On Wed, Feb 25, 2015 at 12:11:10PM -0800, nat...@nathanpeters.com wrote:
> FreeIPA Server 4.1.2
> FreeIPA client 3.0.0-42
>
> I'm not sure how to go about fixing this or working around it.
>
> In our organization we have a trust relationship between ad.somedomain.net
> and ipadomain.net.
>
> We don't want our AD users having to type usern...@ad.somedomain.net when
> logging in to an IPA machine so we have added
> default_domain_suffix = ad.somedomain.net to the [sssd] section of
> sssd.conf.
>
> This works great when logging in with an AD user. I can login using
> 'username' and they end up with the proper shell and home directory
> /home/ad.somedomain.net/username etc.
>
> However, when I try to login with an IPA user using the username
> ipau...@ipadomain.net I am just disconnected. Removing the
> default_domain_suffix line immediately fixes, but then we lose the
> ability to login with AD users just typing their username.
>
> Does anyone know how to fix this / workaround it so we can use the
> default_domain_suffix option and not break internal FreeIPA user logins?

Known issue:
https://fedorahosted.org/sssd/ticket/2569

I just acked a patch by Michal Zidek that fixes the problem. In the meantime, you can set:
    use_fully_qualified_names = True
in the [domain] section.
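
A small check for the workaround in the reply above, as an added example that is not part of the original thread or of SSSD: it parses an sssd.conf and lists the configured domains that lack `use_fully_qualified_names = True` while `default_domain_suffix` is set. The sample configurations are constructed from the names in the thread, and the function name is hypothetical.

```python
import configparser

# Constructed sample: the setup described in the thread, before the workaround.
SAMPLE_BEFORE = """\
[sssd]
services = nss, pam
domains = ipadomain.net
default_domain_suffix = ad.somedomain.net

[domain/ipadomain.net]
id_provider = ipa
"""

# Constructed sample: same file with the workaround added to the domain section.
SAMPLE_AFTER = SAMPLE_BEFORE + "use_fully_qualified_names = True\n"


def domains_missing_fqn(conf_text):
    """Return configured domains that lack the workaround from the reply.

    Only applies when [sssd] sets default_domain_suffix; otherwise returns [].
    """
    # interpolation=None so values such as /home/%d/%u do not raise errors.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)

    suffix = cp.get("sssd", "default_domain_suffix", fallback="").strip()
    if not suffix:
        return []

    listed = cp.get("sssd", "domains", fallback="")
    names = [d.strip() for d in listed.split(",") if d.strip()]

    missing = []
    for name in names:
        # Assumption: a domain whose name equals the suffix needs no workaround.
        if name.lower() == suffix.lower():
            continue
        value = cp.get("domain/" + name, "use_fully_qualified_names",
                       fallback="false")
        if value.strip().lower() != "true":
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("before:", domains_missing_fqn(SAMPLE_BEFORE))
    print("after: ", domains_missing_fqn(SAMPLE_AFTER))
```

In sssd.conf the domain section is named `[domain/NAME]`, here `[domain/ipadomain.net]`, which is the section the script inspects.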