[Freeipa-users] ad trust and default_domain_suffix

Nicolas Zin nicolas.zin at savoirfairelinux.com
Thu Dec 4 21:53:00 UTC 2014


I am answering myself (but my problem is not resolved).

> ----- Original message -----
> From: "Nicolas Zin" <nicolas.zin at savoirfairelinux.com>
> To: freeipa-users at redhat.com
> Sent: Thursday, 4 December 2014 18:49:36
> Subject: [Freeipa-users] ad trust and default_domain_suffix
> 
> Hi,
> 
> I have an IDM (v3.3) installed on a Red Hat 7.
> I have an IDM realm connected to an AD via a trust relationship.
> In the IDM realm there are Red Hat 6 and Red Hat 5 clients.
> 
> 
> My client asks to be able to connect to the Linux machines with their AD account without entering their domain (just the username). On Red Hat 6 there is an option for sssd (default_domain_suffix=).
> It seems to be exactly what I need, but I have a problem. If I use this option, I can indeed log in with my AD username with the domain name, but I cannot log in with my Linux IDM username anymore, even if I use my fully qualified username at realm, i.e. in the middle of the PAM authentication it seems to fail (when I ssh to the machine with ssh <server> -l admin@<realm>, I get Write failed: Broken pipe). If needed I can send more logs.
> 
> I reproduced the problem in a simpler environment: just a Linux realm, and default_domain_suffix set to a nonexistent domain, and again I cannot ssh to my server with my fully qualified username at realm.

So when I try to do "ssh localhost -l admin at idm1" (idm1 is my domain name),
in /var/log/sssd/sssd_nss.log I find:
...
(Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin at idm1]
(Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [idm1]
(Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin at idm1]
(Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [idm1]
(Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin at idm1]
(Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [idm1]
(Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin at idm1]
(Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [idm1]
(Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin at idm1]
(Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name received [admin]


So it seems to be a problem with NSS not being able to find my user.
Indeed, if I do a "getent passwd admin" it doesn't show anything, but if I do a "getent passwd admin at idm1" it works.

I found a "workaround":
getent passwd admin at idm1 >> /etc/passwd


Now I can ssh to my server:
ssh localhost -l admin at idm1



Is it a bug? Is there a better "workaround"?


Regards,
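An added example, not part of the thread and not SSSD project code: a small parser for lines in the format of /var/log/sssd/sssd_nss.log, like the excerpt quoted above, that summarises how many times each name was requested and which names ended in an "Invalid name received" failure. The sample log is constructed to mirror the quoted excerpt (with a literal "@" where the list archive prints "at"); the function names and the hint text are my own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the sssd_nss.log excerpt in the thread.
SAMPLE_LOG = """\
(Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin@idm1]
(Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [idm1]
(Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin@idm1]
(Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam] (0x0100): Requesting info for [admin] from [idm1]
(Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getpwnam_search] (0x0100): Requesting info for [admin@idm1]
(Wed Dec  3 22:44:43 2014) [sssd[nss]] [nss_cmd_getbynam_done] (0x0040): Invalid name received [admin]
"""

# One sssd log line: "(timestamp) [sssd[service]] [function] (0xLEVEL): message"
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[(?P<svc>[^\]]+)\]\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)


def parse_line(line):
    """Return a dict of the line's fields, or None if it is not an sssd log line."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def parse_log(text):
    """Parse every recognisable line; non-matching lines (e.g. '...') are skipped."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def triage(records):
    """Count getpwnam requests per requested name and collect names that
    ended in 'Invalid name received'.  Returns a plain dict so the caller
    can feed it into a report or a monitoring check."""
    lookups = Counter()
    invalid = []
    for r in records:
        if r["func"] == "nss_cmd_getpwnam_search":
            m = re.search(r"Requesting info for \[(.+)\]$", r["msg"])
            if m:
                lookups[m.group(1)] += 1
        elif r["msg"].startswith("Invalid name received"):
            m = re.search(r"\[(.+)\]$", r["msg"])
            if m:
                invalid.append(m.group(1))
    return {"lookups": dict(lookups), "invalid": invalid}


def findings(summary):
    """Turn the triage summary into human-readable findings (hypothetical
    wording, not an sssd diagnostic).  Flags a fully qualified name whose
    short part was the one rejected, which is the pattern in the thread."""
    out = []
    for name, count in summary["lookups"].items():
        short = name.split("@", 1)[0]
        if "@" in name and short in summary["invalid"]:
            out.append(
                f"{name}: requested {count} time(s), then the unqualified "
                f"name [{short}] was rejected by NSS"
            )
    return out


if __name__ == "__main__":
    for line in findings(triage(parse_log(SAMPLE_LOG))):
        print(line)
```

Running it on the constructed sample reports the one pattern the thread shows: admin@idm1 requested repeatedly, then the bare name admin rejected. On the "workaround" itself: the line appended to /etc/passwd is a static local copy of the IDM entry, so it shadows the central entry for NSS lookups on that host and no longer follows changes made in IDM (UID, home, shell, group membership), and it has to be maintained separately on every client.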