[Freeipa-users] [SSSD] default_domain_suffix breaks IPA user logins

Jakub Hrozek jhrozek at redhat.com
Wed Feb 25 21:16:37 UTC 2015


On Wed, Feb 25, 2015 at 12:11:10PM -0800, nathan at nathanpeters.com wrote:
> FreeIPA Server 4.1.2
> FreeIPA client 3.0.0-42
> 
> I'm not sure how to go about fixing this or working around it.
> 
> In our organization we have a trust relationship between ad.somedomain.net
> and ipadomain.net.
> 
> We don't want our AD users having to type username at ad.somedomain.net when
> logging in to an IPA machine so we have added
> default_domain_suffix  = ad.somedomain.net to the [sssd] section of
> sssd.conf.
> 
> This works great when logging in with an AD user.  I can login using
> 'username' and they end up with the proper shell and home directory
> /home/ad.somedomain.net/username etc.
> 
> However, when I try to login with an IPA user using the username
> ipauser at ipadomain.net I am just disconnected.  Removing the
> default_domain_suffix line immediately fixes, but then we lose the
> ability to login with AD users just typing their username.
> 
> Does anyone know how to fix this / workaround it so we can use the
> default_domain_suffix option and not break internal FreeIPA user logins?

Known issue:
    https://fedorahosted.org/sssd/ticket/2569

I just acked a patch by Michal Zidek that fixes the problem. In the meantime,
you can set:
    use_fully_qualified_names = True
in the [domain] section.
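
A check for the combination discussed in this thread, as an added example that is not part of the original messages and is not SSSD project code: it reports configured domains that lack the `use_fully_qualified_names = True` workaround while `[sssd]` sets `default_domain_suffix`. The section name `[domain/ipadomain.net]`, the sample file contents and the function name are assumptions built from the domain names in the thread.

```python
import configparser

# Constructed sample sssd.conf, using the domain names from the thread.
SAMPLE_BEFORE = """\
[sssd]
services = nss, pam
domains = ipadomain.net
default_domain_suffix = ad.somedomain.net

[domain/ipadomain.net]
id_provider = ipa
"""

# Same file with the workaround appended to the [domain/...] section.
SAMPLE_WORKAROUND = SAMPLE_BEFORE + "use_fully_qualified_names = True\n"


def domains_missing_fqn(conf_text):
    """Return the domains listed in [sssd] that do not set
    use_fully_qualified_names = True although default_domain_suffix is set."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)

    suffix = cp.get("sssd", "default_domain_suffix", fallback="").strip()
    if not suffix:
        return []  # no default suffix configured, nothing to flag

    listed = cp.get("sssd", "domains", fallback="")
    names = [d.strip() for d in listed.split(",") if d.strip()]

    missing = []
    for name in names:
        section = "domain/" + name
        try:
            fqn = cp.getboolean(section, "use_fully_qualified_names",
                                fallback=False)
        except ValueError:
            fqn = False  # value present but not a recognisable boolean
        if not fqn:
            missing.append(name)
    return missing


if __name__ == "__main__":
    for label, text in (("before", SAMPLE_BEFORE),
                        ("workaround", SAMPLE_WORKAROUND)):
        print(label, domains_missing_fqn(text))
```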



