This time with attachments ;-)
Hi,
Sorry for the delay...
Attached are sssd_nss.log and sssd_a.c.realm.log.
Login with UPN (mail name) does not work here:
root@adm-lnx438:/tmp# getent passwd user1@realm
user1@n.c.realm@a.c.realm:*:10002:30000000:XXXXX XXXXX:/home/user1:/bin/bash
My sssd.conf:
[nss]
debug_level = 9
filter_groups = root
filter_users = root
[sssd]
debug_level = 9
domains = a.c.realm
config_file_version = 2
services = nss,pam,ssh
[pam]
pam_verbosity = 3
debug_level = 9
[domain/a.c.realm]
debug_level = 9
ad_domain = a.c.realm
ad_site = SITE
ad_hostname = adm-lnx438.a.c.realm
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
dyndns_update = true
dyndns_update_ptr = false
krb5_realm = A.C.REALM
krb5_use_fast = try
krb5_lifetime = 10h
krb5_renewable_lifetime = 7d
krb5_renew_interval = 1h
krb5_confd_path = /var/lib/sss/pubconf/krb5.include.d
###
use_fully_qualified_names = true
ldap_id_mapping = false
ldap_use_tokengroup = false
ad_gpo_access_control = disabled
best,
Longina
-----Original message-----
From: Longina Przybyszewska [mailto:longina@sdu.dk]
Sent: 11 January 2016 16:25
To: End-user discussions about the System Security Services Daemon
Subject: [SSSD-users] Re: localauth plugin and some other questions
> -----Original message-----
> From: Sumit Bose [mailto:sbose@redhat.com]
> Sent: 8 January 2016 11:23
> To: End-user discussions about the System Security Services Daemon
> Subject: [SSSD-users] Re: localauth plugin and some other questions
>
> On Wed, Jan 06, 2016 at 01:11:50PM +0000, Longina Przybyszewska wrote:
> >
> > Thank you for the answers.
> > There are still some issues:
> >
> >
> > > > 2.
> > > > I tried logging in with the setup for UPN/sAMAccountName login, without
> > > > success.
> > > > Is login with a cross-realm UPN or a short sAMAccountName supported
> > > > in this sssd version?
> > > >
> > > > In the database for the default domain, cache_a.c.realm.db, the user
> > > > object has the following names (for the 'use_fully_qualified_names = true'
> > > > setup):
> > > >
> > > > dn: name=user1@n.c.realm ...
> > > > name: user1@n.c.realm
> > > > nameAlias: user1@n.c.realm
> > > > UserPrincipalName: user1@REALM
> > > > canonicalUserPrincipalName: user1@N.C.REALM
> > >
> > > The plain sAMAccountName 'user1' will not work because
> > > use_fully_qualified_names = true. What should work is 'DOM\user1'
> > > where DOM is the NetBIOS domain name of the n.c.realm domain.
> > > Additionally I would expect that user1@REALM should work.
> > >
> >
> > Right. user1@n.c.realm and DOM\user1 login works.
> >
> > Login as user1@REALM (and user1@realm) does not work.
>
> hm, that's odd, can you send me the logs when trying to login with
> user1@REALM?
>
> >
> > getent passwd user1@realm
> > user1@n.c.realm@a.c.realm:*:10002:30000000::/home/user1:/bin/bash
>
> 'user1@n.c.realm@a.c.realm' looks odd, do you map the user name to an
> attribute other than sAMAccountName?
>
I use "id_provider = ad" and do not specifically map the user name to any
attribute.
Attributes in AD:
uid = user1
userPrincipalName = user1@realm
sAMAccountName = user1
SSSD defaults:
ldap_user_name = uid
ldap_user_principal = krbPrincipalName
krb5_use_enterprise_principal = true
There is no krbPrincipalName attribute in the user object in AD.
sssd.conf:
[nss]
debug_level = 9
filter_groups = root
filter_users = root
[sssd]
debug_level = 9
domains = a.c.realm
config_file_version = 2
services = nss, pam,ssh
[pam]
pam_verbosity = 3
debug_level = 9
[domain/a.c.realm]
debug_level = 9
ldap_use_tokengroup = false
dyndns_update = true
dyndns_update_ptr = true
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
krb5_realm = A.C.REALM
krb5_use_fast = try
krb5_confd_path = /var/lib/sss/pubconf/krb5.include.d
ad_domain = a.c.realm
ad_site = SITE
ad_hostname = adm-lnx438.a.c.realm
use_fully_qualified_names = true
ldap_id_mapping = false
> >
> > The best would be to be able to log in with sAMAccountName; the next best
> > with UPN, then with FQDN.
> >
> > I tried without success the following setup for login with short names:
> > [nss]
> > subdomain_inherit = ldap_user_principal
> >
> > [domain/a.c.realm]
> > ..
> > ldap_user_principal = sAMAccountName
>
> this won't work because ldap_user_principal value is used as a
> Kerberos principal without further processing.
>
> You might want to try the 'default_domain_suffix' option, see man
> sssd.conf for details.
>
The manual says that 'default_domain_suffix' is usable if all users are located in a
trusted domain while the computers are in the primary domain.
With this option, users can log in with short names.
Our users are in several trusted domains; what should the value of
'default_domain_suffix' be?
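Added example (not from the thread and not SSSD's own code): a small Python emulation of the name parsing behind the three login forms discussed above (DOM\user1, user1@n.c.realm, bare user1) and of the name NSS reports back. It uses the default re_expression and full_name_format that sssd.conf(5) documents for the AD provider; the domain list, the flat names (DOM from the thread, ACR assumed), the case-insensitive domain matching and the sample logins are constructed for this thread. Python's re module rejects the duplicate group names in SSSD's single PCRE pattern, so the three alternatives are tried in order as separate patterns, which gives the same split.

```python
"""Emulate how SSSD splits a login name into (name, domain) and how it renders
the name that NSS reports back, using the defaults documented in sssd.conf(5)
for the AD provider.  Added example, not SSSD code; the domains, flat names
and sample logins below are constructed from the mailing-list thread."""
import re

# sssd.conf(5): default re_expression for the IPA and AD providers is
#   (((?P<domain>[^\\]+)\\(?P<name>.+$))|((?P<name>[^@]+)@(?P<domain>.+$))|(^(?P<name>[^@\\]+)$))
# SSSD compiles that as one PCRE pattern with duplicate group names, which
# Python's re module rejects, so the three alternatives are kept as separate
# patterns and tried in the same left-to-right order.
RE_EXPRESSION = [
    re.compile(r"(?P<domain>[^\\]+)\\(?P<name>.+$)"),   # DOM\user1
    re.compile(r"(?P<name>[^@]+)@(?P<domain>.+$)"),      # user1@n.c.realm
    re.compile(r"^(?P<name>[^@\\]+)$"),                   # user1
]

# sssd.conf(5): default full_name_format is the printf-style "%1$s@%2$s"
FULL_NAME_FORMAT = "{name}@{domain}"

# Constructed forest for this thread: DNS name -> NetBIOS (flat) name.
# "DOM" is the flat name the thread uses for n.c.realm; "ACR" is assumed.
DOMAINS = {
    "a.c.realm": "ACR",   # the domain adm-lnx438 is joined to
    "n.c.realm": "DOM",   # trusted domain that holds user1
}


def parse_name(login, default_domain_suffix=None):
    """Split a login string the way the name parser does.  A name with no
    domain component gets default_domain_suffix (sssd.conf(5): "used as a
    default domain name for all names without a domain name component"),
    or None when that option is unset."""
    for pattern in RE_EXPRESSION:
        m = pattern.match(login)
        if m:
            parts = m.groupdict()
            return parts["name"], parts.get("domain") or default_domain_suffix
    raise ValueError(f"{login!r} does not match re_expression")


def find_domain(domain):
    """Map a parsed domain component to its configured DNS name, accepting
    either the DNS or the flat name.  Comparison is case-insensitive here
    (an assumption of this emulation, matching how AD names are used)."""
    for dns, flat in DOMAINS.items():
        if domain.lower() in (dns.lower(), flat.lower()):
            return dns
    return None


def full_name(name, domain):
    """Render the name NSS reports, as full_name_format does."""
    return FULL_NAME_FORMAT.format(name=name, domain=domain)


def resolve(login, default_domain_suffix=None, use_fully_qualified_names=True):
    """Describe how a login string is routed: 'ok' with the matched domain and
    the NSS name; 'rejected' for a bare name when the domain requires fully
    qualified names (sssd.conf(5): 'getent passwd test' then finds nothing
    while 'getent passwd test@LOCAL' does); or 'unknown-domain' when the
    suffix matches neither the DNS nor the flat name of a configured domain."""
    name, domain = parse_name(login, default_domain_suffix)
    if domain is None:
        status = "rejected" if use_fully_qualified_names else "ok"
        return {"name": name, "domain": None, "status": status}
    dns = find_domain(domain)
    if dns is None:
        return {"name": name, "domain": domain, "status": "unknown-domain"}
    return {"name": name, "domain": dns, "status": "ok",
            "nss_name": full_name(name, dns)}


if __name__ == "__main__":
    for login in ["user1", "DOM\\user1", "user1@n.c.realm", "user1@REALM",
                  "user1@n.c.realm@a.c.realm"]:
        print(f"{login:28} -> {resolve(login)}")
    print("with default_domain_suffix = n.c.realm:")
    print(f"{'user1':28} -> {resolve('user1', default_domain_suffix='n.c.realm')}")
    # What the default full_name_format yields when the cached 'name' itself
    # already contains an '@' (compare the thread's getent output):
    print(full_name("user1@n.c.realm", "a.c.realm"))
```

Running it shows that 'user1@REALM' and the getent output 'user1@n.c.realm@a.c.realm' both split into the name 'user1' plus a suffix that is neither a DNS nor a flat name of a configured domain, that 'DOM\user1' and 'user1' with default_domain_suffix = n.c.realm both land in n.c.realm, and that the default format produces exactly that getent string once the cached name already carries an '@'.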