On Fri, 23 Jan 2015 15:50:52 +0100
Lukas Slebodnik <lslebodn(a)redhat.com> wrote:
> On (23/01/15 14:33), Longina Przybyszewska wrote:
> >
> >> On (21/01/15 12:26), Longina Przybyszewska wrote:
> >> >Hi,
> >> >Is it possible to configure SSSD to make possible to login with
> >> >short names across trusted domains?
> >> >The sAMAccountName attribute in AD is unique, and all users
> >> >have Posix attributes assigned so there is no risk of name
> >> >mismatch between different domains.
> >> >
> >> >I use the ad provider and all default settings for the AD
> >> >backend (gc_search_enable);
> >> >
> >> >If use_fully_qualified_names = False only users from the client
> >> >machine's native domain can login with short names; users from
> >> >other domains are "unknown".
> >> >
> >> >I can successfully make an ldapsearch to the Global Catalog in the top
> >> >domain for login names=shortname for users from different domains:
> >> >
> >> >ldapsearch -H ldap://ldap.c.example.com:3268 -Y GSSAPI -N -b "dc=c,dc=example,dc=org" "(&(objectClass=user)(sAMAccountName=user))"
> >> >user = user-a from a.c.example.org
> >> >user = user-b from b.c.example.org
> >> >
> >> If there aren't the same user names (overlapping IDs) in different
> >> AD domains then it could be possible to configure separate domains
> >> in sssd.conf.
> >>
> >> Each domain should have fqdn disabled.
> >> use_fully_qualified_names = false
> >>
> >> If you plan to use id_provider = ad then you should also disable the
> >> subdomain provider to avoid conflicts with other sssd domains.
> >> subdomains_provider = none
> >>
> >> I didn't test such a setup. It might not work, but it's worth trying.
> >
> >It seems to work! Thanks!
> >I commented out default_domain_suffix.
> >
> >Yes, we have unique Posix uidNumbers in the whole AD forest.
> Could you share a sanitized sssd.conf?
> Just in case someone else would like to solve the same problem.

What happens to group memberships that span multiple domains this way?
Simo.
--
Simo Sorce * Red Hat, Inc * New York
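An added illustration of the setup discussed in this thread (not a configuration posted by any of the participants): each AD domain of the forest is declared as its own sssd domain with short names enabled and the subdomain provider turned off. The domain names follow the thread's a.c.example.org / b.c.example.org; the ad_server values are placeholders.

```ini
# Added example; assumes the hostnames dc1.a.c.example.org / dc1.b.c.example.org
# (placeholders) and that the client keytab can authenticate to both domains.
[sssd]
services = nss, pam
# Order matters: an unqualified name is looked up in the listed order, so a
# sAMAccountName that exists in both domains would resolve to the first one.
domains = a.c.example.org, b.c.example.org
# default_domain_suffix is intentionally not set (commented out in the thread);
# it would pin every unqualified name to a single domain.

[domain/a.c.example.org]
id_provider = ad
access_provider = ad
ad_domain = a.c.example.org
ad_server = dc1.a.c.example.org
# The forest carries unique POSIX uidNumbers (per the thread), so use them
# instead of SSSD's algorithmic SID-to-ID mapping.
ldap_id_mapping = false
# Short names, and no trust-discovered subdomains: the other AD domain is a
# separate sssd domain below, so discovering it here again would conflict.
use_fully_qualified_names = false
subdomains_provider = none

[domain/b.c.example.org]
id_provider = ad
access_provider = ad
ad_domain = b.c.example.org
ad_server = dc1.b.c.example.org
ldap_id_mapping = false
use_fully_qualified_names = false
subdomains_provider = none
```

After restarting sssd, `getent passwd user-a` and `getent passwd user-b` should both resolve by short name; `id user-b` shows which groups are attached, which is the quickest way to see how the cross-domain group memberships Simo asks about actually come out on a given client.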