<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<tt>On 09/06/2016 07:02 AM, Jim Richard wrote:</tt><tt><br>
</tt>
<blockquote
cite="mid:580F08AF-318A-460A-8441-89BAD1F0196B@placeiq.com"
type="cite"><tt>So I have two-way trust setup and it seems to
work.</tt><tt><br class="">
</tt><tt><br class="">
</tt><tt>And as described here: </tt><tt><a moz-do-not-send="true"
href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html"
class="">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html</a></tt><tt><br
class="">
</tt><tt><br class="">
</tt><tt>SSSD allows user names in the
format <a class="moz-txt-link-abbreviated" href="mailto:user@AD.DOMAIN">user@AD.DOMAIN</a>, ad.domain\user and AD\user</tt><tt><br
class="">
</tt><tt><br class="">
</tt><tt>That works just as described.</tt><tt><br class="">
</tt><tt><br class="">
</tt><tt>I have two domains/realms
- idm.placeiq.net and idm-ad.placeiq.net, the second being the
Active Directory domain.</tt><tt><br class="">
</tt><tt><br class="">
</tt><tt>My desire is to have AD be the source for all
user/authentication - the AD users will use their creds to ssh
in to all of the Centos hosts in the idm.placeiq.net domain.</tt><tt><br
class="">
</tt><tt><br class="">
</tt><tt>The hosts that live in IDM are a combination of Centos
6.8 and 7.X hosts.</tt><tt><br class="">
</tt><tt><br class="">
</tt><tt>How can I make it so a user does not have to:</tt><tt><br
class="">
</tt><tt><br class="">
</tt><tt>ssh 'IDM-AD\Administrator'@hostname or ssh
<a class="moz-txt-link-abbreviated" href="mailto:Administrator@idm-ad.placeiq.net@hostname">Administrator@idm-ad.placeiq.net@hostname</a></tt><tt><br class="">
</tt><tt><br class="">
</tt><tt>Instead when I say Administrator@hostname it
auto-magically knows I mean "ssh
<a class="moz-txt-link-abbreviated" href="mailto:Administrator@idm-ad.placeiq.net@10.1.41.202">Administrator@idm-ad.placeiq.net@10.1.41.202</a></tt><tt><br
class="">
</tt><tt><br class="">
</tt><tt>I’ve tried modifying krb5.conf as such but it seems like
I’m missing a step.</tt><tt><br class="">
</tt><tt><br class="">
</tt>
<div class=""><tt>[libdefaults]
</tt></div>
<div class=""><tt> #default_realm = IDM.PLACEIQ.NET
</tt></div>
<div class=""><tt> default_realm = IDM-AD.PLACEIQ.NET</tt></div>
<div class=""><tt><br class="">
</tt></div>
<div class=""><tt><br class="">
</tt></div>
<tt>I think my clients use the localauth plugin but I’m not
entirely sure. If so, how can I configure its behavior?</tt><tt><br
class="">
</tt>
<div class=""><tt><img moz-do-not-send="true"
src="https://ci3.googleusercontent.com/proxy/tFn1I-GEOnccUtv8DHHEc49-6g3x3CbuQKzbfl2Z1BObEy0Qz6QebJimpP96TK3Za5MXwXTuwBZaobKp22nYAG3NdxAC0Q=s0-d-e1-ft#https://marketing.placeiq.net/images/placeiq.png"
alt="" style="width: 80px;" class=""></tt><tt><span class="Apple-tab-span" style="white-space:pre"> </span></tt><tt>Jim
Richard</tt><tt><span class="Apple-tab-span" style="white-space:pre"> </span></tt><tt><img
moz-do-not-send="true"
src="https://ci4.googleusercontent.com/proxy/490PXYv9O6OiIp_DL4vuabJqVn53fMon5xNYZdftCVea9ySR2LcFDHe6Cdntb2G68uDAuA6FgLny8wKWLFWpsrPAt_FtLaE=s0-d-e1-ft#https://marketing.placeiq.net/images/twitter1.png"
alt="" style="width: 35px;" class=""></tt><tt><span class="Apple-tab-span" style="white-space:pre"> </span></tt><tt><img
moz-do-not-send="true"
src="https://ci3.googleusercontent.com/proxy/fztHf1lRKLQYcAxebqfp2PYXCwVap3GobHVIbyp0j3NcuJOY16bUAZBibVOFf-fd1GsiuhrOfYy6dSwhlCwWU8ZUlw9OX5I=s0-d-e1-ft#https://marketing.placeiq.net/images/facebook.png"
alt="" style="width: 35px;" class=""></tt><tt><span class="Apple-tab-span" style="white-space:pre"> </span></tt><tt><img
moz-do-not-send="true"
src="https://ci5.googleusercontent.com/proxy/H26ThD7R6DOqxoLTgzi6k5SMrHoF2Tj44xI_7XlD9KfOIiGwe1WIMc5iQBxUBA9EuIyJMdaRXrhZTOrnkrn8O9Rf1FP9UQU=s0-d-e1-ft#https://marketing.placeiq.net/images/linkedin.png"
alt="" style="width: 35px;" class=""></tt><tt><br class="">
</tt><tt>SYSTEM ADMINISTRATOR III</tt><tt><br class="">
</tt><tt>(646) 338-8905 </tt><tt><br class="">
</tt><tt><br class="">
</tt><tt><img moz-do-not-send="true"
src="https://ci4.googleusercontent.com/proxy/Xqk1hkB7_SIclVudOCHTV4jF9HPS8rkm5ra85H3FdxdydnNjbFxrkPYiZpJiyPlJR_2zweGqjJ4dD1Ei6RoSWk09h_iYqQQ2w6KGm9Rp9RvSwhQH2RGkEAq_3Q=s0-d-e1-ft#https://marketing.placeiq.net/images/LocationDataAccuracy-V1.1-01.png"
alt="PlaceIQ:Location Data Accuracy" style="float: left;"
class=""></tt><tt><br class="">
</tt><tt><br class="">
</tt><tt><br class="">
</tt></div>
<tt><br class="">
</tt>
<tt><br>
</tt>
<fieldset class="mimeAttachmentHeader"></fieldset>
<tt><br>
</tt>
</blockquote>
<tt>I don't think what you're asking for is possible to do as a
FreeIPA configuration. The documentation describes how to log in
without prompting for passwords, but I think it is still necessary
to provide the username with the AD realm when logging in.<br>
<br>
If you're always logging in as the same user to certain machines,
you could configure a default user in the ssh_config.<br>
<br>
Perhaps someone else will have a better answer.<br>
</tt>
<pre class="moz-signature" cols="72">--
Tomas Krizek</pre>
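<tt>As an added example (not part of Tomas's reply or the FreeIPA documentation), a client-side ~/.ssh/config stanza that applies the "default user" suggestion: it assumes all target hosts are reachable as *.idm.placeiq.net, and it takes the AD-qualified user name and realm from the thread above.</tt>

```sshconfig
# Added example, not from the original thread: a ~/.ssh/config stanza
# that pins the fully qualified AD account for every host in the IdM
# domain, so the user no longer types it on each command line.
# Assumption: target hosts are reachable under *.idm.placeiq.net;
# replace Administrator with the account that is actually used.
Host *.idm.placeiq.net
    # Send the AD-qualified name so SSSD on the host maps it to the
    # trusted domain (the form the thread shows working by hand).
    User Administrator@idm-ad.placeiq.net
    # Authenticate with the Kerberos ticket from the AD realm instead
    # of prompting for a password.
    GSSAPIAuthentication yes
    # Do not forward the TGT to the target host; "no" is the OpenSSH
    # default and is stated explicitly here so it is not lost.
    GSSAPIDelegateCredentials no
```

<tt>With this stanza, <code>ssh hostname.idm.placeiq.net</code> behaves like the <code>ssh Administrator@idm-ad.placeiq.net@hostname</code> form from the thread, and a different default user can be set per Host stanza; it is a client-side convenience only and does not change how the host resolves short names.</tt>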
</body>
</html>