[Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

Jakub Hrozek jhrozek at redhat.com
Thu Oct 20 07:22:38 UTC 2016


On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> Hello,
> 
> We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with
> our University organisational AD.  The AD forest contains *two*
> domains:
> 
>   EXAMPLE.AU (staff users)
>   STUDENT.EXAMPLE.AU (student users)
> 
> The IPA domain that trusts these is called:
> 
>   IPA.EXAMPLE.AU
> 
> The basic configuration as described above works ok - we can login to
> IPA client hosts with user principals from either of the AD domains
> and we see correct group membership.
> 
> However, I would like to tune this configuration to drop the domain
> component of the user and group names.  I tried to do this by adding
> these settings to the [sssd] section in sssd.conf on the client:
> 
>     default_domain_suffix = example.au
>     full_name_format = %1$s
> 
> With this configuration, I can login as a staff domain user (example.au)
> successfully and I then see the short-name form of the groups:
> 
>     $ ssh -l rns@example.au ipa-client-rh7.ipa.example.au
>     [rns@ipa-client-rh7 ~]$ groups
>     rns domain users d-750g 511all [..etc..]
> 
> However, when I try logging in as a student domain user (student.example.au),
> I don't see any of the groups (there should be 8):
> 
>     $ ssh -l rnst@student.example.au ipa-client-rh7.ipa.example.au
>     [rnst@ipa-client-rh7 ~]$ groups
>     rnst
> 
> Is this expected behaviour?  Is there a possible client configuration that
> will support our AD forest setup or is this simply not possible?

What you did is quite correct, but unfortunately works only with
RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.
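A preflight check for the client settings discussed in this thread, added here as an example (not code from the thread or from the SSSD project). It assumes `sssd --version` prints the installed version and that `default_domain_suffix` and `full_name_format` sit in the `[sssd]` section of sssd.conf as quoted above; the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): the reply states the quoted settings need
# sssd 1.14 or newer, so verify the version and the [sssd] section before rollout.

# Return 0 if dotted version $1 is >= dotted version $2 (e.g. 1.14.0 >= 1.14).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$2" ]
}

# Installed version parsed from "sssd --version" (e.g. "1.13.0"); empty if absent.
installed_sssd_version() {
    sssd --version 2>/dev/null | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p' | head -n1
}

# Value of key $2 in the [sssd] section of config file $1. The sed range ends at
# the next section header, so the same key inside a [domain/...] block is ignored.
sssd_section_value() {
    sed -n '/^\[sssd\]/,/^\[/ s/^[[:space:]]*'"$2"'[[:space:]]*=[[:space:]]*//p' "$1"
}

# Verdict for config $1 and sssd version $2:
#   0 = short names should work, 1 = sssd older than 1.14, 2 = settings missing
short_names_supported() {
    suffix=$(sssd_section_value "$1" default_domain_suffix)
    fmt=$(sssd_section_value "$1" full_name_format)
    { [ -n "$suffix" ] && [ "$fmt" = '%1$s' ]; } || return 2
    version_ge "$2" 1.14 || return 1
}

# Constructed sample client config mirroring the settings quoted in the thread.
write_sample_conf() {
    cat > "$1" <<'EOF'
[sssd]
domains = ipa.example.au
services = nss, pam
default_domain_suffix = example.au
full_name_format = %1$s

[domain/ipa.example.au]
id_provider = ipa
EOF
}

conf=$(mktemp)
write_sample_conf "$conf"
for ver in 1.13.0 1.14.0; do
    short_names_supported "$conf" "$ver"; rc=$?
    echo "sssd $ver: verdict $rc (0=ok, 1=too old, 2=settings missing)"
done
rm -f "$conf"
```

On a real client, replace the sample version with `$(installed_sssd_version)` and point the check at /etc/sssd/sssd.conf.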