[Freeipa-users] IPA-AD trust group membership: display 'short' group names for two AD domains?

Mon Oct 24 17:03:15 UTC 2016

On Mon, Oct 24, 2016 at 11:29:06AM -0400, William Muriithi wrote:
> Morning Jakub,
> 
> >>  However, I would like to tune this configuration to drop the domain
> >>  component of the user and group names.  I tried to do this by adding
> >>  these settings to the [sssd] section in sssd.conf on the client:
> >>
> >>    default_domain_suffix = example.au
> >>     full_name_format = %1$s
> >>
> >>  With this configuration, I can login as a staff domain user (example.au)
> >> successfully and I then see the short-name form of the groups:
> >>
> >>     $ ssh -l rnst at student.example.au ipa-client-rh7.ipa.example.au
> >>     [rnst at ipa-client-rh7 ~]$ groups
> >>     rnst
> >>
> >> Is this expected behaviour?  Is there a possible client configuration that
> >> will support our AD forest setup or is this simply not possible?
> >
> > What you did is quite correct, but unfortunately works only with
> > RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.
> 
> Does one need  sssd-1.14 on the IPA server only or is this required on
> all the IPA clients too?

I haven't tested since I was working in this area, but I belive the clients
as well.

[Freeipa-users] IPA-AD trust group membership: display 'short' group names for *two* AD domains?

[Freeipa-users] IPA-AD trust group membership: display 'short' group names for two AD domains?