Hi,
We have a problem after upgrading from version 11.7 to 12.5.
Identity lookups periodically change from short name to fully qualified name for users
from trust domains.
In turn, users get locked out of files, or cannot log in because the nfsidmap setup can't
figure out the id mapping.
This setup worked in version 11.7
(+ several domains identically configured):

[domain/A.C.DOM.ORG]
debug_level = 9
cache_credentials = true
id_provider = ad
dyndns_update = false
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = a.c.dom.org
krb5_realm = A.C.DOM.ORG
use_fully_qualified_names = false
subdomain_provider = none
ldap_id_mapping = false
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 1h
ad_gpo_access_control = disabled
ad_gpo_default_right = permit

With my new setup, ids from trust domains can't be resolved as short names.
Only ids from the client machine's native domain do.
Cross realm membership resolves fine.

[nss]
debug_level = 7
filter_groups = root
filter_users = root,lightdm,ldap,named,avahi,haldeamon,dbus,radvd,tomcat,radiusd,news,mailman,nscd
[sssd]
debug_level = 9
domains = A.C.DOM.ORG,N.C.DOM.ORG,C.DOM.ORG
config_file_version = 2
services = nss, pam,ssh
[pam]
pam_verbosity = 3
debug_level = 9
[domain/A.C.DOM.ORG]
debug_level = 9
id_provider = ad
dyndns_update = true
ad_hostname = a431.a.c.dom.org
ignore_group_members = true
use_fully_qualified_names = false
ldap_id_mapping = false
ldap_user_name = sAMAccountName
#ldap_user_principal = sAMAccountName
ad_site = DOM
Best,
Longina