* Like in the comments, don't add that on the IPA server's sssd.conf, only to the clients enrolled in the IPA domain.
* I cannot remember if it also drops the @domain for the groups as well. You'll have to test this for yourself and see.
Yes, it applies to groups as well.

When you do this, you *may* have to put the AD domain as the "default_realm" in /etc/krb5.conf. If you do, just make sure that the "[domain_realm]" section has a line for that host to the IPA realm. At least that's what we've done, and things seem to work well for both the AD users and the hosts in the IPA realm.
Amos
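The [domain_realm] caveat in Amos's reply, as an added example that is not part of the thread and not FreeIPA or SSSD code: a small Python model of how a Kerberos client picks a realm for a hostname from krb5.conf, run against a constructed krb5.conf with and without the mapping line. Assumed names are the AD realm EXAMPLE.COM, the IPA realm IPA.EXAMPLE.COM and the client ansible-testhost-01.ipa.example.com, extended from Chris's output below. The resolver is deliberately simplified (exact host, then parent domains with a leading dot, then default_realm) and omits the DNS TXT lookups, realm_try_domains and KDC referrals a real libkrb5 also tries. The sssd.conf setting the first bullet refers to as "that" is not quoted on this page, so it is not modelled here.

```python
"""
Model of krb5.conf [domain_realm] resolution for the setup Amos describes:
default_realm set to the AD realm, plus an explicit mapping of the IPA host
to the IPA realm.  Added example; not from the thread, FreeIPA or SSSD.

Assumptions (not stated on the page):
  - AD realm EXAMPLE.COM, IPA realm IPA.EXAMPLE.COM, IPA client
    ansible-testhost-01.ipa.example.com.
  - Simplified resolver: exact host, then parent domains with a leading
    dot, then default_realm.  Real MIT krb5 also consults DNS TXT records,
    realm_try_domains and KDC referrals before falling back.
"""
import configparser

# Constructed krb5.conf fragment following Amos's recommendation.
KRB5_CONF_WITH_MAPPING = """
[libdefaults]
default_realm = EXAMPLE.COM

[domain_realm]
.ipa.example.com = IPA.EXAMPLE.COM
ipa.example.com = IPA.EXAMPLE.COM
ansible-testhost-01.ipa.example.com = IPA.EXAMPLE.COM
"""

# The same file with the [domain_realm] lines left out: the case Amos warns about.
KRB5_CONF_WITHOUT_MAPPING = """
[libdefaults]
default_realm = EXAMPLE.COM

[domain_realm]
"""


def parse_krb5_conf(text):
    """Return (default_realm, {lowercased host-or-.domain: REALM})."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str  # keep realm and host spelling as written
    cp.read_string(text)
    default_realm = cp.get("libdefaults", "default_realm", fallback=None)
    mapping = dict(cp.items("domain_realm")) if cp.has_section("domain_realm") else {}
    return default_realm, {k.lower(): v for k, v in mapping.items()}


def host_realm(hostname, default_realm, mapping):
    """Pick the realm for a host: exact entry, then '.parent' entries, then default."""
    host = hostname.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return default_realm


def demonstrate():
    """Resolve the IPA client and an AD host under both config variants."""
    results = {}
    for label, text in (("with_mapping", KRB5_CONF_WITH_MAPPING),
                        ("without_mapping", KRB5_CONF_WITHOUT_MAPPING)):
        default_realm, mapping = parse_krb5_conf(text)
        results[label] = {
            "ipa_client": host_realm("ansible-testhost-01.ipa.example.com",
                                     default_realm, mapping),
            "ad_host": host_realm("dc01.example.com", default_realm, mapping),
        }
    return results


if __name__ == "__main__":
    for label, realms in demonstrate().items():
        print(label, realms)
```

With the mapping present the IPA client resolves to IPA.EXAMPLE.COM and the AD host to EXAMPLE.COM; with it missing, the IPA client falls through to the AD default_realm, which is the misdirected ticket request the [domain_realm] line exists to prevent.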
Hi folks,
I've got a simple FreeIPA topology with a 1-way trust to a nice uncomplicated Active Directory environment. Unlike my other projects there is no complex AD forest or topology to navigate; just a single integrated domain.

Because of this we have short usernames working for login just fine; works great. Instead of "chris@domain.com" I can log in as "chris".

However I was asked if it was possible to also use short, aka "not fully qualified", names when looking at local 'id', user and group info. Basically the question was if it was possible to use short names for everything including ID views, getent output and group output.

This is where my knowledge hits a wall -- I think this level of username and group handling is fed into NSS via IPA? If so, is there a way to alter FreeIPA to use unqualified names -- presumably via altering or creating a new Trust View and applying it to the hosts? Not really sure if this is sensible or even advisable, but I've been asked to research it.
Here is an example:
## Short login works fine! My AD username is "dagdigian@example.com" ...
$ ssh dagdigian@172.17.0.57
Last login: Thu Oct 22 22:37:32 2020 from 10.10.210.63

## But users are asking about the OS view of usernames and groups:
## Is there a way to use non-fully-qualified names in these sorts of views, possibly via new Trust Views on the IPA server side?
## Is this even reasonable to consider doing?
[dagdigian@example.com@ansible-testhost-01 ~]$ id
uid=1087803012(dagdigian@example.com) gid=1087803012(dagdigian@example.com) groups=1087803012(dagdigian@example.com),692600000(admins@ipa.example.com),692600010(example_admins_posix@exaple.com),1087800513(domain users@example.com),1087803220(consultants@example.com)
[dagdigian@example.com@ansible-testhost-01 ~]$
Thanks!
Regards
Chris