Hi,
thank you for reporting this behavior. realm is indeed a bit too picky
about the case here. At least for AD the case should be ignored.
On Sun, Apr 14, 2019 at 09:44:56AM -0500, Spike White wrote:
BTW, yes -- that works. If I transform in sssd.conf every "[domain/xxx]" line:
[domain/{amer,emea,apac,japn}.company.com]
Am I correct that you not only changed the "[domain/xxx]" lines but the
"ad_domain" lines as well?
bye,
Sumit
to upper case and restart sssd, I can then "realm permit" in upper case.
realm permit -R AMER.COMPANY.COM spike_white@COMPANY.COM
Curiously, in sssd.conf, it records the user in lower case:
simple_allow_users = processehcprofiler@amer.company.com, spike_white@amer.company.com
No problem with that for me; I'm really hitting against AD -- which is
case-insensitive.
BTW, I checked -- I did my original realm join against AMER.COMPANY.COM
(all upper-case).
Spike
On Sat, Apr 13, 2019 at 3:59 PM Spike White <spikewhitetx(a)gmail.com> wrote:
> All,
>
> I have sssd set up and doing cross-domain AD authentication. I'm using
> the simple access provider and conferring login access per group.
> Occasionally per user.
>
> I notice that if I do a basic 'realm permit <user>', that it adds this
> user to the wrong AD domain:
>
> Example:
>
> realm permit processehcprofiler
>
> adds it to my JAPN.COMPANY.COM AD domain, not my local AD domain (AMER).
>
> If I attempt to do
>
> realm permit -R AMER.COMPANY.COM processehcprofiler@AMER.COMPANY.COM
>
> I get this error:
>
> realm: Couldn't find a matching realm
>
> Through various experimentation, I find that if I do this:
>
> realm permit -R amer.company.com processehcprofiler@amer.company.com
>
> that it works. As confirmed by 'sssctl user-checks processehcprofiler'
>
> I notice my "domain" entries in /etc/sssd/sssd.conf file are all lower
> case:
>
> domains = amer.company.com,apac.company.com,emea.company.com,japn.company.com
> ...
> [domain/amer.company.com]
> ad_domain = amer.company.com
> ...
> [domain/apac.company.com]
> ad_domain = apac.company.com
> ...
> [domain/emea.company.com]
> ad_domain = emea.company.com
> ...
> [domain/japn.company.com]
> ad_domain = japn.company.com
> ...
>
> I'm used to Kerberos where domain names are uc and account names are lc.
> So to do:
>
> realm permit -R AMER.COMPANY.COM processehcprofiler@AMER.COMPANY.COM
>
> I have to re-write all the domain names in my sssd.conf file to uc?
>
> Spike
>
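
An added example, not part of the thread and not realmd or sssd code: a Python check over sssd.conf that finds the domain section matching a realm name regardless of case (returning the exact spelling, which is the form the thread found `realm permit -R` accepts) and reports any other domain whose simple_allow_users already lists a given user. The sample configuration and all function names are constructed for illustration.

```python
import configparser

# Constructed sample modelled on the sssd.conf layout quoted in the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = amer.company.com,japn.company.com

[domain/amer.company.com]
ad_domain = amer.company.com
simple_allow_users = spike_white@amer.company.com

[domain/japn.company.com]
ad_domain = japn.company.com
simple_allow_users = processehcprofiler@japn.company.com
"""

def load_domains(text):
    """Return {domain name as written in sssd.conf: [simple_allow_users]}."""
    cp = configparser.RawConfigParser(strict=False)
    cp.read_string(text)
    domains = {}
    for section in cp.sections():
        if section.startswith("domain/"):
            raw = cp.get(section, "simple_allow_users", fallback="")
            users = [u.strip() for u in raw.split(",") if u.strip()]
            domains[section[len("domain/"):]] = users
    return domains

def realm_argument(domains, wanted):
    """Find the configured domain equal to `wanted` ignoring case and
    return it in the exact case used in sssd.conf, or None."""
    matches = [d for d in domains if d.lower() == wanted.lower()]
    return matches[0] if len(matches) == 1 else None

def misplaced_users(domains, user, intended):
    """List domains other than `intended` whose simple_allow_users
    contains `user` (short name or user@domain, compared ignoring case)."""
    hits = []
    for name, users in domains.items():
        if name.lower() == intended.lower():
            continue
        if any(u.split("@")[0].lower() == user.lower() for u in users):
            hits.append(name)
    return hits

if __name__ == "__main__":
    doms = load_domains(SAMPLE_SSSD_CONF)
    print("pass to realm permit -R:", realm_argument(doms, "AMER.COMPANY.COM"))
    print("also allowed in:", misplaced_users(doms, "processehcprofiler", "amer.company.com"))
```

On a real host, read /etc/sssd/sssd.conf as root and pass its text to load_domains() in place of the constructed sample.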