default in SSSD?
Yes, since 1.12
Prior to that, you could use either the SSSD domain name as specified in the config file or the NetBIOS name (which was autodiscovered).
I am limited to the version Ubuntu LTS offers - 1.11.7.
I added default_domain_suffix = c.example.org to the [sssd] section of sssd.conf, but user 'longina' from nat.c.example.org cannot log in on a machine joined to NAT.C.EXAMPLE.COM with the short login 'longina'.
I can search for user object 'longina' in the Global Catalog in c.example.org and nat.c.example.org.
Attached log files (sss_pam, sss_nss):

=============== /etc/sssd/sssd.conf ===============

[nss]
debug_level = 9
filter_groups = root
filter_users = root,lightdm,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd

[sssd]
debug_level = 6
domains = nat.c.example.org
default_domain_suffix = c.example.org
config_file_version = 2
services = nss,pam

[pam]
pam_verbosity = 3
debug_level = 9

[domain/nat.c.example.org]
debug_level = 9
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = nat.c.example.org
krb5_realm = NAT.C.EXAMPLE.ORG
#cache_credentials = True
#krb5_store_password_if_offline = True
default_shell = /bin/bash
override_home_directory = /home/%u
use_fully_qualified_names = False
ldap_id_mapping = False
fallback_homedir = /home-local/%u
=========== sssd_pam.log ===========

[sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
[sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'longina' matched without domain, user is longina
[sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [c.example.org]
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): domain: c.example.org
[sssd[pam]] [pam_print_data] (0x0100): user: longina
[sssd[pam]] [pam_print_data] (0x0100): service: lightdm
[sssd[pam]] [pam_print_data] (0x0100): tty: :0
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: not set
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 1991
[sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/c.example.org/longina]
[sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40b150:3:longina@c.example.org]
[sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [c.example.org][3][1][name=longina]
[sssd[pam]] [sbus_add_timeout] (0x2000): 0x13d5420
[sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40b150:3:longina@c.example.org]
[sssd[pam]] [sbus_remove_timeout] (0x2000): 0x13d5420
[sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x13d4600
[sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
[sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [longina@c.example.org]
[sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13d6830
[sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x13d83b0
[sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13d6830
[sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x13d83b0
[sssd[pam]] [ldb] (0x4000): Running timer event 0x13d6830 "ltdb_callback"
[sssd[pam]] [ldb] (0x4000): Destroying timer event 0x13d83b0 "ltdb_timeout"
[sssd[pam]] [ldb] (0x4000): Ending timer event 0x13d6830 "ltdb_callback"
[sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/c.example.org/longina] to negative cache
[sssd[pam]] [pam_check_user_search] (0x0040): No results for getpwnam call
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [10].
[sssd[pam]] [pam_reply] (0x0200): blen: 25
[sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40b150:3:longina@c.example.org]
[sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x13d93d0][17]
[sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x13d0af0
[sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[pam]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
[sssd[pam]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
[sssd[pam]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
[sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x13d93d0][17]
[sssd[pam]] [client_recv] (0x0200): Client disconnected!
[sssd[pam]] [client_destructor] (0x2000): Terminated client [0x13d93d0][17]
=========== sssd_nss.log ===========
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [longina] from [c.example.org]
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/c.example.org/longina]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [longina] does not exist in [c.example.org]! (negative cache)
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [longina].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'longina' matched without domain, user is longina
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [c.example.org]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [longina] from [c.example.org]
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/c.example.org/longina]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [longina] does not exist in [c.example.org]! (negative cache)
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [longina].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'longina' matched without domain, user is longina
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [c.example.org]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [longina] from [c.example.org]
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/c.example.org/longina]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [longina] does not exist in [c.example.org]! (negative cache)
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [longina].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'longina' matched without domain, user is longina
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [c.example.org]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [longina] from [c.example.org]
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/c.example.org/longina]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [longina] does not exist in [c.example.org]! (negative cache)
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [longina@nat.c.example.org].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'longina@nat.c.example.org' matched expression for domain 'nat.c.example.org', user is longina
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [longina] from [nat.c.example.org]
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/nat.c.example.org/longina]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [longina@nat.c.example.org]
[sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x151e6a0
[sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1516d70
[sssd[nss]] [ldb] (0x4000): Running timer event 0x151e6a0 "ltdb_callback"
[sssd[nss]] [ldb] (0x4000): Destroying timer event 0x1516d70 "ltdb_timeout"
[sssd[nss]] [ldb] (0x4000): Ending timer event 0x151e6a0 "ltdb_callback"
[sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x417bf0:1:longina@nat.c.example.org]
[sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [nat.c.example.org][4097][1][name=longina]
[sssd[nss]] [sbus_add_timeout] (0x2000): 0x15282b0
[sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x417bf0:1:longina@nat.c.example.org]
[sssd[nss]] [sbus_remove_timeout] (0x2000): 0x15282b0
[sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1519600
[sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/nat.c.example.org/longina]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [longina@nat.c.example.org]
[sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x151d790
[sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x151d8c0
[sssd[nss]] [ldb] (0x4000): Running timer event 0x151d790 "ltdb_callback"
[sssd[nss]] [ldb] (0x4000): Destroying timer event 0x151d8c0 "ltdb_timeout"
[sssd[nss]] [ldb] (0x4000): Ending timer event 0x151d790 "ltdb_callback"
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [longina@nat.c.example.org]
[sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x417bf0:1:longina@nat.c.example.org]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [longina@nat.c.example.org].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'longina@nat.c.example.org' matched expression for domain 'nat.c.example.org', user is longina
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [longina] from [nat.c.example.org]
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/nat.c.example.org/longina]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [longina@nat.c.example.org]
[sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1528190
[sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1517960
[sssd[nss]] [ldb] (0x4000): Running timer event 0x1528190 "ltdb_callback"
[sssd[nss]] [ldb] (0x4000): Destroying timer event 0x1517960 "ltdb_timeout"
[sssd[nss]] [ldb] (0x4000): Ending timer event 0x1528190 "ltdb_callback"
[sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [longina@nat.c.example.org]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [*other].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name '*other' matched without domain, user is *other
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [c.example.org]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [*other] from [c.example.org]
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/c.example.org/*other]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [*other@c.example.org]
[sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1517960
[sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x151e6a0
[sssd[nss]] [ldb] (0x4000): Running timer event 0x1517960 "ltdb_callback"
[sssd[nss]] [ldb] (0x4000): Destroying timer event 0x151e6a0 "ltdb_timeout"
[sssd[nss]] [ldb] (0x4000): Ending timer event 0x1517960 "ltdb_callback"
[sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x417bf0:1:*other@c.example.org]
[sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [c.example.org][4097][1][name=*other]
[sssd[nss]] [sbus_add_timeout] (0x2000): 0x151a400
[sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x417bf0:1:*other@c.example.org]
[sssd[nss]] [sbus_remove_timeout] (0x2000): 0x151a400
[sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1519600
[sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/c.example.org/*other]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [*other@c.example.org]
[sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1527b00
...
[sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/c.example.org/*other] to negative cache
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
Best, longina
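Added here as an example of reading the sssd_nss.log excerpt above; it is not from the thread or from the SSSD project. The Python parser groups debug records into one lookup per "Running command ... with input [...]" record and reports which domain each name was routed to, whether that domain came from default_domain_suffix, and how the lookup ended. The sample log lines embedded in it are constructed to match the record format Longina posted (debug_level = 9, with timestamps stripped as on the page); the regex names, the Lookup class and the function names are mine.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Record patterns for sssd_nss.log at debug_level = 9, matching the lines quoted in the thread.
RE_INPUT = re.compile(r"Running command \[\d+\] with input \[([^\]]+)\]")
RE_BARE = re.compile(r"name '[^']+' matched without domain, user is (\S+)")
RE_QUALIFIED = re.compile(r"matched expression for domain '([^']+)', user is (\S+)")
RE_DEFAULT = re.compile(r"using default domain \[([^\]]+)\]")
RE_FOUND = re.compile(r"Returning info for user \[([^\]]+)\]")
RE_NEGCACHE = re.compile(r"does not exist in \[([^\]]+)\]! \(negative cache\)")
RE_NORESULT = re.compile(r"No results for getpwnam call")


@dataclass
class Lookup:
    raw_input: str                  # what the caller passed to getpwnam
    user: Optional[str] = None      # name part after parsing
    domain: Optional[str] = None    # domain the responder searched
    via_default_suffix: bool = False
    outcome: str = "unknown"        # found | negative-cache | not-found | unknown


def parse_nss_log(lines) -> List[Lookup]:
    """Group records into one Lookup per 'Running command ... with input [...]' record."""
    lookups: List[Lookup] = []
    cur: Optional[Lookup] = None
    for line in lines:
        if m := RE_INPUT.search(line):
            cur = Lookup(raw_input=m.group(1))
            lookups.append(cur)
        elif cur is None:
            continue                                   # records before the first request
        elif m := RE_BARE.search(line):
            cur.user = m.group(1)
        elif m := RE_QUALIFIED.search(line):
            cur.domain, cur.user = m.group(1), m.group(2)
        elif m := RE_DEFAULT.search(line):
            cur.domain, cur.via_default_suffix = m.group(1), True
        elif RE_FOUND.search(line):
            cur.outcome = "found"
        elif m := RE_NEGCACHE.search(line):
            cur.outcome = "negative-cache"
            cur.domain = cur.domain or m.group(1)
        elif RE_NORESULT.search(line):
            cur.outcome = "not-found"
    return lookups


def misrouted_short_names(lookups: List[Lookup]) -> List[Lookup]:
    """Unqualified inputs that default_domain_suffix sent to a domain where they failed."""
    return [lk for lk in lookups
            if "@" not in lk.raw_input and lk.via_default_suffix and lk.outcome != "found"]


# Constructed sample, modeled on the sssd_nss.log excerpt in the thread.
SAMPLE_LOG = """\
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [longina].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'longina' matched without domain, user is longina
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [c.example.org]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [longina] from [c.example.org]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [longina] does not exist in [c.example.org]! (negative cache)
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [longina@nat.c.example.org].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'longina@nat.c.example.org' matched expression for domain 'nat.c.example.org', user is longina
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [longina] from [nat.c.example.org]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [longina@nat.c.example.org]
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [*other].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name '*other' matched without domain, user is *other
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [c.example.org]
[sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/c.example.org/*other] to negative cache
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call
"""

if __name__ == "__main__":
    lookups = parse_nss_log(SAMPLE_LOG.splitlines())
    for lk in lookups:
        print(f"{lk.raw_input:28} -> user={lk.user} domain={lk.domain} "
              f"suffix={lk.via_default_suffix} outcome={lk.outcome}")
    for lk in misrouted_short_names(lookups):
        print(f"short name {lk.raw_input!r} went to {lk.domain} via default_domain_suffix and failed")
```

Run against a real sssd_nss.log (feed the file's lines to parse_nss_log), the misrouted_short_names report answers the question the excerpt raises: a short name that fails only because the suffix pointed the responder at a domain that does not hold the account, while the same name qualified with its own domain is returned from cache.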
2015-01-23 11:26 GMT+01:00 Longina Przybyszewska longina@sdu.dk:
> I added default_domain_suffix = c.example.org to the [sssd] section of sssd.conf, but user 'longina' from nat.c.example.org cannot log in on a machine joined to NAT.C.EXAMPLE.COM with the short login 'longina'.
Did you change the account longina's UPN suffix from @nat.c.example.org to @c.example.org?
I can search user object 'longina' in Global Catalog in c.example.org and nat.c.example.org
Attached log files(sss_pam, sss_nss):
/etc/sssd/sssd.conf
[nss]
debug_level = 9
filter_groups = root
filter_users = root,lightdm,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd

[sssd]
debug_level = 6
domains = nat.c.example.org
default_domain_suffix = c.example.org
config_file_version = 2
services = nss,pam

[pam]
pam_verbosity = 3
debug_level = 9

[domain/nat.c.example.org]
debug_level = 9
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = nat.c.example.org
krb5_realm = NAT.C.EXAMPLE.ORG
#cache_credentials = True
#krb5_store_password_if_offline = True
default_shell = /bin/bash
override_home_directory = /home/%u
use_fully_qualified_names = False
ldap_id_mapping = False
fallback_homedir = /home-local/%u

========== sssd_pam.log ==========
[sssd[pam]] [pam_cmd_authenticate] (0x0100): entering pam_cmd_authenticate
[sssd[pam]] [sss_parse_name_for_domains] (0x0200): name 'longina' matched without domain, user is longina
[sssd[pam]] [sss_parse_name_for_domains] (0x0200): using default domain [c.example.org]
[sssd[pam]] [pam_print_data] (0x0100): command: PAM_AUTHENTICATE
[sssd[pam]] [pam_print_data] (0x0100): domain: c.example.org
[sssd[pam]] [pam_print_data] (0x0100): user: longina
[sssd[pam]] [pam_print_data] (0x0100): service: lightdm
[sssd[pam]] [pam_print_data] (0x0100): tty: :0
[sssd[pam]] [pam_print_data] (0x0100): ruser: not set
[sssd[pam]] [pam_print_data] (0x0100): rhost: not set
[sssd[pam]] [pam_print_data] (0x0100): authtok type: 1
[sssd[pam]] [pam_print_data] (0x0100): newauthtok type: 0
[sssd[pam]] [pam_print_data] (0x0100): priv: 1
[sssd[pam]] [pam_print_data] (0x0100): cli_pid: 1991
[sssd[pam]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/c.example.org/longina]
[sssd[pam]] [sss_dp_issue_request] (0x0400): Issuing request for [0x40b150:3:longina@c.example.org]
[sssd[pam]] [sss_dp_get_account_msg] (0x0400): Creating request for [c.example.org][3][1][name=longina]
[sssd[pam]] [sbus_add_timeout] (0x2000): 0x13d5420
[sssd[pam]] [sss_dp_internal_get_send] (0x0400): Entering request [0x40b150:3:longina@c.example.org]
[sssd[pam]] [sbus_remove_timeout] (0x2000): 0x13d5420
[sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x13d4600
[sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[pam]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
[sssd[pam]] [pam_check_user_search] (0x0100): Requesting info for [longina@c.example.org]
[sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13d6830
[sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x13d83b0
[sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x13d6830
[sssd[pam]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x13d83b0
[sssd[pam]] [ldb] (0x4000): Running timer event 0x13d6830 "ltdb_callback"
[sssd[pam]] [ldb] (0x4000): Destroying timer event 0x13d83b0 "ltdb_timeout"
[sssd[pam]] [ldb] (0x4000): Ending timer event 0x13d6830 "ltdb_callback"
[sssd[pam]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/c.example.org/longina] to negative cache
[sssd[pam]] [pam_check_user_search] (0x0040): No results for getpwnam call
[sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [10].
[sssd[pam]] [pam_reply] (0x0200): blen: 25
[sssd[pam]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x40b150:3:longina@c.example.org]
[sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x13d93d0][17]
[sssd[pam]] [sbus_dispatch] (0x4000): dbus conn: 0x13d0af0
[sssd[pam]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[pam]] [sbus_message_handler] (0x4000): Received SBUS method [ping]
[sssd[pam]] [sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
[sssd[pam]] [sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
[sssd[pam]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x13d93d0][17]
[sssd[pam]] [client_recv] (0x0200): Client disconnected!
[sssd[pam]] [client_destructor] (0x2000): Terminated client [0x13d93d0][17]

========== sssd_nss.log ==========
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [longina] from [c.example.org]
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/c.example.org/longina]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [longina] does not exist in [c.example.org]! (negative cache)
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [longina].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'longina' matched without domain, user is longina
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [c.example.org]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [longina] from [c.example.org]
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/c.example.org/longina]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [longina] does not exist in [c.example.org]! (negative cache)
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [longina].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'longina' matched without domain, user is longina
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [c.example.org]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [longina] from [c.example.org]
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/c.example.org/longina]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [longina] does not exist in [c.example.org]! (negative cache)
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [longina].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'longina' matched without domain, user is longina
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [c.example.org]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [longina] from [c.example.org]
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/c.example.org/longina]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): User [longina] does not exist in [c.example.org]! (negative cache)
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [longina@nat.c.example.org].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'longina@nat.c.example.org' matched expression for domain 'nat.c.example.org', user is longina
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [longina] from [nat.c.example.org]
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/nat.c.example.org/longina]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [longina@nat.c.example.org]
[sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x151e6a0
[sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1516d70
[sssd[nss]] [ldb] (0x4000): Running timer event 0x151e6a0 "ltdb_callback"
[sssd[nss]] [ldb] (0x4000): Destroying timer event 0x1516d70 "ltdb_timeout"
[sssd[nss]] [ldb] (0x4000): Ending timer event 0x151e6a0 "ltdb_callback"
[sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x417bf0:1:longina@nat.c.example.org]
[sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [nat.c.example.org][4097][1][name=longina]
[sssd[nss]] [sbus_add_timeout] (0x2000): 0x15282b0
[sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x417bf0:1:longina@nat.c.example.org]
[sssd[nss]] [sbus_remove_timeout] (0x2000): 0x15282b0
[sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1519600
[sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/nat.c.example.org/longina]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [longina@nat.c.example.org]
[sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x151d790
[sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x151d8c0
[sssd[nss]] [ldb] (0x4000): Running timer event 0x151d790 "ltdb_callback"
[sssd[nss]] [ldb] (0x4000): Destroying timer event 0x151d8c0 "ltdb_timeout"
[sssd[nss]] [ldb] (0x4000): Ending timer event 0x151d790 "ltdb_callback"
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [longina@nat.c.example.org]
[sssd[nss]] [sss_dp_req_destructor] (0x0400): Deleting request: [0x417bf0:1:longina@nat.c.example.org]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [longina@nat.c.example.org].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name 'longina@nat.c.example.org' matched expression for domain 'nat.c.example.org', user is longina
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [longina] from [nat.c.example.org]
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/nat.c.example.org/longina]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [longina@nat.c.example.org]
[sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1528190
[sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x1517960
[sssd[nss]] [ldb] (0x4000): Running timer event 0x1528190 "ltdb_callback"
[sssd[nss]] [ldb] (0x4000): Destroying timer event 0x1517960 "ltdb_timeout"
[sssd[nss]] [ldb] (0x4000): Ending timer event 0x1528190 "ltdb_callback"
[sssd[nss]] [check_cache] (0x0400): Cached entry is valid, returning..
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0400): Returning info for user [longina@nat.c.example.org]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [reset_idle_timer] (0x4000): Idle timer re-set for client [0x1517e10][21]
[sssd[nss]] [nss_cmd_getbynam] (0x0400): Running command [17] with input [*other].
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): name '*other' matched without domain, user is *other
[sssd[nss]] [sss_parse_name_for_domains] (0x0200): using default domain [c.example.org]
[sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [*other] from [c.example.org]
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/c.example.org/*other]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [*other@c.example.org]
[sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1517960
[sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_timeout": 0x151e6a0
[sssd[nss]] [ldb] (0x4000): Running timer event 0x1517960 "ltdb_callback"
[sssd[nss]] [ldb] (0x4000): Destroying timer event 0x151e6a0 "ltdb_timeout"
[sssd[nss]] [ldb] (0x4000): Ending timer event 0x1517960 "ltdb_callback"
[sssd[nss]] [sss_dp_issue_request] (0x0400): Issuing request for [0x417bf0:1:*other@c.example.org]
[sssd[nss]] [sss_dp_get_account_msg] (0x0400): Creating request for [c.example.org][4097][1][name=*other]
[sssd[nss]] [sbus_add_timeout] (0x2000): 0x151a400
[sssd[nss]] [sss_dp_internal_get_send] (0x0400): Entering request [0x417bf0:1:*other@c.example.org]
[sssd[nss]] [sbus_remove_timeout] (0x2000): 0x151a400
[sssd[nss]] [sbus_dispatch] (0x4000): dbus conn: 0x1519600
[sssd[nss]] [sbus_dispatch] (0x4000): Dispatching.
[sssd[nss]] [sss_dp_get_reply] (0x1000): Got reply from Data Provider - DP error code: 0 errno: 0 error message: Success
[sssd[nss]] [sss_ncache_check_str] (0x2000): Checking negative cache for [NCE/USER/c.example.org/*other]
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [*other@c.example.org]
[sssd[nss]] [ldb] (0x4000): Added timed event "ltdb_callback": 0x1527b00
...
[sssd[nss]] [sss_ncache_set_str] (0x0400): Adding [NCE/USER/c.example.org/*other] to negative cache
[sssd[nss]] [nss_cmd_getpwnam_search] (0x0040): No results for getpwnam call

Best, longina
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Did you change the account longina's UPN suffix from @nat.c.example.org to @c.example.org?
You mean longina's attribute in the AD object? No. I am afraid that change is not possible; the UPN is mostly set to 'example.org' for all user accounts. It can differ from person to person, and there is a reason for that.
Best, Longina
On (21/01/15 12:26), Longina Przybyszewska wrote:
Hi, is it possible to configure SSSD so that logging in with short names across trusted domains becomes possible? The sAMAccountName attribute in AD is unique, and all users have POSIX attributes assigned, so there is no risk of a name mismatch between different domains.
I use the ad provider and all default settings for the AD backend (gc_search_enable);
If use_fully_qualified_names = False, only users from the client machine's native domain can log in with short names; users from other domains are "unknown".
I can successfully run ldapsearch against the Global Catalog in the top domain for login name = shortname for users from different domains:
ldapsearch -H ldap://ldap.c.example.com:3268 -Y GSSAPI -N -b "dc=c,dc=example,dc=org" "(&(objectClass=user)(sAMAccountName=user))"
user = user-a from a.c.example.org
user = user-b from b.c.example.org
If there aren't the same user names (overlapping IDs) in different AD domains, then it could be possible to configure separate domains in sssd.conf.
Each domain should have fqdn disabled:
use_fully_qualified_names = false
If you plan to use id_provider = ad, then you should also disable the subdomains provider to avoid conflicts with other sssd domains:
subdomains_provider = none
I didn't test such a setup. It may not work, but it is worth a try.
LS
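A full sssd.conf that follows the suggestion above, as an added example; it is not a configuration from this thread or from the SSSD project (the sanitized file Lukas later asks for is not on the page). It assumes two AD domains, nat.c.example.org (the domain the machine in the thread is joined to) and a.c.example.org (one of the domains named in the ldapsearch output), and that the host's keytab can authenticate against both domains' domain controllers through the forest trust. All option names are ones already used in the thread; the values for a.c.example.org are assumed.

```ini
# /etc/sssd/sssd.conf (added example with assumed values, not the thread's own file)
[sssd]
config_file_version = 2
services = nss, pam
# One SSSD domain section per AD domain. An unqualified login name is
# searched in every listed domain, in this order, and the first match
# wins; this is why sAMAccountName must be unique across the domains
# (the precondition stated in the thread).
domains = nat.c.example.org, a.c.example.org
# default_domain_suffix is deliberately left unset. With it set to
# c.example.org, the short name 'longina' was routed to c.example.org,
# got no answer there and ended up in the negative cache (see the
# sssd_pam.log in the thread).

[domain/nat.c.example.org]
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = nat.c.example.org
krb5_realm = NAT.C.EXAMPLE.ORG
# short, unqualified names for users of this domain
use_fully_qualified_names = False
# do not auto-discover trusted domains in this section, so it does not
# clash with the sibling section below that handles a.c.example.org
subdomains_provider = none
# uidNumber/gidNumber come from the POSIX attributes in AD, not from
# SID-based ID mapping; the thread states these are forest-wide unique
ldap_id_mapping = False
default_shell = /bin/bash
fallback_homedir = /home-local/%u

[domain/a.c.example.org]
# assumed second domain; same provider settings, different realm
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = a.c.example.org
krb5_realm = A.C.EXAMPLE.ORG
use_fully_qualified_names = False
subdomains_provider = none
ldap_id_mapping = False
default_shell = /bin/bash
fallback_homedir = /home-local/%u
```

After changing the file, restart sssd and invalidate the cache (sss_cache -E) so the negative-cache entries created under the old default_domain_suffix setting do not mask the new lookup path; then check a short name from each domain with getent passwd. Two caveats the thread itself raises: the setup was untested by the person proposing it, and Simo's question about group memberships that span the two domains is left open. With subdomains_provider = none each domain section has no knowledge of the other, so verify cross-domain group membership explicitly before relying on it for access control decisions.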
It seems to work! Thanks! I commented out default_domain_suffix.
Yes, we have unique POSIX uidNumbers in the whole AD forest. Best, longina
On (23/01/15 14:33), Longina Przybyszewska wrote:
Could you share a sanitized sssd.conf?
Just in case someone else would like to solve the same problem.
LS
On Fri, 23 Jan 2015 15:50:52 +0100 Lukas Slebodnik lslebodn@redhat.com wrote:
What happens to group memberships that span multiple domains this way?
Simo.
On (23/01/15 14:33), Longina Przybyszewska wrote:
On (21/01/15 12:26), Longina Przybyszewska wrote:
Hi, Is it possible to configure SSSD to make possible to login with short names
across trusty domains?
The sAMAccount name attribute in AD are unique, and all users have Posix
attributes assigned so there is no risk for name mismatch between different domains.
I use ad provider and all default setting for AD backend(gc_search_enable) ;
If use_fully_qualified_names = False only users from client machines native
domain can login with shortnames; Users from other domains are "unknown".
I can successfully make ldapsearch to Global Catalog in top domain for login
names=shortname for users from different domains:
ldapsearch -H ldap://ldap.c.example.com:3268 -Y GSSAPI -N -b "dc=c,dc=example,dc=org" "(&(objectClass=user)(sAMAccountName=user))"
user = user-a from a.c.example.org
user = user-b from b.c.example.org
If there aren't the same user names (overlapping IDs) in different AD domains, then it could be possible to configure separate domains in sssd.conf.
Each domain should have FQDN disabled: use_fully_qualified_names = false
If you plan to use id_provider = ad then you should also disable the subdomain provider to avoid conflicts with other sssd domains: subdomains_provider = none
I didn't test such a setup. It may not work, but it is worth trying.
It seems to work! Thanks! I commented out default_domain_suffix.
Yes, we have unique Posix uidNumbers in the whole AD forest.
Could you share sanitized sssd.conf?
Just in case someone else would like to solve the same problem.
Sure. We are still testing: login and NFS automounts seem to work, with some replacements for group memberships. It works well for groups local to the server/client domain.
Resources, as well as servers and client machines, are in the same domain, a.c.example.org. Users are separated from resources, in different domains {b,d,e,f..}.c.example.org. The user objects' sAMAccountName attribute and the POSIX attribute uidNumber are unique in the forest.
================== /etc/sssd/sssd.conf ==================
[nss]
debug_level = 9
filter_groups = root
filter_users = root,lightdm,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd

[sssd]
debug_level = 6
domains = n.c.example.org,a.c.example.org,c.example.org
config_file_version = 2
services = nss,pam

[pam]
pam_verbosity = 3
debug_level = 9

[domain/n.c.example.org]
debug_level = 9
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = n.c.example.org
krb5_realm = N.C.EXAMPLE.ORG
default_shell = /bin/bash
override_home_directory = /home/%u
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none

[domain/a.c.example.org]
debug_level = 9
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = a.c.example.org
krb5_realm = A.C.EXAMPLE.ORG
default_shell = /bin/bash
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none

[domain/c.example.org]
debug_level = 9
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = c.example.org
krb5_realm = C.EXAMPLE.ORG
default_shell = /bin/bash
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
Best, Longina
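As an added check, not code from the thread or from the SSSD project: a short Python lint over an sssd.conf laid out like the one above. It flags the two points Lukas raised (subdomains_provider = none on every id_provider = ad domain that uses short names, and default_domain_suffix left unset) and lists the domains across which sAMAccountName and uidNumber must be unique for the setup to be safe. The sample configuration is constructed and only resembles the posted one.

```python
import configparser

# Constructed sample modelled on the sanitized sssd.conf posted in the thread,
# not the original file; a.c.example.org deliberately omits subdomains_provider.
SAMPLE_CONF = """\
[sssd]
domains = n.c.example.org,a.c.example.org,c.example.org
config_file_version = 2
services = nss,pam

[domain/n.c.example.org]
id_provider = ad
use_fully_qualified_names = False
subdomains_provider = none

[domain/a.c.example.org]
id_provider = ad
use_fully_qualified_names = False

[domain/c.example.org]
id_provider = ad
use_fully_qualified_names = False
subdomains_provider = none
"""
TRUE_VALUES = ("true", "1", "yes")
def lint_sssd_conf(text):
    """Return a list of findings for the multi-domain short-name pattern."""
    cp = configparser.ConfigParser(interpolation=None)  # real configs use %u in override_home_directory
    cp.read_string(text)
    findings = []
    sssd = cp["sssd"] if cp.has_section("sssd") else {}
    if "default_domain_suffix" in sssd:
        findings.append("[sssd]: default_domain_suffix is set; short names then resolve in that domain only")
    domains = [d.strip() for d in sssd.get("domains", "").split(",") if d.strip()]
    short_name_domains = []
    for dom in domains:
        sec = "domain/" + dom
        if not cp.has_section(sec):
            findings.append(f"{sec}: listed in [sssd] domains but has no section")
            continue
        s = cp[sec]
        if s.get("use_fully_qualified_names", "false").lower() in TRUE_VALUES:
            continue  # fully qualified names: no short-name collision risk from this domain
        short_name_domains.append(dom)
        if s.get("id_provider") == "ad" and s.get("subdomains_provider", "").lower() != "none":
            findings.append(f"{sec}: id_provider = ad with short names but subdomains_provider != none")
    if len(short_name_domains) > 1:
        findings.append("short names in %d domains; sAMAccountName and uidNumber must be unique across %s"
                        % (len(short_name_domains), ", ".join(short_name_domains)))
    return findings
```

Run it against a real file with `lint_sssd_conf(open("/etc/sssd/sssd.conf").read())`; an empty list means none of the thread's preconditions are visibly violated.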