> On (21/01/15 12:26), Longina Przybyszewska wrote:
> >Hi,
> >Is it possible to configure SSSD to make it possible to log in with short names
> >across trusted domains?
> >The sAMAccountName attribute in AD is unique, and all users have POSIX
> >attributes assigned, so there is no risk of name mismatch between different
> >domains.
> >
> >I use the ad provider and all default settings for the AD
> >backend (gc_search_enable);
> >
> >If use_fully_qualified_names = False, only users from the client machine's native
> >domain can log in with short names; users from other domains are
> >"unknown".
> >
> >I can successfully run ldapsearch against the Global Catalog in the top domain for login
> >name=shortname for users from different domains:
> >
> >ldapsearch -H ldap://ldap.c.example.com:3268 -Y GSSAPI -N -b "dc=c,dc=example,dc=org" "(&(objectClass=user)(sAMAccountName=user))"
> >user = user-a from a.c.example.org
> >user = user-b from b.c.example.org
> >
> If there aren't the same user names (overlapping IDs) in different AD
> domains, then it could be possible to configure separate domains in sssd.conf.
>
> Each domain should have fqdn disabled:
> use_fully_qualified_names = false
>
> If you plan to use id_provider = ad, then you should also disable the subdomains
> provider to avoid conflicts with other sssd domains:
> subdomains_provider = none
>
> I didn't test such a setup. It needn't work, but it's worth trying.
It seems to work! Thanks!
I commented out default_domain_suffix.
Yes, we have unique Posix uidNumbers in the whole AD forest.
Could you share a sanitized sssd.conf?
Just in case someone else would like to solve the same problem.
LS
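The sanitized sssd.conf requested above does not appear on this page. What follows is an added illustration of the layout the thread describes (two AD domains of one forest configured as separate SSSD domains, each with fqdn disabled and the subdomains provider turned off, and default_domain_suffix left unset); it is not a configuration posted by either participant. The domain names are taken from the ldapsearch output in the thread; the realm names, the ad_domain/krb5_realm lines and the ldap_id_mapping setting are assumptions for the example.

```ini
# /etc/sssd/sssd.conf -- added example, not the poster's configuration.
# File must be owned by root and mode 0600 or sssd refuses to start.

[sssd]
services = nss, pam
# Order matters: for an unqualified login name SSSD tries the domains in
# the order listed here, and the first domain that knows the name wins.
# That is why the thread's precondition (no duplicate sAMAccountName
# across the forest) is essential for short-name logins.
domains = a.c.example.org, b.c.example.org
# Left unset on purpose, as the poster did: a default_domain_suffix would
# qualify every short name with one domain's suffix, so users of the
# other domain would again come back as "unknown".
# default_domain_suffix = a.c.example.org

[nss]

[pam]

[domain/a.c.example.org]
id_provider = ad
access_provider = ad
# Assumed values; both default to the section name / its upper-case form.
ad_domain = a.c.example.org
krb5_realm = A.C.EXAMPLE.ORG
# Allow "user-a" instead of "user-a@a.c.example.org".
use_fully_qualified_names = false
# Do not let the ad provider discover and manage the forest's other
# domains itself; the sibling domain is configured explicitly below.
# Without this, both domains would claim b.c.example.org and conflict.
subdomains_provider = none
# Assumption: the thread states uidNumber values are unique forest-wide,
# so use the POSIX attributes stored in AD. The ad provider's default is
# true (IDs generated from the SID); omit this line to keep that default.
ldap_id_mapping = false

[domain/b.c.example.org]
id_provider = ad
access_provider = ad
ad_domain = b.c.example.org
krb5_realm = B.C.EXAMPLE.ORG
use_fully_qualified_names = false
subdomains_provider = none
ldap_id_mapping = false
```

After restarting sssd, `getent passwd user-a` and `getent passwd user-b` should both resolve by short name; a lookup that resolves only for the client's own domain usually means the second [domain/...] section failed to come online rather than a name-resolution problem, so check the sssd domain log for that section before touching the name settings.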