Yes, correct.  I converted "[domain/XXX]" lines and ad_domain lines to upper case.  Example:

   [domain/EMEA.COMPANY.COM]
   ...
   ad_domain = EMEA.COMPANY.COM
   krb5_realm = EMEA.COMPANY.COM

That allows me to do a 'realm permit' specifying upper case for my domain.  For example


Spike

On Mon, May 6, 2019 at 5:01 AM Sumit Bose <sbose@redhat.com> wrote:
Hi,

thank you for reporting this behavior. realm is indeed a bit too picky
about the case here. At least for AD the case should be ignored.

On Sun, Apr 14, 2019 at 09:44:56AM -0500, Spike White wrote:
> BTW, yes -- that works. If I transform in sssd.conf every "[domain/xxx]"
> line:
>
>     [domain/{amer,emea,apac,japn}.company.com]

Am I correct that you not only changed the "[domain/xxx]" lines but the
"ad_domain" lines as well?

bye,
Sumit

>
> to upper case and restart sssd,  I can then "realm permit" in upper case.
>
>     realm permit -R AMER.COMPANY.COM spike_white@COMPANY.COM
>
> Curiously, in sssd.conf, it records the user in lower case:
>
>     simple_allow_users = processehcprofiler@amer.company.com, spike_white@amer.company.com
>
> No problem with that for me;  I'm really hitting against AD -- which is
> case-insensitive.
>
> BTW, I checked -- I did my original realm join against AMER.COMPANY.COM
> (all upper-case).
>
> Spike
>
>
> On Sat, Apr 13, 2019 at 3:59 PM Spike White <spikewhitetx@gmail.com> wrote:
>
> > All,
> >
> > I have sssd set up and doing cross-domain AD authentication.  I'm using
> > the simple access provider and conferring login access per group.
> > Occasionally per user.
> >
> > I notice that if I do a basic 'realm permit <user>', that it adds this
> > user to the wrong AD domain:
> >
> > Example:
> >
> > realm permit processehcprofiler
> >
> > adds it to my JAPN.COMPANY.COM AD domain, not my local AD domain (AMER).
> >
> > If I attempt to do
> >
> > realm permit -R AMER.COMPANY.COM processehcprofiler@AMER.COMPANY.COM
> >
> > I get this error:
> >
> > realm: Couldn't find a matching realm
> >
> > Through various experimentation, I find that if I do this:
> >
> > realm permit -R amer.company.com processehcprofiler@amer.company.com
> >
> > that it works.  As confirmed by 'sssctl user-checks processehcprofiler'
> >
> > I notice my "domain" entries in /etc/sssd/sssd.conf file are all lower
> > case:
> >
> > domains = amer.company.com,apac.company.com,emea.company.com,japn.company.com
> > ...
> > [domain/amer.company.com]
> > ad_domain = amer.company.com
> > ...
> > [domain/apac.company.com]
> > ad_domain = apac.company.com
> > ...
> > [domain/emea.company.com]
> > ad_domain = emea.company.com
> > ...
> > [domain/japn.company.com]
> > ad_domain = japn.company.com
> > ...
> >
> > I'm used to Kerberos where domain names are uc and account names are lc.
> > So to do:
> >
> > realm permit -R AMER.COMPANY.COM processehcprofiler@AMER.COMPANY.COM
> >
> > I have to re-write all the domain names in my sssd.conf file to uc?
> >
> > Spike
> >

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
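An added example, not part of the original thread and not realmd or sssd code: a small Python audit of sssd.conf for the two symptoms discussed above, a `-R` realm name that differs from the `[domain/...]` section only by case, and a permitted user recorded under an unexpected domain. It assumes, as the thread reports, that the name given to `realm permit -R` has to match the section name exactly; the sample config and all function names are constructed for illustration.

```python
import configparser

# Constructed sample modelled on the sssd.conf excerpts quoted in this thread.
SAMPLE_CONF = """\
[domain/amer.company.com]
ad_domain = amer.company.com
krb5_realm = AMER.COMPANY.COM

[domain/japn.company.com]
ad_domain = japn.company.com
krb5_realm = JAPN.COMPANY.COM
simple_allow_users = processehcprofiler
"""

def load_domains(text):
    """Return {domain name as written in the section header: options}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # keep option names exactly as written
    cp.read_string(text)
    return {s[len("domain/"):]: dict(cp[s]) for s in cp.sections() if s.startswith("domain/")}

def match_realm(domains, wanted):
    """Split sections into exact matches and case-only near misses (assumed exact compare)."""
    exact = [d for d in domains if d == wanted]
    near = [d for d in domains if d != wanted and d.lower() == wanted.lower()]
    return exact, near

def case_mismatches(domains):
    """Sections whose name, ad_domain and krb5_realm differ from each other only by case."""
    out = []
    for name, opts in domains.items():
        values = {name, opts.get("ad_domain", name), opts.get("krb5_realm", name)}
        if len(values) > 1 and len({v.lower() for v in values}) == 1:
            out.append(name)
    return out

def where_permitted(domains, user):
    """Domains whose simple_allow_users lists the user (short or user@domain form)."""
    hits = []
    for name, opts in domains.items():
        allowed = [u.strip().lower() for u in opts.get("simple_allow_users", "").split(",") if u.strip()]
        if any(u.split("@")[0] == user.lower() for u in allowed):
            hits.append(name)
    return hits

if __name__ == "__main__":
    doms = load_domains(SAMPLE_CONF)
    print(match_realm(doms, "AMER.COMPANY.COM"), case_mismatches(doms))
    print(where_permitted(doms, "processehcprofiler"))
```

To audit a real host, pass the contents of /etc/sssd/sssd.conf (readable by root only) to `load_domains` in place of the sample.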