[Freeipa-users] IPA HBAC access using SSSD for user in trusted AD domain (RHEL 6.8)

Jakub Hrozek jhrozek at redhat.com
Fri Jul 15 12:12:02 UTC 2016


On Fri, Jul 15, 2016 at 12:00:56PM +0000, Sullivan, Daniel [AAA] wrote:
> Lukas,
> 
> Thank you for your reply and inquiry.
> 
> First, to answer your question; yes, we have been using the default_domain_suffix for some time.  I am not sure what you mean by previously, but it is currently implemented and has been implemented prior to our 1.13 -> 1.14 upgrade.
> 
> And yes, I am assessing a possible software regression at the
> current moment. It might be related to the default_domain_suffix
> you are inquiring about.  Basically I am getting inconsistent
> results on invocation of the id command when specifying the username
> as ‘username’ or ‘username@fqdn’ on a client running 1.14
> against a DC running 1.13 (i.e. no way to reliably invoke id against a
> trusted domain account).  Sometimes the command will return a result,
> and sometimes it will not.  

No result or missing groups?

> Looking at nss debug logs it appears that
> a duplicate fqdn is being appended to the nss query as shown here (as
> @bsdad.uchicago.edu@bsdad.uchicago.edu).
> This lookup fails.

Yes, this is wrong, can you send me the full NSS and domain logs please?



