Hello guys,
I’m running sssd version 1.11 in Ubuntu 14.04 LTS (1.11.5-1ubuntu3) to authenticate users from Active Directory from Windows Server 2012 R2, and I’m trying to achieve logins with the User Principal Name for all users of the domain. But the UPNs are always Enterprise Principal Names.
Let me illustrate the problem with my user account:
Domain: local.example.com
sAMAccountName: ferrao
UPN: ferrao@example.com (there’s no local in the UPN)
I can successfully login with the sAMAccount attribute, which is fine, but I can’t login with ferrao@example.com, which is my UPN. The optimum solution for me is to allow logins from sAMAccount and the UPN. If that’s not possible, the UPN should be the right way instead of the sAMAccountName.
Another annoyance is the homedir pattern with those options in sssd.conf:
default_shell = /bin/bash
fallback_homedir = /home/%d/%u
What I would like to achieve is separated home directories from the EPN. For example:
/home/example.com/user
/home/whatever.example.com/user
But with this pattern I can’t map the way I would like to do.
I’ve looked through man pages and was unable to find any answers for these issues.
Thanks in advance, Vinícius.
Hi
Not sure about the accountname bit but the 2012 schema has full support for rfc2307 out of the box. Store whatever home directory you like on a per user basis under their DN as:
unixHomeDirectory
Likewise:
loginShell
with whatever shell they need. The 1.11.5 ad backend will automatically grab them with no further configuration needed.
Steve
Hello Steve, thank you for the fast reply. I was aware of the AD ldap schema.
I’m avoiding messing with Unix-specific attributes inside AD because Microsoft started the decommissioning of Unix Services. Today there still exist hacks to enable the UNIX Attributes tab in the User Preferences, but they can only be enabled by activating Services for NIS from PowerShell.
I know it’s an option, but the whole point of using SSSD is to avoid messing with AD. If it’s impossible to achieve on the SSSD side, that will be the solution for the second issue.
Thank you, Vinícius.
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On Sun, 2014-05-25 at 22:57 +0000, Vinícius Ferrão wrote:
> Microsoft started the decommissioning of Unix Services.
Eh?
http://technet.microsoft.com/en-us/library/cc731178.aspx#BKMK_command
And even then, you only need it if you want to point and click in ADUC.
Yep!
Take a look here: http://technet.microsoft.com/en-us/library/dn303411.aspx
And the link that you’ve posted only applies to Windows 2012 Server and not the R2 variant. It still works, but has been removed, so we can’t really count on this. There will always be the option to hardcode the Unix attributes inside AD since it’s an LDAP implementation, but I was just avoiding it.
Thanks,
On Mon, 2014-05-26 at 14:36 +0000, Vinícius Ferrão wrote:
> Yep!
> Take a look here: http://technet.microsoft.com/en-us/library/dn303411.aspx
Ah, I see. sfu is now deprecated. I thought you meant the posix classes were on their way out.
Cheers,
Steve
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Vinícius Ferrão
Sent: 26. maj 2014 00:57
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] Login with Enterprise Principal Name with AD backend
> Hello Steve, thank you for the fast reply. I was aware of the AD ldap schema.
> I’m avoiding messing with Unix-specific attributes inside AD because Microsoft started the decommissioning of Unix Services. Today there still exist hacks to enable the UNIX Attributes tab in the User Preferences, but they can only be enabled by activating Services for NIS from PowerShell.
> I know it’s an option, but the whole point of using SSSD is to avoid messing with AD. If it’s impossible to achieve on the SSSD side, that will be the solution for the second issue.
> Thank you, Vinícius.
Hi there,
So what is the scenario for minimal possible AD mess - do not use Posix attributes at all? If we don't plan to use NIS services, but need the Posix schema and Posix attributes for searching uid/gid/autofs maps - are we not safe? It is an important decision for our project, as we are just about to ask for "messing AD" by attaching a gid number to existing AD groups and to keep assigning gid numbers for all groups created in the future. It seems to be the rightest way to achieve unique uid/gid on the Linux clients, as we have different kinds of storage (Sun storage), often with their own algorithm for resolving uids and group ids from the SID in an AD forest with trusted domains. I don't even know how much mess it is to assign a gid number to all AD groups - is it just a piece of cake which MS admins would love? ;(
What could be the safe concept (not IPA yet) for AD Linux integration with sssd to be on the safe side against MS decommissioning of Unix Services?
Best Longina
Hi
You do not need sfu to use posix attributes in AD.
HTH
Steve
How? In fact, too late, already got it. What about the schema for Posix users? It wasn't there before sfu.
Best, Longina
On Mon, 2014-05-26 at 10:33 +0000, Longina Przybyszewska wrote:
> How? In fact, too late, already got it. What about the schema for Posix users? It wasn't there before sfu.
It was introduced as part of the R2 for 2003 and we've had it ever since. sfu sat on top of it and provided a point and click way windows admins could manage unix attributes from the safety of windows: ADUC (the UNIX tab). Recent discussion on the 2012 server from microsoft reinforces the view that rfc2307 in AD is here to stay:
http://blogs.technet.com/b/filecab/archive/2012/10/09/nfs-identity-mapping-i...
HTH
Steve
Thanks for the links - they are both invaluable for me :) Finally got nice window to the hell ;)
Best, Longina
On Mon, May 26, 2014 at 09:46:22AM +0000, Longina Przybyszewska wrote:
> Hi there,
> So what is the scenario for minimal possible AD mess - do not use Posix attributes at all? If we don't plan to use NIS services, but need the Posix schema and Posix attributes for searching uid/gid/autofs maps - are we not safe? It is an important decision for our project, as we are just about to ask for "messing AD" by attaching a gid number to existing AD groups and to keep assigning gid numbers for all groups created in the future. It seems to be the rightest way to achieve unique uid/gid on the Linux clients, as we have different kinds of storage (Sun storage), often with their own algorithm for resolving uids and group ids from the SID in an AD forest with trusted domains. I don't even know how much mess it is to assign a gid number to all AD groups - is it just a piece of cake which MS admins would love? ;(
> What could be the safe concept (not IPA yet) for AD Linux integration with sssd to be on the safe side against MS decommissioning of Unix Services?
> Best Longina
In my opinion, for the cases where you need to interact with several different client implementations, defining the IDs directly on the server side is the safest bet. It does, however, bring a bit more maintenance to keep the IDs from overlapping etc.
It's possible to achieve some level of compatibility with e.g. winbind using the ldap_idmap_autorid_compat option, but since you use completely 3rd party client software, then I guess the POSIX IDs are the best way.
I kind of doubt MSFT will ever remove the support for managing POSIX IDs from AD, that would seriously damage their interoperability.
On Sun, May 25, 2014 at 10:31:14PM +0000, Vinícius Ferrão wrote:
> Hello guys,
> I’m running sssd version 1.11 in Ubuntu 14.04 LTS (1.11.5-1ubuntu3) to authenticate users from Active Directory from Windows Server 2012 R2, and I’m trying to achieve logins with the User Principal Name for all users of the domain. But the UPNs are always Enterprise Principal Names.
> Let me illustrate the problem with my user account:
> Domain: local.example.com
> sAMAccountName: ferrao
> UPN: ferrao@example.com (there’s no local in the UPN)
> I can successfully login with the sAMAccount attribute, which is fine, but I can’t login with ferrao@example.com, which is my UPN. The optimum solution for me is to allow logins from sAMAccount and the UPN. If that’s not possible, the UPN should be the right way instead of the sAMAccountName.
I'll let Sumit answer the above, I think he's already working on making that possible.
> Another annoyance is the homedir pattern with those options in sssd.conf:
> default_shell = /bin/bash
> fallback_homedir = /home/%d/%u
> What I would like to achieve is separated home directories from the EPN. For example:
> /home/example.com/user
> /home/whatever.example.com/user
> But with this pattern I can’t map the way I would like to do.
> I’ve looked through man pages and was unable to find any answers for these issues.
I wonder if I understand your issue correctly, would you like to use the UPN as a new template expansion? If so, then file a RFE please, that should be an easy one to implement.
On May 26, 2014, at 5:05, Jakub Hrozek <jhrozek@redhat.com> wrote:
> I wonder if I understand your issue correctly, would you like to use the UPN as a new template expansion? If so, then file a RFE please, that should be an easy one to implement.
Yep, it’s just more options to create a pattern of home directories. As an example, getting the contents after @ in the User Principal Name and making a folder in /home only with users of this UPN. So we can avoid conflicts like this:
john@example.com
john@whatever.example.com
john@i-will-migrate-to-red-hat-if-you-guys-implement-this.example.com
And so on.
The resulting generated home folders will be something like this:
/home/example.com/john
/home/whatever.example.com/john
/home/i-will-migrate-to-red-hat-if-you-guys-implement-this.example.com/john
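An added sketch, not part of the original thread and not SSSD's code: it models how `/home/%d/%u` expands for the account described in the first message, and how a home directory keyed on the UPN suffix would differ, validating the suffix before it becomes a path component. The helper names, the login-name pattern and the sample john account are assumptions made for illustration; `%f` and `%%` are further expansions from sssd.conf(5).

```python
import re

# Template expansions modelled here: %u (login name), %d (SSSD domain name),
# %f (fully qualified name, login@domain) and %% (literal percent sign).
_EXPANSION = re.compile(r"%(.)")

# One DNS-style label: letters, digits, hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?")
# Conservative login-name pattern (assumption; adjust to site policy).
_LOGIN = re.compile(r"[a-z_][a-z0-9_.-]{0,31}")


def expand_homedir(template, login, domain):
    """Expand a fallback_homedir-style template for one user."""
    values = {"u": login, "d": domain, "f": f"{login}@{domain}", "%": "%"}

    def repl(match):
        key = match.group(1)
        if key not in values:
            raise ValueError(f"unsupported expansion %{key}")
        return values[key]

    return _EXPANSION.sub(repl, template)


def split_upn(upn):
    """Split a userPrincipalName into (login, suffix), rejecting unsafe values.

    The suffix ends up as a directory name, so anything that is not a plain
    DNS-style name ('/', '..', empty labels) is refused instead of cleaned up.
    Names are lower-cased here because AD treats them case-insensitively.
    """
    login, sep, suffix = upn.strip().lower().rpartition("@")
    if not sep or not _LOGIN.fullmatch(login):
        raise ValueError(f"not a usable UPN: {upn!r}")
    labels = suffix.split(".")
    if len(suffix) > 253 or not all(_LABEL.fullmatch(label) for label in labels):
        raise ValueError(f"UPN suffix is not a DNS-style name: {upn!r}")
    return login, suffix


def homedir_by_upn_suffix(upn, base="/home"):
    """Hypothetical layout requested in the thread: <base>/<UPN suffix>/<login>."""
    login, suffix = split_upn(upn)
    return f"{base}/{suffix}/{login}"


# Constructed sample accounts modelled on the thread: every account lives in
# the AD domain local.example.com, but the UPN suffix differs per user.
AD_DOMAIN = "local.example.com"
USERS = [
    ("ferrao", "ferrao@example.com"),
    ("john", "john@whatever.example.com"),
]


def compare(users=USERS, template="/home/%d/%u"):
    """Return (login, path from the template, path from the UPN suffix)."""
    return [
        (sam, expand_homedir(template, sam, AD_DOMAIN), homedir_by_upn_suffix(upn))
        for sam, upn in users
    ]


if __name__ == "__main__":
    for sam, current, wanted in compare():
        print(f"{sam}: {current} -> {wanted}")
```

Because `%d` expands to the domain SSSD is joined to, every user lands under /home/local.example.com regardless of UPN suffix, which is the mismatch the RFE is about.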
On Mon, May 26, 2014 at 04:19:11PM +0000, Vinícius Ferrão wrote:
> Yep, it’s just more options to create a pattern of home directories. As an example, getting the contents after @ in the User Principal Name and making a folder in /home only with users of this UPN. So we can avoid conflicts like this:
> john@example.com
> john@whatever.example.com
> john@i-will-migrate-to-red-hat-if-you-guys-implement-this.example.com
> And so on.
> The resulting generated home folders will be something like this:
> /home/example.com/john
> /home/whatever.example.com/john
> /home/i-will-migrate-to-red-hat-if-you-guys-implement-this.example.com/john
Can you file an RFE at https://fedorahosted.org/sssd/newticket ?
If not, I can file it for you, but I prefer if users voice their requirements themselves :-)
Thank you!
Hello Jakub,
Done: https://fedorahosted.org/sssd/ticket/2340
I hope that I’ve explained exactly what I would like to describe.
About the other issue, login with email addresses or UPN addresses is already in progress, right?
Thanks in advance,
On Sun, May 25, 2014 at 10:31:14PM +0000, Vinícius Ferrão wrote:
> Hello guys,
> I’m running sssd version 1.11 in Ubuntu 14.04 LTS (1.11.5-1ubuntu3) to authenticate users from Active Directory from Windows Server 2012 R2, and I’m trying to achieve logins with the User Principal Name for all users of the domain. But the UPNs are always Enterprise Principal Names.
> Let me illustrate the problem with my user account:
> Domain: local.example.com
> sAMAccountName: ferrao
> UPN: ferrao@example.com (there’s no local in the UPN)
> I can successfully login with the sAMAccount attribute, which is fine, but I can’t login with ferrao@example.com, which is my UPN. The optimum solution for me is to allow logins from sAMAccount and the UPN. If that’s not possible, the UPN should be the right way instead of the sAMAccountName.
Technically this is related to the topic discussed in the '[RFC] Change default regular-expressions for user names' thread (https://lists.fedorahosted.org/pipermail/sssd-devel/2014-May/019642.html) on sssd-devel. It's about finding a user by his Kerberos principal, the Enterprise Principal Names are aliases for the Kerberos principal of the user.
My plan is to include this use-case in the design for the feature discussed in the thread but I'm afraid it will only be available in the next major SSSD release.
HTH
bye, Sumit