<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <tt>On 09/06/2016 07:02 AM, Jim Richard wrote:</tt><tt><br>
    </tt>
    <blockquote
      cite="mid:580F08AF-318A-460A-8441-89BAD1F0196B@placeiq.com"
      type="cite"><tt>So I have two-way trust setup and it seems to
        work.</tt><tt><br class="">
      </tt><tt><br class="">
      </tt><tt>And as described here: </tt><tt><a moz-do-not-send="true"
href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html"
          class="">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html</a></tt><tt><br
          class="">
      </tt><tt><br class="">
      </tt><tt>SSSD allows user names in the
        format <a class="moz-txt-link-abbreviated" href="mailto:user@AD.DOMAIN">user@AD.DOMAIN</a>, ad.domain\user and AD\user</tt><tt><br
          class="">
      </tt><tt><br class="">
      </tt><tt>That works just as described.</tt><tt><br class="">
      </tt><tt><br class="">
      </tt><tt>I have two domains/realms
        - idm.placeiq.net and idm-ad.placeiq.net, the second being the
        Active Directory domain.</tt><tt><br class="">
      </tt><tt><br class="">
      </tt><tt>My desire is to have AD be the source for all
        user/authentication - the AD users will use their creds to ssh
        in to all of the CentOS hosts in the idm.placeiq.net domain.</tt><tt><br
          class="">
      </tt><tt><br class="">
      </tt><tt>The hosts that live in IDM are a combination of CentOS
        6.8 and 7.X hosts.</tt><tt><br class="">
      </tt><tt><br class="">
      </tt><tt>How can I make it so a user does not have to:</tt><tt><br
          class="">
      </tt><tt><br class="">
      </tt><tt>ssh 'IDM-AD\Administrator'@hostname or ssh
        Administrator@idm-ad.placeiq.net@hostname</tt><tt><br class="">
      </tt><tt><br class="">
      </tt><tt>Instead when I say Administrator@hostname it
        auto-magically knows I mean "ssh
        Administrator@idm-ad.placeiq.net@10.1.41.202"</tt><tt><br
          class="">
      </tt><tt><br class="">
      </tt><tt>I’ve tried modifying krb5.conf as such but it seems like
        I’m missing a step.</tt><tt><br class="">
      </tt><tt><br class="">
      </tt>
      <div class=""><tt>[libdefaults]</tt></div>
      <div class=""><tt>  #default_realm = IDM.PLACEIQ.NET</tt></div>
      <div class=""><tt>  default_realm = IDM-AD.PLACEIQ.NET</tt></div>
      <div class=""><tt><br class="">
        </tt></div>
      <tt>I think my clients use the localauth plugin but I’m not
        entirely sure. If so, how can I configure its behavior?</tt><tt><br
          class="">
      </tt><tt><br class="">
      </tt>
      <div class=""><tt>Jim Richard</tt><tt><br class="">
        </tt><tt>SYSTEM ADMINISTRATOR III</tt><tt><br class="">
        </tt><tt>(646) 338-8905</tt><tt><br class="">
        </tt></div>
    </blockquote>
    <tt>I don't think what you're asking for is possible to do as a
      FreeIPA configuration. The documentation describes how to log in
      without prompting for passwords, but I think it is still necessary
      to provide the username with the AD realm when logging in.<br>
      <br>
      If you're always logging in as the same user to certain machines,
      you could configure a default user in the ssh_config.<br>
      <br>
      Perhaps someone else will have a better answer.<br>
    </tt>
    <pre class="moz-signature" cols="72">-- 
Tomas Krizek</pre>
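    <p><tt>One way to set the default user the reply suggests, as an added example that is not part of the thread: a client-side ~/.ssh/config that canonicalizes short host names to the idm.placeiq.net domain and supplies the AD-qualified login for those hosts. The host name web1 and the choice of the Administrator account are assumptions for illustration; the domain and realm names are the ones from the question.</tt></p>

```ssh_config
# Added example (not from the thread): ~/.ssh/config on the client so
# that "ssh web1" is sent to web1.idm.placeiq.net with the AD-qualified
# login name, instead of typing
# "ssh Administrator@idm-ad.placeiq.net@web1.idm.placeiq.net".
# Domain and realm names come from the question; "web1" and the use of
# the Administrator account are assumptions for illustration.

# Expand dot-less names with the IdM DNS domain; OpenSSH then re-reads
# this file with the canonical name, so the Host block below matches
# "ssh web1" as well as "ssh web1.idm.placeiq.net".
CanonicalizeHostname yes
CanonicalDomains idm.placeiq.net
CanonicalizeMaxDots 0

# Every host in the IdM domain: log in as the AD account by default.
# A user@host given on the command line still overrides this.
Host *.idm.placeiq.net
    User Administrator@idm-ad.placeiq.net
    # Authenticate with the Kerberos ticket obtained from the AD realm
    # (kinit) rather than a password; keep the TGT on the client.
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials no
```

<p><tt>With this in place, ssh web1 still presents the fully qualified name Administrator@idm-ad.placeiq.net to the server, so it saves the typing without changing what SSSD has to resolve on the host.</tt></p>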
  </body>
</html>