On Fri, Jun 28, 2013 at 01:12:37AM +0200, Mathieu Bouillaguet wrote:
> I have two more questions for my own knowledge and maybe those of
> others:
>
> * 1st question:
>
> If 2 users, a local user called "aminata" and a domain user
> "aminata@domain" exist, how does sssd choose who we are when we ssh into
> the system with a username of "aminata" and the re_expression is set to:
>
> "(((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))"
>
> which allows three different styles for user names:
>
> • username
> • username@domain.name
> • domain\username
>
> You can ssh in as:
>
> ssh system.example.com -l username@domain.name
>
> for instance?

First, what is a "local domain"? Does that mean that the user resides
in /etc/passwd?

If so, then the order of databases that is queried depends on the
configuration in /etc/nsswitch.conf, in particular the lines starting
with "passwd" for users and "groups" for groups. You should use
"files sss" because you still want root and users that represent various
system services to be queried locally first.

> * 2nd question:
>
> If we have two AD domains A and B. A Linux machine is in the domain B,
> and we want the users from domain A to be able to authenticate in the
> Linux machine. Our sssd configuration is id_provider=ldap
> (ldaps://auth.domainA.com), auth_provider=krb5 (auth.domainA.com). A
> keytab was generated for the Linux machine on domain B AD and installed
> on the machine. Is this architecture possible without using a trust
> relationship from domain A to domain B? My first thought is that it's
> not possible since the Linux system belonging to domain B needs to be
> able to browse the directory of domain A.

No, I don't think this is possible, you should kinit against the KDC
that generated the keytab.

> Thanks in advance for your replies.
> Mathieu
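As an added illustration, not part of either message in this thread and not sssd's own code: a Python sketch of how the quoted re_expression splits a login string into (name, domain), and how the order of sources on the nsswitch.conf "passwd:" line decides which database answers first for the local "aminata" versus the domain "aminata". The /etc/passwd entries, the sssd cache contents and the UIDs are constructed sample data; treating every unqualified name as belonging to one default sssd domain, and matching the domain name case-sensitively, are simplifying assumptions of the sketch. Python's re module rejects a second group with the same name, so the single sssd pattern is split into its three alternatives, tried in the original order, which gives the same split.

```python
import re
from typing import Callable, Dict, Optional, Tuple

# The re_expression quoted in the thread, split into its three alternatives.
# Python's re module refuses a second group with the same name, so the single
# sssd pattern cannot be compiled as-is; trying the alternatives in the
# original order yields the same (name, domain) split.
RE_ALTERNATIVES = [
    re.compile(r"^(?P<domain>[^\\]+)\\(?P<name>.+)$"),  # domain\username
    re.compile(r"^(?P<name>[^@]+)@(?P<domain>.+)$"),    # username@domain.name
    re.compile(r"^(?P<name>[^@\\]+)$"),                 # bare username
]


def parse_login(login: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (name, domain) for a login string; domain is None when unqualified."""
    for rx in RE_ALTERNATIVES:
        m = rx.match(login)
        if m:
            return m.group("name"), m.groupdict().get("domain")
    return None  # the string matches none of the accepted styles


# Constructed sample data standing in for /etc/passwd and the sssd cache.
LOCAL_PASSWD: Dict[str, int] = {"root": 0, "aminata": 1000}
SSSD_USERS: Dict[Tuple[str, str], int] = {("aminata", "domain"): 1257600001}
# Assumption of this sketch: unqualified names are looked up in this one sssd
# domain; a real sssd walks every configured domain in order.
DEFAULT_SSS_DOMAIN = "domain"

Lookup = Callable[[str, Optional[str]], Optional[Tuple[str, int]]]


def lookup_files(name: str, domain: Optional[str]) -> Optional[Tuple[str, int]]:
    """'files' source: /etc/passwd knows nothing about domains."""
    if domain is not None:
        return None
    uid = LOCAL_PASSWD.get(name)
    return ("files", uid) if uid is not None else None


def lookup_sss(name: str, domain: Optional[str]) -> Optional[Tuple[str, int]]:
    """'sss' source: qualified lookups go to the named domain, else the default."""
    uid = SSSD_USERS.get((name, domain or DEFAULT_SSS_DOMAIN))
    return ("sss", uid) if uid is not None else None


NSS_SOURCES: Dict[str, Lookup] = {"files": lookup_files, "sss": lookup_sss}


def resolve(login: str, passwd_line: str = "files sss") -> Optional[Tuple[str, int]]:
    """Walk the nsswitch.conf 'passwd:' sources in order; the first hit wins."""
    parsed = parse_login(login)
    if parsed is None:
        return None
    name, domain = parsed
    for source in passwd_line.split():
        hit = NSS_SOURCES[source](name, domain)
        if hit is not None:
            return hit
    return None


if __name__ == "__main__":
    # Show how flipping the source order changes who a bare "aminata" becomes.
    for line in ("files sss", "sss files"):
        for login in ("aminata", "aminata@domain", "domain\\aminata", "root"):
            print(f"passwd: {line:10} {login:16} -> {resolve(login, line)}")
```

With "files sss", a bare "aminata" resolves to the local UID 1000 and only the qualified forms reach sssd; with "sss files" the same bare name is answered by the domain user first, which is why the reply above recommends keeping "files" ahead of "sss" so root and service accounts stay local.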