[Freeipa-users] IPA AD Trust issue

Jakub Hrozek jhrozek at redhat.com
Wed Sep 11 07:42:26 UTC 2013


> >1)  IPA Client Login issue.
> >On an IPA client, if a Windows AD user wants to log in, they need to type
> >the full name, such as 'userA at win_ad.com'. How do I let Windows AD users
> >log on with only their username? That is, use only 'userA' to log on to the
> >IPA client PC rather than 'userA at win_ad.com'?
> Not supported. There could be some obscure SSSD setting to allow one
> SSSD domain (as in /etc/sss/sssd.conf) to be the default, but since trusted
> AD domains are represented as subdomains of a single IPA provider, the full
> UPN is used to distinguish and discover which subdomain they belong to for
> performance reasons.

Actually you can use "default_domain_suffix" in the [sssd] section. But
then you need to fully-qualify the users from the IPA domain.

 default_domain_suffix (string)
  This string will be used as a default domain name for all names without a
  domain name component. The main use case is environments where the primary
  domain is intended for managing host policies and all users are located in a
  trusted domain. The option allows those users to log in just with their user
  name without giving a domain name as well.

  Please note that if this option is set all users from the primary domain have
  to use their fully qualified name, e.g. user at domain.name, to log in.

  Default: not set
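
A sketch of how the option described above could look in an IPA client's sssd.conf. This is an added example, not part of the original message; the IPA domain name ipa.example.com is an assumed placeholder, and win_ad.com is the trusted AD domain from the question.

```ini
# /etc/sssd/sssd.conf on the IPA client (constructed example)
[sssd]
services = nss, pam
# Assumed IPA domain name; replace with the real primary domain.
domains = ipa.example.com
# Names typed without a domain component are treated as belonging to
# the trusted AD domain, so "userA" is looked up as userA@win_ad.com.
default_domain_suffix = win_ad.com

[domain/ipa.example.com]
id_provider = ipa
# With default_domain_suffix set, users from this primary domain must
# log in fully qualified, e.g. admin@ipa.example.com; a bare "admin"
# would be searched for in win_ad.com instead.
```

SSSD has to be restarted for the change to take effect. Any access rules, sudo rules or scripts that refer to IPA users by short name should be reviewed, since short names now resolve against the AD domain.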



