Hello,

We have an IPA (4.2) server set up on RHEL 7.2 in a trust arrangement with our University organisational AD. The AD forest contains *two* domains:

    EXAMPLE.AU          (staff users)
    STUDENT.EXAMPLE.AU  (student users)

The IPA domain that trusts these is called:

    IPA.EXAMPLE.AU

The basic configuration as described above works OK - we can log in to IPA client hosts with user principals from either of the AD domains and we see correct group membership. However, I would like to tune this configuration to drop the domain component of the user and group names. I tried to do this by adding these settings to the [sssd] section in sssd.conf on the client:

    default_domain_suffix = example.au
    full_name_format = %1$s

With this configuration, I can log in as a staff domain user (example.au) successfully and I then see the short-name form of the groups:

    $ ssh -l r...@example.au ipa-client-rh7.ipa.example.au
    [rns@ipa-client-rh7 ~]$ groups
    rns domain users d-750g 511all [..etc..]

However, when I try logging in as a student domain user (student.example.au), I don't see any of the groups (there should be 8):

    $ ssh -l r...@student.example.au ipa-client-rh7.ipa.example.au
    [rnst@ipa-client-rh7 ~]$ groups
    rnst

Is this expected behaviour? Is there a possible client configuration that will support our AD forest setup, or is this simply not possible?

Regards,
Robert.

Complete client sssd.conf:
---------------------------------
[domain/ipa.example.au]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.example.au
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = ipa-client-rh7.ipa.example.au
chpass_provider = ipa
ipa_server = _srv_, matilda3.ipa.example.au
ldap_tls_cacert = /etc/ipa/ca.crt

[sssd]
services = nss, sudo, pam, ssh
config_file_version = 2
domains = ipa.example.au
default_domain_suffix = example.au
full_name_format = %1$s

[nss]
homedir_substring = /home
override_shell = /bin/bash

[pam]

[sudo]

[autofs]

[ssh]

[pac]

[ifp]

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
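Editor's note: the following is an added diagnostic example, not code from the original post or from the FreeIPA/SSSD projects. It shows the two checks a practitioner would run on a client configured as above: (1) resolve each trusted-domain user by its fully qualified principal and count the groups `id` returns, so a user that resolves but comes back with only the primary group (the student case described in the post) is flagged rather than silently accepted; and (2) look for short-name collisions across the two AD domains, because with `full_name_format = %1$s` a staff `rns` and a student `rns` would be indistinguishable on the client. The `id` output lines marked SAMPLE_* are constructed for illustration; the user names `rns` and `rnst` and the group names are taken from the post, the other group ids are assumptions.

```sh
#!/bin/sh
# Added example (not from the original post or from SSSD/FreeIPA).
# Diagnostic helpers for an IPA client that trusts two AD domains.

# count_groups LINE
#   Count the groups in one line of `id` output
#   (uid=...(user) gid=...(grp) groups=gid(name),gid(name),...).
#   Prints 0 when the line carries no groups= field at all.
count_groups() {
    printf '%s\n' "$1" | awk -F'groups=' '
        NF > 1  { print split($2, a, ",") }
        NF <= 1 { print 0 }'
}

# check_user USER@DOMAIN
#   Resolve a fully qualified principal through NSS/SSSD and report whether
#   group membership came back. Return 1 if the user does not resolve,
#   2 if only the primary group was returned, 0 otherwise.
check_user() {
    user="$1"
    out=$(id "$user" 2>/dev/null) || {
        echo "FAIL $user: not resolvable via NSS"
        return 1
    }
    n=$(count_groups "$out")
    if [ "$n" -le 1 ]; then
        echo "WARN $user: only $n group resolved (membership missing?)"
        return 2
    fi
    echo "OK   $user: $n groups"
}

# short_name_collisions USER@DOMAIN ...
#   Print every short name that occurs in more than one domain. With
#   full_name_format = %1$s such users collapse to the same login name.
short_name_collisions() {
    printf '%s\n' "$@" | cut -d@ -f1 | sort | uniq -d
}

# Constructed sample `id` output (assumption: not captured from a real host).
SAMPLE_STAFF='uid=1001(rns) gid=513(domain users) groups=513(domain users),1101(d-750g),1102(511all)'
SAMPLE_STUDENT='uid=2001(rnst) gid=513(domain users) groups=513(domain users)'

# Demonstration on the constructed samples; on a live client replace these
# with: check_user rns@example.au; check_user rnst@student.example.au
echo "staff sample:   $(count_groups "$SAMPLE_STAFF") groups"
echo "student sample: $(count_groups "$SAMPLE_STUDENT") groups"
echo "short-name collisions:"
short_name_collisions rns@example.au rns@student.example.au rnst@student.example.au
```

Run `check_user` with the fully qualified principal for one user from each trusted domain; a result of 2 for the student domain only reproduces the symptom in the post and localises it to group resolution for that domain rather than to authentication. Any name printed by `short_name_collisions` is a user that should not be exposed under a bare `%1$s` login name on a shared client.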