Thanks all, the suggestions were incredibly helpful and are working well!  

That strikes wishlist item #1 off my list, now on to the next "wish" -- seeing if FreeIPA's LDAP service can be used to authenticate AD users for scenarios where we can't provide a full IPA client enrollment option.

Regards
Chris


Amos via FreeIPA-users
October 30, 2020 at 3:21 PM
On Mon, Oct 26, 2020 at 8:04 PM Louis Abel via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:


* Like in the comments, don't add that on the IPA server's sssd.conf, only to the clients enrolled to the IPA domain.
* I cannot remember if it also drops the @domain for the groups as well. You'll have to test this for yourself and see.


Yes, it applies to groups as well.

When you do this, you *may* have to put the AD domain as the "default_realm" in /etc/krb5.conf.  If you do, just make sure that the "[domain_realm]" section has a line for that host to the IPA realm.  At least that's what we've done, and things seem to work well for both the AD users and the hosts in the IPA realm.

Amos
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
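As an added illustration of the client-side setup described above (not configuration posted by Amos or Louis), assuming sssd's `use_fully_qualified_names` option is the setting the thread refers to, an IPA domain `ipa.example.com`, a trusted AD domain `example.com`, and a client named `ansible-testhost-01.ipa.example.com`:

```ini
# /etc/sssd/sssd.conf on an enrolled IPA *client* (per the thread, not on the IPA server).
# Domain and host names below are assumed for the example.
[sssd]
domains = ipa.example.com
services = nss, pam

[domain/ipa.example.com]
id_provider = ipa
ipa_domain = ipa.example.com
ipa_server = _srv_, ipa1.ipa.example.com
# Drop the @ipa.example.com suffix for IPA users and groups.
use_fully_qualified_names = False

# Trusted-domain subsection for the AD domain seen through the one-way trust.
# The same option here drops @example.com from AD users and from AD groups.
[domain/ipa.example.com/example.com]
use_fully_qualified_names = False

# /etc/krb5.conf on the same client.
# Amos notes the AD domain may have to become default_realm for short AD logins;
# if so, keep this host and the IPA zone explicitly mapped to the IPA realm.
[libdefaults]
default_realm = EXAMPLE.COM
dns_lookup_realm = false
dns_lookup_kdc = true

[realms]
IPA.EXAMPLE.COM = {
  kdc = ipa1.ipa.example.com:88
  admin_server = ipa1.ipa.example.com:749
}

[domain_realm]
# Without these, the host's own principal would be resolved to the AD realm.
.ipa.example.com = IPA.EXAMPLE.COM
ipa.example.com = IPA.EXAMPLE.COM
ansible-testhost-01.ipa.example.com = IPA.EXAMPLE.COM
```

With short names, sssd resolves an unqualified name against the domains in their configured order, so a name present in both IPA and AD resolves to whichever domain is searched first; check with `id <name>` and `getent group <name>` on a test host before rolling the change out.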
Chris Dagdigian
October 23, 2020 at 8:25 AM
Hi folks,

I've got a simple FreeIPA topology with a 1-way trust to a nice uncomplicated Active Directory environment. Unlike my other projects there is no complex AD forest or topology to navigate; just a single integrated domain.

Because of this we have short usernames working for login just fine; works great. Instead of "chris@domain.com" I can log in as "chris".

However, I was asked if it was possible to also use short (aka "not fully qualified") names when looking at local 'id', user and group info.

Basically the question was whether it was possible to use short names for everything, including ID views, getent output and group output.

This is where my knowledge hits a wall -- I think this level of username and group handling is fed into NSS via IPA? If so, is there a way to alter FreeIPA to use unqualified names -- presumably via altering or creating a new Trust View and applying it to the hosts? Not really sure if this is sensible or even advisable, but I've been asked to research it.

Here is an example:


## Short login works fine! My AD username is "dagdigian@example.com" ...
$ ssh dagdigian@172.17.0.57
Last login: Thu Oct 22 22:37:32 2020 from 10.10.210.63


## But users are asking about the OS view of usernames and groups:
## Is there a way to use non fully qualified names in these sorts of views, possibly via new Trust Views on the IPA server side?
## Is this even reasonable to consider doing?

[dagdigian@example.com@ansible-testhost-01 ~]$ id


uid=1087803012(dagdigian@example.com) gid=1087803012(dagdigian@example.com) groups=1087803012(dagdigian@example.com),692600000(admins@ipa.example.com),692600010(example_admins_posix@exaple.com),1087800513(domain users@example.com),1087803220(consultants@example.com)

[dagdigian@example.com@ansible-testhost-01 ~]$
Thanks!

Regards
Chris