[Freeipa-users] [SSSD] default_domain_suffix breaks IPA user logins

nathan at nathanpeters.com nathan at nathanpeters.com
Wed Feb 25 21:51:20 UTC 2015


> On Wed, Feb 25, 2015 at 12:11:10PM -0800, nathan at nathanpeters.com wrote:
>> FreeIPA Server 4.1.2
>> FreeIPA client 3.0.0-42
>>
>> I'm not sure how to go about fixing this or working around it.
>>
>> In our organization we have a trust relationship between
>> ad.somedomain.net and ipadomain.net.
>>
>> We don't want our AD users having to type username@ad.somedomain.net
>> when logging in to an IPA machine so we have added
>> default_domain_suffix = ad.somedomain.net to the [sssd] section of
>> sssd.conf.
>>
>> This works great when logging in with an AD user.  I can login using
>> 'username' and they end up with the proper shell and home directory
>> /home/ad.somedomain.net/username etc.
>>
>> However, when I try to login with an IPA user using the username
>> ipauser@ipadomain.net I am just disconnected.  Removing the
>> default_domain_suffix line immediately fixes it, but then we lose the
>> ability to login with AD users just typing their username.
>>
>> Does anyone know how to fix this / workaround it so we can use the
>> default_domain_suffix option and not break internal FreeIPA user logins?
>
> Known issue:
>     https://fedorahosted.org/sssd/ticket/2569
>
> I just acked a patch by Michal Zidek that fixes the problem. In the
> meantime, you can set:
>     use_fully_qualified_names = True
> in the [domain] section.

Thank you.  I have confirmed that adding use_fully_qualified_names = true
to my sssd conf file allows both FreeIPA and AD users to login :)
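
The workaround from this thread, as a check that can be run over an sssd.conf (an added example, not part of the original messages and not SSSD project code). The function name, the sample file contents and the `services`/`id_provider` lines are constructed for illustration; only `default_domain_suffix` and `use_fully_qualified_names` come from the thread.

```python
import configparser
import sys

# Constructed sample mirroring the setup described in the thread
# (not the poster's actual file).
SAMPLE_BROKEN = """
[sssd]
services = nss, pam
domains = ipadomain.net
default_domain_suffix = ad.somedomain.net

[domain/ipadomain.net]
id_provider = ipa
"""

# Same file with the workaround appended to the [domain/...] section.
SAMPLE_WORKAROUND = SAMPLE_BROKEN + "use_fully_qualified_names = True\n"


def domains_missing_fqn(conf_text):
    """Return enabled domains that lack use_fully_qualified_names = True
    while [sssd] sets default_domain_suffix. Empty list if the suffix
    option is not set at all."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_option("sssd", "default_domain_suffix"):
        return []
    raw = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]
    missing = []
    for name in enabled:
        section = "domain/" + name
        try:
            fqn = cp.getboolean(section, "use_fully_qualified_names",
                                fallback=False)
        except ValueError:  # value present but not a recognised boolean
            fqn = False
        if not fqn:
            missing.append(name)
    return missing


if __name__ == "__main__":
    # Usage: python check_sssd.py /etc/sssd/sssd.conf
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BROKEN
    for dom in domains_missing_fqn(text):
        print("domain/%s: default_domain_suffix set without "
              "use_fully_qualified_names = True" % dom)
```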




