On 16.04.19 10:50, Sumit Bose via FreeIPA-users wrote:
> On Tue, Apr 16, 2019 at 09:06:44AM +0200, Ronald Wimmer via
>> I have managed to log in to an IPA client with a non-existing user.
>> My AD user is z123456@addomain.mydomain.at and I have created a similar user
>> called i123456@ipadomain.mydomain.at. What happened now is that I could log
>> in with the i-User and what I get to see after logging in is this:
>> [email@example.com(a)as12314 ~]$ id
>> [firstname.lastname@example.org(a)as12314 ~]$ whoami
>> The user i123456@addomain.mydomain.at does NOT exist.
>> addomain is set as default domain in the client's sssd.conf.
> Does this change if you remove the default_domain_suffix option from the
> client? Is this option set on the server as well? What is currently
> displayed for the user on the server?
> In general default_domain_suffix should not be used anymore; it is better
> to define a domain lookup order on the IPA server.
I could not reproduce it anymore. UID and GID of the user were correct.
Maybe I used the POSIX group I mapped to an AD group in an incorrect
way. The group had the actual AD group as an external member and I also
added the IPA user (i123456) to this exact POSIX group. I bet that it is
not recommended to do that?
Where should the domain lookup order on the IPA servers be specified?