On (23/01/15 14:33), Longina Przybyszewska wrote:
>
>> On (21/01/15 12:26), Longina Przybyszewska wrote:
>> >Hi,
>> >Is it possible to configure SSSD to make it possible to log in with
>> >short names across trusted domains?
>> >The sAMAccountName attribute in AD is unique, and all users have
>> >Posix attributes assigned, so there is no risk of a name mismatch between
>> >different domains.
>> >
>> >I use the ad provider and all default settings for the AD
>> >backend (gc_search_enable);
>> >
>> >If use_fully_qualified_names = False, only users from the client machine's
>> >native domain can log in with short names; users from other domains are
>> >"unknown".
>> >
>> >I can successfully make an ldapsearch to the Global Catalog in the top domain
>> >for login names = shortname for users from different domains:
>> >
>> >ldapsearch -H ldap://ldap.c.example.com:3268 -Y GSSAPI -N -b "dc=c,dc=example,dc=org" "(&(objectClass=user)(sAMAccountName=user))"
>> >user = user-a from a.c.example.org
>> >user = user-b from b.c.example.org
>> >
>> If there aren't the same user names (overlapping IDs) in different AD
>> domains, then it could be possible to configure separate domains in
>> sssd.conf.
>>
>> Each domain should have fqdn disabled:
>> use_fully_qualified_names = false
>>
>> If you plan to use id_provider = ad, then you should also disable the
>> subdomains provider to avoid conflicts with other sssd domains:
>> subdomains_provider = none
>>
>> I didn't test such a setup. It may not work, but it is worth a try.
>
>It seems to work! Thanks!
>I commented out default_domain_suffix.
>
>Yes, we have unique Posix uidNumbers in the whole AD forest.
Could you share a sanitized sssd.conf?
Just in case someone else would like to solve the same problem.
Sure. We are still testing - login and NFS automounts seem to work, with some replacements for
group memberships.
Works well for groups local to the server/client domain;
Resources, and also servers and client machines, are in the same domain
a.c.example.org.
Users are separated from resources - in different domains {b,d,e,f..}.c.example.org.
The user objects' attribute sAMAccountName and Posix attribute uidNumber are unique in
the forest;
==================
/etc/sssd/sssd.conf
==================
[nss]
debug_level = 9
filter_groups = root
filter_users = root,lightdm,ldap,named,avahi,haldaemon,dbus,radvd,tomcat,radiusd,news,mailman,nscd

[sssd]
debug_level = 6
domains = n.c.example.org,a.c.example.org,c.example.org
config_file_version = 2
services = nss,pam

[pam]
pam_verbosity = 3
debug_level = 9

[domain/n.c.example.org]
debug_level = 9
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = n.c.example.org
krb5_realm = N.C.EXAMPLE.ORG
default_shell = /bin/bash
override_home_directory = /home/%u
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none

[domain/a.c.example.org]
debug_level = 9
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = a.c.example.org
krb5_realm = A.C.EXAMPLE.ORG
default_shell = /bin/bash
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none

[domain/c.example.org]
debug_level = 9
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
ad_domain = c.example.org
krb5_realm = C.EXAMPLE.ORG
default_shell = /bin/bash
use_fully_qualified_names = False
ldap_id_mapping = False
subdomains_provider = none
Best,
Longina
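The setup above rests on two assumptions that are easy to get wrong as a forest grows: every sAMAccountName and uidNumber must stay unique across all domains listed in sssd.conf (otherwise a short name resolves ambiguously), and every [domain/...] section using id_provider = ad must keep subdomains_provider = none with fully qualified names disabled, while [sssd] must not carry default_domain_suffix. The script below is an added example, not code from the thread or from the SSSD project: it checks both conditions offline. The LDIF text is constructed sample data standing in for per-domain ldapsearch output (attributes sAMAccountName and uidNumber), and the sssd.conf fragment is likewise constructed; domain names reuse the thread's examples.

```python
"""Offline checks for a multi-domain, short-name SSSD configuration.

Added example (not from the mailing-list thread or SSSD itself).
"""
import configparser
from collections import defaultdict

# Constructed sample data: one ldapsearch result per AD domain, as LDIF.
SAMPLE_LDIF = {
    "a.c.example.org": """\
dn: CN=svc-backup,OU=Servers,DC=a,DC=c,DC=example,DC=org
sAMAccountName: svc-backup
uidNumber: 10010

""",
    "b.c.example.org": """\
dn: CN=user-b,OU=Users,DC=b,DC=c,DC=example,DC=org
sAMAccountName: user-b
uidNumber: 20001

dn: CN=jdoe,OU=Users,DC=b,DC=c,DC=example,DC=org
sAMAccountName: jdoe
uidNumber: 20002

""",
    "d.c.example.org": """\
dn: CN=jdoe,OU=Users,DC=d,DC=c,DC=example,DC=org
sAMAccountName: jdoe
uidNumber: 30001

dn: CN=user-d,OU=Users,DC=d,DC=c,DC=example,DC=org
sAMAccountName: user-d
uidNumber: 20002

""",
}

# Constructed sssd.conf fragment with two of the problems the thread hit.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = a.c.example.org, b.c.example.org
services = nss, pam
default_domain_suffix = a.c.example.org

[domain/a.c.example.org]
id_provider = ad
use_fully_qualified_names = False
subdomains_provider = none

[domain/b.c.example.org]
id_provider = ad
use_fully_qualified_names = False
"""


def parse_ldif(text):
    """Yield one {attribute: value} dict per blank-line-separated LDIF entry."""
    entry = {}
    for line in text.splitlines():
        if not line.strip():
            if entry:
                yield entry
                entry = {}
            continue
        key, _, value = line.partition(":")
        entry[key.strip()] = value.strip()
    if entry:
        yield entry


def find_collisions(ldif_by_domain):
    """Return {attribute: {value: [domains]}} for values present in more than one domain.

    sAMAccountName is case-insensitive in AD, so values are compared lowercased.
    """
    seen = {"sAMAccountName": defaultdict(set), "uidNumber": defaultdict(set)}
    for domain, text in ldif_by_domain.items():
        for entry in parse_ldif(text):
            for attr in seen:
                if attr in entry:
                    seen[attr][entry[attr].lower()].add(domain)
    return {
        attr: {value: sorted(doms) for value, doms in values.items() if len(doms) > 1}
        for attr, values in seen.items()
    }


def check_sssd_conf(text):
    """Return findings for settings that break short-name login across separate domains."""
    # interpolation=None: sssd.conf values such as /home/%u are not configparser templates.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    if cfg.has_option("sssd", "default_domain_suffix"):
        findings.append("[sssd]: default_domain_suffix is set; remove it for per-domain short names")
    domains = [d.strip() for d in cfg.get("sssd", "domains", fallback="").split(",") if d.strip()]
    for dom in domains:
        sec = f"domain/{dom}"
        if not cfg.has_section(sec):
            findings.append(f"[{sec}]: listed in [sssd] domains but has no section")
            continue
        if cfg.get(sec, "use_fully_qualified_names", fallback="false").lower() in ("true", "yes", "1"):
            findings.append(f"[{sec}]: use_fully_qualified_names must be False")
        if cfg.get(sec, "id_provider", fallback="") == "ad" and \
                cfg.get(sec, "subdomains_provider", fallback="") != "none":
            findings.append(f"[{sec}]: id_provider = ad without subdomains_provider = none")
    return findings


if __name__ == "__main__":
    for attr, dups in find_collisions(SAMPLE_LDIF).items():
        for value, doms in dups.items():
            print(f"{attr} '{value}' exists in: {', '.join(doms)}")
    for finding in check_sssd_conf(SAMPLE_SSSD_CONF):
        print(finding)
```

Run against real data by replacing SAMPLE_LDIF with the output of one ldapsearch per domain (requesting only sAMAccountName and uidNumber) and SAMPLE_SSSD_CONF with the live file; any collision reported by find_collisions means the short-name setup will resolve that name or ID to whichever domain answers first, and should be fixed in AD before use_fully_qualified_names is turned off.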