On (21/01/15 12:26), Longina Przybyszewska wrote:
Hi,
Is it possible to configure SSSD so that users can log in with short names across
trusted domains?
The sAMAccountName attribute in AD is unique, and all users have POSIX attributes
assigned, so there is no risk of a name mismatch between different domains.
I use the ad provider and all default settings for the AD backend (gc_search_enable).
If use_fully_qualified_names = False, only users from the client machine's native domain can
log in with short names; users from other domains are "unknown".
I can successfully run an ldapsearch against the Global Catalog in the top domain for login
names = shortname for users from different domains:
ldapsearch -H ldap://ldap.c.example.com:3268 -Y GSSAPI -N -b "dc=c,dc=example,dc=org" "(&(objectClass=user)(sAMAccountName=user))"
user = user-a from a.c.example.org
user = user-b from b.c.example.org
If there aren't the same user names (overlapping IDs) in different AD domains,
then it could be possible to configure separate domains in sssd.conf.
Each domain should have FQDN disabled:
use_fully_qualified_names = false
If you plan to use id_provider = ad, then you should also disable the
subdomains provider to avoid conflicts with other sssd domains:
subdomains_provider = none
I didn't test such a setup. It may not work, but it is worth trying.
LS
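The layout the reply suggests, written out as a complete sssd.conf, as an added illustration that is not part of the original thread and was not posted by either participant. It assumes the two child domains a.c.example.org and b.c.example.org from the question, that the client is joined to a.c.example.org (the krb5_realm values and the second domain's keytab/SASL identity are assumptions that must match the real environment), and that no sAMAccountName is shared between the two domains, since with use_fully_qualified_names = false SSSD has no way to tell two same-named users apart.

```ini
# /etc/sssd/sssd.conf (added example; values for the second domain are assumptions)
[sssd]
config_file_version = 2
services = nss, pam
# Two independent SSSD domains, one per AD domain; the order here is the
# lookup order for unqualified names, so it also decides which domain wins
# if a short name ever does exist in both.
domains = a.c.example.org, b.c.example.org

[domain/a.c.example.org]
# Native domain of the client (the one the host was joined to).
id_provider = ad
access_provider = ad
ad_domain = a.c.example.org
krb5_realm = A.C.EXAMPLE.ORG
# Short logins for this domain.
use_fully_qualified_names = false
# Do not let this domain also enumerate the forest's trusted domains,
# otherwise b.c.example.org would be served twice (as a subdomain here
# and as its own domain below) and the two would conflict.
subdomains_provider = none

[domain/b.c.example.org]
# Second AD domain served as a separate SSSD domain.
id_provider = ad
access_provider = ad
ad_domain = b.c.example.org
krb5_realm = B.C.EXAMPLE.ORG
use_fully_qualified_names = false
subdomains_provider = none
# Assumption: the host's keytab carries a principal that domain B accepts.
# If it does not, point this domain at a keytab and SASL identity valid
# for B (both names are assumptions and must match the real keytab).
krb5_keytab = /etc/krb5.keytab
ldap_sasl_authid = HOST$@B.C.EXAMPLE.ORG
```

After writing the file (mode 0600, owned by root) and restarting sssd, check each domain separately before trusting short logins: `getent passwd user-a` and `getent passwd user-b` should both resolve without a domain suffix, and `sssctl domain-status b.c.example.org` (or the domain log under /var/log/sssd/) shows whether the second domain actually came online with the assumed keytab. If the same short name exists in both domains, only the first listed domain's entry will ever be returned, which is exactly the overlap the reply warns about.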