Hi,
In my setup (hello Hadoop!) I have the requirement to simplify user names from a trusted domain (AD -> FreeIPA -> sssd) so they don't contain "@". Furthermore, "id username" needs to return information.
Thus bolke@ad.local needs to become bolke (or bolke_ad_local). And "id -Gn bolke" needs to return my group memberships.
I tried setting
auth_to_local = { RULE:[1:$1@$0](^.*@AD.LOCAL$)s/@AD.LOCAL// DEFAULT }
in /etc/krb5.conf, but that does not seem to work. How do I go about this?
Thanks! Bolke
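To see what the RULE above actually produces, here is an added example (not code from the thread, from MIT krb5 or from Hadoop) that evaluates auth_to_local rules the way krb5_aname_to_localname() does: `[n:fmt]` selects n-component principals and expands `$0` (realm) and `$1..$n` (components), the `(regexp)` part must match the result, and `s/pat/rep/[g]` rewrites it. Two modelling assumptions are mine: the regexp is required to match the whole formatted string (Bolke's pattern is anchored with ^ and $, so it makes no difference here), and the substitution is a regex substitution applied once unless `g` is given. The principals fed in at the bottom are constructed for the demonstration.

```python
"""Added example: evaluate MIT krb5 auth_to_local RULE/DEFAULT entries.
Assumptions: the (regexp) part must match the entire formatted string, and
s/pat/rep/ is a regex substitution applied once unless the g flag is set."""
import re

RULE_HEAD = re.compile(r"^RULE:\[(\d+):([^\]]*)\]")
RULE_REGEXP = re.compile(r"^\((.*?)\)(?=s/|$)")
RULE_SED = re.compile(r"^s/((?:[^/\\]|\\.)*)/((?:[^/\\]|\\.)*)/(g?)$")


def parse_principal(principal):
    """Split 'comp1/comp2@REALM' into (components, realm)."""
    name, sep, realm = principal.rpartition("@")
    if not sep or not name:
        raise ValueError("principal without realm: %r" % principal)
    return name.split("/"), realm


def parse_rule(rule):
    """Split 'RULE:[n:fmt](regexp)s/pat/rep/[g]' into (n, fmt, regexp, sed).
    regexp and sed are optional and come back as None when absent."""
    head = RULE_HEAD.match(rule)
    if head is None:
        raise ValueError("not a RULE: %r" % rule)
    rest = rule[head.end():]
    regexp = None
    m = RULE_REGEXP.match(rest)
    if m:
        regexp, rest = m.group(1), rest[m.end():]
    sed = None
    if rest:
        m = RULE_SED.match(rest)
        if m is None:
            raise ValueError("bad substitution in %r" % rule)
        sed = (m.group(1), m.group(2), m.group(3) == "g")
    return int(head.group(1)), head.group(2), regexp, sed


def apply_rule(rule, principal):
    """Return the local name one RULE produces, or None if the rule does not apply."""
    ncomp, fmt, regexp, sed = parse_rule(rule)
    comps, realm = parse_principal(principal)
    if len(comps) != ncomp:          # [n:...] only fires for n-component principals
        return None
    # $0 is the realm, $1..$n are the principal components
    selected = re.sub(r"\$(\d+)",
                      lambda m: realm if m.group(1) == "0" else comps[int(m.group(1)) - 1],
                      fmt)
    if regexp is not None and re.fullmatch(regexp, selected) is None:
        return None
    if sed is not None:
        pattern, replacement, everywhere = sed
        selected = re.sub(pattern, replacement, selected, count=0 if everywhere else 1)
    return selected


def auth_to_local(rules, principal, default_realm):
    """Walk an auth_to_local list in order; None means krb5 finds no local name."""
    comps, realm = parse_principal(principal)
    for rule in rules:
        if rule == "DEFAULT":
            # DEFAULT maps only single-component principals of the default realm
            if realm == default_realm and len(comps) == 1:
                return comps[0]
            continue
        local = apply_rule(rule, principal)
        if local is not None:
            return local
    return None


if __name__ == "__main__":
    # Constructed inputs: Bolke's rule plus DEFAULT, IPA.LOCAL as the default realm.
    RULES = ["RULE:[1:$1@$0](^.*@AD.LOCAL$)s/@AD.LOCAL//", "DEFAULT"]
    for p in ("bolke@AD.LOCAL", "bolke@IPA.LOCAL", "host/nn.ipa.local@AD.LOCAL"):
        print(p, "->", auth_to_local(RULES, p, "IPA.LOCAL"))
```

The rule itself maps bolke@AD.LOCAL to bolke. Two things to keep in mind when checking a krb5.conf: MIT expects one `auth_to_local = ...` relation per rule inside the realm's entry under `[realms]`, and auth_to_local is only consulted by Kerberos-aware code mapping an authenticated principal to a local account (Hadoop implements the same RULE syntax itself in hadoop.security.auth_to_local). NSS lookups such as `id -Gn bolke` go through sssd and never see these rules, which is where the sssd options in the replies below come in.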
On Fri, Jan 29, 2016 at 04:47:04PM +0100, Bolke de Bruin wrote:
> Hi,
> In my setup (hello Hadoop!) I have the requirement to simplify user names from a trusted domain (AD -> FreeIPA -> sssd) so they don't contain "@". Furthermore, "id username" needs to return information.
> Thus bolke@ad.local needs to become bolke (or bolke_ad_local). And "id -Gn bolke" needs to return my group memberships.
If it is only about the '@' sign I would recommend to use the sssd options full_name_format and re_expression.
full_name_format defines how the name returned e.g. by getent passwd or id looks. E.g. with
full_name_format = %1$s_%2$s
the name is returned as 'bolke_ad.local' or with
full_name_format = %1$s_%3$s
the name is returned as 'bolke_ad' if 'ad' is the NetBIOS domain name of your AD domain. Please note that you have to remove the SSSD cache with rm after a change of full_name_format.
re_expression tells SSSD how to parse the input and with
re_expression = (((?P<Name>[^@]+)_(?P<Domain>.+$))|((?P<Domain>[^\\]+)\\(?P<Name>.+$))|((?P<Name>[^@]+)@(?P<Domain>.+$))|(^(?P<Name>[^@\\]+)$))
SSSD should be able to understand 'bolke_ad.local' or 'bolke_ad' as input as well.
You can find more details about the options in the sssd.conf man page.
HTH
bye, Sumit
> I tried setting
> auth_to_local = { RULE:[1:$1@$0](^.*@AD.LOCAL$)s/@AD.LOCAL// DEFAULT }
> in /etc/krb5.conf, but that does not seem to work. How do I go about this?
> Thanks! Bolke
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org
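The two options in Sumit's reply interact: re_expression decides how a login string is split into name and domain, full_name_format decides how the pair is printed back, and the printed form has to be parseable again. The following is an added example, not code from the thread or from SSSD, that models both steps so a candidate configuration can be checked offline before editing sssd.conf. Modelling assumptions, all mine: SSSD runs re_expression as an unanchored PCRE search, so at each start position the alternatives are tried left to right and the first match wins; Python's re module rejects duplicate group names, so the top-level alternation is split and each branch is compiled on its own; group names are compared case-insensitively so that the sssd.conf(5) default spelling (name, domain) and the Name/Domain spelling in the reply both work. The sssd.conf fragment, the domain name ipa.local and the login strings are constructed for the demonstration.

```python
"""Added example: model SSSD's re_expression parsing and full_name_format
rendering. Assumptions: unanchored leftmost-first alternation as in PCRE;
each branch compiled separately because Python's re forbids duplicate group
names; group names matched case-insensitively."""
import configparser
import re

# Constructed sssd.conf fragment; the domain name is made up for the example.
SSSD_CONF = r"""
[domain/ipa.local]
full_name_format = %1$s_%2$s
re_expression = (((?P<Name>[^@]+)_(?P<Domain>.+$))|((?P<Domain>[^\\]+)\\(?P<Name>.+$))|((?P<Name>[^@]+)@(?P<Domain>.+$))|(^(?P<Name>[^@\\]+)$))
"""


def load_domain_options(conf_text, domain):
    """Read full_name_format and re_expression for [domain/<domain>]."""
    cp = configparser.ConfigParser(interpolation=None)   # values contain '%'
    cp.read_string(conf_text)
    section = cp["domain/" + domain]
    return section["full_name_format"], section["re_expression"]


def split_alternation(expr):
    """Split A|B|C at the top level, stepping over escapes and nested groups;
    one group wrapping the whole pattern, as in (A|B|C), is unwrapped first."""
    parts, depth, start, skip = [], 0, 0, False
    enclosed = expr.startswith("(")
    for i, c in enumerate(expr):
        if skip:
            skip = False
        elif c == "\\":
            skip = True
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
            if depth == 0 and i < len(expr) - 1:
                enclosed = False      # the first group closed before the end
        elif c == "|" and depth == 0:
            parts.append(expr[start:i])
            start = i + 1
    parts.append(expr[start:])
    if len(parts) == 1 and enclosed and depth == 0 and expr.endswith(")"):
        return split_alternation(expr[1:-1])
    return parts


def compile_alternatives(re_expression):
    """One compiled pattern per top-level branch, in the order SSSD would try them."""
    return [re.compile(branch) for branch in split_alternation(re_expression)]


def parse_name(login, alternatives):
    """Return (name, domain) as SSSD would see it; domain is None for a bare name."""
    for pos in range(len(login)):
        for branch in alternatives:
            m = branch.match(login, pos)
            if m:
                groups = {k.lower(): v for k, v in m.groupdict().items()}
                return groups.get("name"), groups.get("domain")
    return None


def format_name(fmt, name, domain, flat=None):
    """Expand full_name_format: %1$s user name, %2$s domain name, %3$s flat (NetBIOS) name."""
    values = {"1": name, "2": domain, "3": flat}

    def fill(m):
        value = values[m.group(1)]
        if value is None:
            raise ValueError("%%%s$s used but no value available for %r" % (m.group(1), name))
        return value

    return re.sub(r"%([123])\$s", fill, fmt)


if __name__ == "__main__":
    fmt, expr = load_domain_options(SSSD_CONF, "ipa.local")
    alts = compile_alternatives(expr)
    for login in ("bolke@ad.local", "bolke_ad.local", r"AD\bolke", "bolke", "john_doe@ad.local"):
        print("%-20s -> %s" % (login, parse_name(login, alts)))
    print(format_name(fmt, "bolke", "ad.local"))                 # bolke_ad.local
    print(format_name("%1$s_%3$s", "bolke", "ad.local", "AD"))   # bolke_AD
```

The round trip bolke@ad.local -> bolke_ad.local -> (bolke, ad.local) works, and so do the AD\bolke and bare-name forms. The last login in the list is the check worth running against your own directory: because the `_` branch is tried before the `@` branch, a user@domain login whose user part itself contains an underscore (john_doe@ad.local) is split at the underscore, so pick a separator that cannot occur in your sAMAccountNames before settling on one. Remember Sumit's point that the cache files under /var/lib/sss/db/ have to be removed after changing full_name_format, since cached entries were stored under the old name form.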
On Fri, Jan 29, 2016 at 05:18:06PM +0100, Sumit Bose wrote:
> On Fri, Jan 29, 2016 at 04:47:04PM +0100, Bolke de Bruin wrote:
>> Hi,
>> In my setup (hello Hadoop!) I have the requirement to simplify user names from a trusted domain (AD -> FreeIPA -> sssd) so they don't contain "@". Furthermore, "id username" needs to return information.
>> Thus bolke@ad.local needs to become bolke (or bolke_ad_local). And "id -Gn bolke" needs to return my group memberships.
> If it is only about the '@' sign I would recommend to use the sssd options full_name_format and re_expression.
> full_name_format defines how the name returned e.g. by getent passwd or id looks. E.g. with
> full_name_format = %1$s_%2$s
> the name is returned as 'bolke_ad.local' or with
> full_name_format = %1$s_%3$s
> the name is returned as 'bolke_ad' if 'ad' is the NetBIOS domain name of your AD domain. Please note that you have to remove the SSSD cache with rm after a change of full_name_format.
> re_expression tells SSSD how to parse the input and with
> re_expression = (((?P<Name>[^@]+)_(?P<Domain>.+$))|((?P<Domain>[^\\]+)\\(?P<Name>.+$))|((?P<Name>[^@]+)@(?P<Domain>.+$))|(^(?P<Name>[^@\\]+)$))
> SSSD should be able to understand 'bolke_ad.local' or 'bolke_ad' as input as well.
> You can find more details about the options in the sssd.conf man page.
> HTH
> bye, Sumit
I would just add that shortnames (that is, if you used only full_name_format=$1) would probably not work as tracked in: https://fedorahosted.org/sssd/ticket/2838
Unfortunately this is not so easy to fix until we finish some pending changes to our internal database.