On Wed, Nov 02, 2016 at 03:59:18PM -0000, downloader009(a)gmail.com wrote:
I have a domain "example.com" which has several child domains
"abc.example.com", "def.example.com", "ghi.example.com".
I have joined my CentOS 6.8 server to the domain "example.com" using adcli and
my sssd version is sssd-1.13.3-22
Here is my sssd.conf:
====================== BEGIN =======================
[sssd]
services = nss, pam, ssh
config_file_version = 2
domains = example.com

[pam]
pam_id_timeout = 20

[domain/example.com]
id_provider = ad
auth_provider = ad
ldap_id_mapping = true
cache_credentials = true
override_homedir = /home/%u
subdomain_enumerate = all
krb5_auth_timeout = 20
override_shell = /bin/bash
======================== END =========================
I have user1 in example.com
and user2 in abc.example.com
when I run "getent passwd user1" I get the expected output.
But when I run "getent passwd user2", I do not get any output.
And when I run "getent passwd user2@abc.example.com", I get the output as
I would like to use only the username (without the child domain name suffix) for all
purposes (login/id command/getent command etc).
How can I get the getent output for the IDs in the child domain to be the same as the
getent output for IDs in the parent domain?
I have read the man pages and also tried the "use_fully_qualified_names =
false" option. It didn't help the child domain IDs
The trusted domains are always fully qualified, this is currently
hardcoded and cannot be changed. One workaround
you can try is to set:
full_name_format = %1$s
However, this is known to work only with sssd-1.14+. I've seen quite a
few issues reported by people who tried this option with IPA-AD trust
setups, but I don't remember off-hand if the same issues would appear
with AD direct integration.
The input must always be qualified, though; this might only change in
the upcoming version (1.15).
The other option is to disable the subdomains provider and declare both
domains separately in the configuration file.
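The second option spelled out as an sssd.conf, as an added example that is not from this thread or the sssd project: both domains get their own section, the subdomains provider is switched off in each, and unqualified names are allowed per domain. It assumes the host's existing example.com keytab is also accepted by the abc.example.com DCs; if it is not, that section needs its own join or keytab, which the thread does not cover.

```ini
[sssd]
services = nss, pam, ssh
config_file_version = 2
# A bare name is looked up in the order listed here, so a user that
# exists in both domains resolves to the example.com entry first.
domains = example.com, abc.example.com

[pam]
pam_id_timeout = 20

[domain/example.com]
id_provider = ad
auth_provider = ad
ad_domain = example.com
# Do not discover abc.example.com as a trusted subdomain; it is a
# separate section below, so its users are not forced to be qualified.
subdomains_provider = none
use_fully_qualified_names = false
ldap_id_mapping = true
cache_credentials = true
krb5_auth_timeout = 20
override_homedir = /home/%u
override_shell = /bin/bash

[domain/abc.example.com]
id_provider = ad
auth_provider = ad
ad_domain = abc.example.com
subdomains_provider = none
use_fully_qualified_names = false
# ID mapping derives the range from each domain's SID, so UIDs stay
# consistent with the ranges the single-domain setup already produced.
ldap_id_mapping = true
cache_credentials = true
krb5_auth_timeout = 20
override_homedir = /home/%u
override_shell = /bin/bash
```

After restarting sssd, clear the cache (sss_cache -E) before re-testing "getent passwd user2", otherwise the old negative cache entry can still hide the result.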