[Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

Robert Sturrock rns at unimelb.edu.au
Thu Oct 20 05:46:01 UTC 2016


Hello,

We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with
our University organisational AD.  The AD forest contains *two*
domains:

  EXAMPLE.AU (staff users)
  STUDENT.EXAMPLE.AU (student users)

The IPA domain that trusts these is called:

  IPA.EXAMPLE.AU

The basic configuration as described above works ok - we can log in to
IPA client hosts with user principals from either of the AD domains
and we see correct group membership.

However, I would like to tune this configuration to drop the domain
component of the user and group names.  I tried to do this by adding
these settings to the [sssd] section in sssd.conf on the client:

    default_domain_suffix = example.au
    full_name_format = %1$s

With this configuration, I can log in as a staff domain user (example.au)
successfully and I then see the short-name form of the groups:

    $ ssh -l rns@example.au ipa-client-rh7.ipa.example.au
    [rns@ipa-client-rh7 ~]$ groups
    rns domain users d-750g 511all [..etc..]

However, when I try logging in as a student domain user (student.example.au),
I don't see any of the groups (there should be 8):

    $ ssh -l rnst@student.example.au ipa-client-rh7.ipa.example.au
    [rnst@ipa-client-rh7 ~]$ groups
    rnst

Is this expected behaviour?  Is there a possible client configuration that
will support our AD forest setup or is this simply not possible?

Regards,

Robert.

Complete client sssd.conf:
---------------------------------

[domain/ipa.example.au]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.example.au
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-client-rh7.ipa.example.au
chpass_provider = ipa
ipa_server = _srv_, matilda3.ipa.example.au
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = ipa.example.au
default_domain_suffix = example.au
full_name_format = %1$s

[nss]
homedir_substring = /home
override_shell = /bin/bash

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]
