sssd-2.5.1-2.el8
With a files domain and an ldap domain, in simplified form below, all works well for me: passwd file entries are checked and win over ldap entries.
However, as soon as `default_domain_suffix = mydomain.ch` is added, the passwd entries never match, since it is presumably looking up `<username>@mydomain.ch`. While I can understand that this may make sense, is there a way forward to continue to look up in the shadowutils domain by username only?
I am unsure whether default_domain_suffix only appends the suffix or actually forces the lookup to only happen in the mydomain.ch ldap domain.
```
[sssd]
domains = shadowutils, mydomain.ch

[domain/shadowutils]
id_provider = files
full_name_format = %1$s
auth_provider = proxy
proxy_pam_target = sssd-shadowutils
proxy_fast_alias = True

[domain/mydomain.ch]
id_provider = ldap
full_name_format = %1$s
```
Many Thanks
Steve Traylen.
Hi Steve,
Referring to the sssd.conf man page:

default_domain_suffix (string)
    This string will be used as a default domain name for all names without a domain name component. The main use case is environments where the primary domain is intended for managing host policies and all users are located in a trusted domain. The option allows those users to log in just with their user name without giving a domain name as well.

    Please note that if this option is set all users from the primary domain have to use their fully qualified name, e.g. user@domain.name, to log in.

When you have default_domain_suffix set, all user queries based on username only will land there. Alternatively you will have to use a fully qualified user name (user@domain) to explicitly point to the domain you want to query. Please take a look at another sssd.conf option which may be useful for your scenario: domain_resolution_order.
Best regards, Pawel
On Mon, Jul 19, 2021 at 2:34 PM Steve Traylen < stevetraylen@fedoraproject.org> wrote:
> (original message quoted in full; see above)

sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
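The two behaviours Pawel describes, side by side in one sssd.conf. This is an added example, not configuration posted in this thread or shipped by SSSD: it keeps Steve's two domains and adds the `domain_resolution_order` alternative; the `ldap_uri` and `ldap_search_base` values are assumed placeholders, and the `default_domain_suffix` variant is shown commented out so the file stays loadable.

```ini
# sssd.conf (added example, not from the thread)
#
# Goal: a bare "steve" should be resolved against the local passwd file
# (the shadowutils files domain) first, and only then against LDAP.
#
# Variant A: domain_resolution_order.
# Short names are tried in the listed order, so files-domain users win.
# Nothing is appended to the name, so there is no implicit "@mydomain.ch".
[sssd]
domains = shadowutils, mydomain.ch
domain_resolution_order = shadowutils, mydomain.ch
# default_domain_suffix is deliberately NOT set in this variant.

[domain/shadowutils]
id_provider = files
auth_provider = proxy
proxy_pam_target = sssd-shadowutils
proxy_fast_alias = True
full_name_format = %1$s

[domain/mydomain.ch]
id_provider = ldap
ldap_uri = ldaps://ldap.mydomain.ch      ; assumed placeholder hostname
ldap_search_base = dc=mydomain,dc=ch     ; assumed placeholder base
full_name_format = %1$s

# Variant B: default_domain_suffix (what the question tried).
# The suffix is appended to every name without a domain part, so "steve"
# becomes "steve@mydomain.ch" and is looked up only in the LDAP domain.
# Users of the primary (first-listed) domain then have to be addressed
# fully qualified, i.e. "steve@shadowutils", for lookups and logins.
# Commented out because a second [sssd] section would be invalid.
#[sssd]
#domains = shadowutils, mydomain.ch
#default_domain_suffix = mydomain.ch
```

After changing the file, run `sssctl config-check`, then `sss_cache -E` and `systemctl restart sssd`, and compare `getent passwd steve` with `getent passwd steve@mydomain.ch` and `getent passwd steve@shadowutils`; `sssctl user-show steve` reports which domain actually answered. One caveat from the sssd.conf man page on `domain_resolution_order`: once it is set, the output of lookups is always fully qualified even for short-name input, except for users managed by the files provider, so check that LDAP users appear in the form your tooling expects.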
On Mon, Jul 19, 2021 at 2:34 PM Steve Traylen <stevetraylen@fedoraproject.org> wrote:
> sssd-2.5.1-2.el8
> With a files domain and an ldap domain in simplified form below then all works well for me and passwd files are checked and win before ldap entries.
> However as soon as `default_domain_suffix = mydomain.ch` is added then all the password entries never match since it is presumably looking up `<username>@mydomain.ch`.

If you don't have any specific reason to use SSSD's "files domain", you can just disable it and let libnss_files.so handle local users:
- sssd.conf: enable_files_domain=false
- /etc/nsswitch.conf: change order to "files sss ..." in passwd/groups