[Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?
Jakub Hrozek
jhrozek at redhat.com
Thu Oct 20 07:22:38 UTC 2016
On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> Hello,
>
> We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with
> our University organisational AD. The AD forest contains *two*
> domains:
>
> EXAMPLE.AU (staff users)
> STUDENT.EXAMPLE.AU (student users)
>
> The IPA domain that trusts these is called:
>
> IPA.EXAMPLE.AU
>
> The basic configuration as described above works ok - we can login to
> IPA client hosts with user principals from either of the AD domains
> and we see correct group membership.
>
> However, I would like to tune this configuration to drop the domain
> component of the user and group names. I tried to do this by adding
> these settings to the [sssd] section in sssd.conf on the client:
>
> default_domain_suffix = example.au
> full_name_format = %1$s
>
> With this configuration, I can login as a staff domain user (example.au)
> successfully and I then see the short-name form of the groups:
>
> $ ssh -l rns at example.au ipa-client-rh7.ipa.example.au
> [rns at ipa-client-rh7 ~]$ groups
> rns domain users d-750g 511all [..etc..]
>
> However, when I try logging in as a student domain user (student.example.au),
> I don't see any of the groups (there should be 8):
>
> $ ssh -l rnst at student.example.au ipa-client-rh7.ipa.example.au
> [rnst at ipa-client-rh7 ~]$ groups
> rnst
>
> Is this expected behaviour? Is there a possible client configuration that
> will support our AD forest setup or is this simply not possible?
What you did is quite correct, but unfortunately works only with
RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.
More information about the Freeipa-users
mailing list