All,
I have sssd set up and doing cross-domain AD authentication. I'm using the
simple access provider and conferring login access per group. Occasionally
per user.
I notice that if I do a basic 'realm permit <user>', that it adds this user
to the wrong AD domain:
Example:
realm permit processehcprofiler
adds it to my JAPN.COMPANY.COM AD domain, not my local AD domain (AMER).
If I attempt to do
realm permit -R AMER.COMPANY.COM processehcprofiler@AMER.COMPANY.COM
I get this error:
realm: Couldn't find a matching realm
Through various experimentation, I find that if I do this:
realm permit -R amer.company.com processehcprofiler@amer.company.com
that it works. As confirmed by 'sssctl user-checks processehcprofiler'
I notice my "domain" entries in /etc/sssd/sssd.conf file are all lower case:
domains = amer.company.com,apac.company.com,emea.company.com,japn.company.com
...
[domain/amer.company.com]
ad_domain = amer.company.com
...
[domain/apac.company.com]
ad_domain = apac.company.com
...
[domain/emea.company.com]
ad_domain = emea.company.com
...
[domain/japn.company.com]
ad_domain = japn.company.com
...
I'm used to Kerberos where domain names are uc and account names are lc.
So to do:
realm permit -R AMER.COMPANY.COM processehcprofiler@AMER.COMPANY.COM
I have to re-write all the domain names in my sssd.conf file to uc?
Spike
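
An added example, not part of the original post: a small audit helper that reads an sssd.conf and reports which [domain/...] section actually lists a user, plus a case-insensitive lookup from a realm name as typed to the section name as configured. It assumes permitted users are recorded under simple_allow_users in the domain section; the sample file and all function names are constructed for illustration.

```python
import configparser

# Constructed sample modelled on the sssd.conf layout quoted in the post;
# the access_provider and simple_allow_users lines are assumptions.
SAMPLE_CONF = """
[sssd]
domains = amer.company.com,japn.company.com

[domain/amer.company.com]
ad_domain = amer.company.com
access_provider = simple

[domain/japn.company.com]
ad_domain = japn.company.com
access_provider = simple
simple_allow_users = processehcprofiler
"""

def load_domains(conf_text):
    """Return {domain name as configured: [permitted users]} per [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    result = {}
    for section in cp.sections():
        if section.startswith("domain/"):
            raw = cp.get(section, "simple_allow_users", fallback="")
            users = [u.strip() for u in raw.split(",") if u.strip()]
            result[section[len("domain/"):]] = users
    return result

def domains_permitting(conf_text, user):
    """Domains whose allow list names `user`; any @domain suffix is ignored."""
    short = user.split("@", 1)[0].lower()
    return [dom for dom, users in load_domains(conf_text).items()
            if any(u.split("@", 1)[0].lower() == short for u in users)]

def resolve_realm(conf_text, name):
    """Map a realm name typed in any case to the configured section name, or None."""
    for dom in load_domains(conf_text):
        if dom.lower() == name.lower():
            return dom
    return None

if __name__ == "__main__":
    # Shows the user landed in the japn section, not amer.
    print(domains_permitting(SAMPLE_CONF, "processehcprofiler"))
    # Shows the spelling a -R argument would need to match the config.
    print(resolve_realm(SAMPLE_CONF, "AMER.COMPANY.COM"))
```

Running this against the real /etc/sssd/sssd.conf after each permit change gives a quick check that access was granted in the intended domain and nowhere else.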