Hi,
We're having an issue getting sssd to look up non-qualified names across
our forest. From the documentation it appears this should be supported via
lookups done to the global catalog or, failing that, queries against all
discovered subdomains.
*Setup:*
- Two domains, site.com and b.site.com.
- Host is joined to b.site.com, and is joined to the domain (net ads join)
- Users that will login can be found in either b.site.com and site.com
- usernames and uid's are unique within the forest
*What works:*
- login and lookup for accounts in b.site.com
- login and lookup for site.com accounts when fully qualified (user@site.com)
*Desired behavior:*
- users from site.com can use their non-qualified usernames to connect to
the host
Current Config:
[sssd]
domains = b.site.com
config_file_version = 2
override_space = _
services = nss,pam
[domain/b.site.com]
debug_level = 9
ldap_group_nesting_level = 5
id_provider = ad
auth_provider = ad
default_shell = /bin/bash
ldap_id_mapping = false
simple_allow_groups = groupa@site.com
use_fully_qualified_names = false
ad_enable_gc = true
*Other notes:*
- We attempted to use the setup described here
https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648....,
however clients attempt to authenticate to each domain and fail as they are
only joined to b.site.com.
- Made sure the following attributes were replicated to the global
catalog: uidNumber, gidNumber, loginShell, unixHomeDirectory
- logs show that an ldap query is only attempted against b.site.com for the
non-qualified account.
- logs show that the root domain, site.com, is discovered along w/ its
domain controllers.
- version 1.13.4 (ubuntu 16.04)
Any suggestions?
Thanks,
-Mike
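The diagnostic step in the post ("logs show that an ldap query is only attempted against b.site.com for the non-qualified account") can be made repeatable by scanning the backend debug log for the search base each lookup was sent to. The script below is an added example, not code from the poster or from the sssd project; the log lines it parses are constructed to resemble the `calling ldap_search_ext with [filter][base]` lines that sssd's AD backend emits at debug_level 9, and the helper names (`queried_domains`, `lookups_missing_domain`) are this example's own. Point `SAMPLE_LOG` at the contents of the real sssd_b.site.com.log to use it on a host.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of sssd's AD backend debug output.
# They illustrate the symptom from the post: "mike" is only searched under
# the joined domain, while "alice" is searched under both domains.
SAMPLE_LOG = """\
(Tue Jun 14 10:01:02 2016) [sssd[be[b.site.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=mike)(objectclass=user)(sAMAccountName=*))][DC=b,DC=site,DC=com].
(Tue Jun 14 10:01:02 2016) [sssd[be[b.site.com]]] [sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no errmsg set
(Tue Jun 14 10:01:02 2016) [sssd[be[b.site.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=alice)(objectclass=user))][DC=site,DC=com].
(Tue Jun 14 10:01:03 2016) [sssd[be[b.site.com]]] [sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&(sAMAccountName=alice)(objectclass=user))][DC=b,DC=site,DC=com].
"""

# Filter text sits in the first [...] and the search base in the second.
SEARCH_RE = re.compile(r"calling ldap_search_ext with \[(?P<filter>[^\]]*)\]\[(?P<base>[^\]]*)\]")
# First concrete sAMAccountName in the filter (skips the wildcard "(sAMAccountName=*)" term).
NAME_RE = re.compile(r"\(sAMAccountName=([^)*]+)\)")


def base_to_domain(base):
    """Turn an LDAP base such as 'DC=b,DC=site,DC=com' into 'b.site.com'.
    An empty base (no DC components) is reported as '(empty base)'."""
    parts = [rdn.split("=", 1)[1] for rdn in base.split(",") if rdn.strip().upper().startswith("DC=")]
    return ".".join(parts) if parts else "(empty base)"


def queried_domains(log_text):
    """Map each looked-up account name to the set of domains (derived from
    the search base) that sssd actually sent an LDAP search to."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = SEARCH_RE.search(line)
        if not m:
            continue
        n = NAME_RE.search(m.group("filter"))
        if not n:
            continue
        seen[n.group(1)].add(base_to_domain(m.group("base")))
    return dict(seen)


def lookups_missing_domain(log_text, domain):
    """Return, sorted, the account names whose lookups never reached `domain`.
    For a forest-wide (GC or per-subdomain) lookup every name should appear
    against the root domain as well as the joined one."""
    return sorted(name for name, domains in queried_domains(log_text).items() if domain not in domains)


if __name__ == "__main__":
    for name, domains in sorted(queried_domains(SAMPLE_LOG).items()):
        print(f"{name}: searched in {', '.join(sorted(domains))}")
    print("never searched in site.com:", lookups_missing_domain(SAMPLE_LOG, "site.com"))
```

On a real host the interesting comparison is between a qualified lookup (`getent passwd user@site.com`) and an unqualified one (`getent passwd user`) for the same account: if only the former produces a search whose base is under DC=site,DC=com, the backend is not consulting the root domain or global catalog for unqualified names, which is exactly the behaviour the post describes.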