Running IPA with an AD trust. Users are in AD. Trying to use full_name_format = %1$s to strip the domain from user names. This appears to break supplemental groups in strange ways.
On the IPA server:
Without full_name_format:
# id orion@ad.nwra.com uid=470202603(orion@ad.nwra.com) gid=470202603(orion@ad.nwra.com) groups=470202603(orion@ad.nwra.com),470200513(domain users@ad.nwra.com),470204703(pirep rd users@ad.nwra.com),470204714(wireless access@ad.nwra.com),470204715(nwra-users@ad.nwra.com),470204701(boulder@ad.nwra.com),470207608(heimdall users@ad.nwra.com),470200512(domain admins@ad.nwra.com),470207124(andreas admins@ad.nwra.com)
With:
# id orion@ad.nwra.com uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
If I add:
default_domain_suffix = ad.nwra.com
# id orion uid=470202603(orion) gid=470202603(orion) groups=470202603(orion),470200512(domain admins),470207608(heimdall users),470204714(wireless access),470204715(nwra-users),470204701(boulder),470204703(pirep rd users),470207124(andreas admins),470200513(domain users)
Which I guess makes some sense as you'd need to add the domain suffix back on to find the groups.
But this appears to completely break IPA clients (with full_name_format = %1$s and default_domain_suffix = ad.nwra.com):
# id orion@ad.nwra.com id: orion@ad.nwra.com: no such user # id orion id: orion: no such user
From looking at the server logs, it looks like only the IPA domain is searched
If I reset the server back to normal (drop full_name_format and default_domain_suffix):
# id orion uid=470202603(orion) gid=470202603(orion) groups=470202603(orion)
I don't get any supplemental groups. I see sssd errors like:
(Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_mod_group_member] (0x0400): Error: 2 (No such file or directory) (Mon Mar 30 15:20:52 2015) [sssd[be[nwra.com]]] [sysdb_update_members_ex] (0x0020): Could not add member [orion] to group [name=domain admins,cn=groups,cn=nwra.com,cn=sysdb]. Skipping.
Is t trying "cn=groups,cn=nwra.com,cn=sysdb" instead of "cn=groups,cn=ad.nwra.com,cn=sysdb"