[Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?
Robert Sturrock
rns at unimelb.edu.au
Thu Oct 20 05:46:01 UTC 2016
Hello,
We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with
our University organisational AD. The AD forest contains *two*
domains:
EXAMPLE.AU (staff users)
STUDENT.EXAMPLE.AU (student users)
The IPA domain that trusts these is called:
IPA.EXAMPLE.AU
The basic configuration as described above works ok - we can login to
IPA client hosts with user principals from either of the AD domains
and we see correct group membership.
However, I would like to tune this configuration to drop the domain
component of the user and group names. I tried to do this by adding
these settings to the [sssd] section in sssd.conf on the client:
default_domain_suffix = example.au
full_name_format = %1$s
With this configuration, I can login as a staff domain user (example.au)
successfully and I then see the short-name form of the groups:
$ ssh -l rns at example.au ipa-client-rh7.ipa.example.au
[rns at ipa-client-rh7 ~]$ groups
rns domain users d-750g 511all [..etc..]
However, when I try logging in as a student domain user (student.example.au),
I don't see any of the groups (there should be 8):
$ ssh -l rnst at student.example.au ipa-client-rh7.ipa.example.au
[rnst at ipa-client-rh7 ~]$ groups
rnst
Is this expected behaviour? Is there a possible client configuration that
will support our AD forest setup or is this simply not possible?
Regards,
Robert.
Complete client sssd.conf:
---------------------------------
[domain/ipa.example.au]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.example.au
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-client-rh7.ipa.example.au
chpass_provider = ipa
ipa_server = _srv_, matilda3.ipa.example.au
ldap_tls_cacert = /etc/ipa/ca.crt
[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = ipa.example.au
default_domain_suffix = example.au
full_name_format = %1$s
[nss]
homedir_substring = /home
override_shell = /bin/bash
[pam]
[sudo]
[autofs]
[ssh]
[pac]
[ifp]
More information about the Freeipa-users
mailing list