On Thu, Oct 20, 2016 at 04:46:01PM +1100, Robert Sturrock wrote:
> Hello,
>
> We have an IPA (4.2) server setup on RHEL 7.2 in a trust arrangement with
> our University organisational AD. The AD forest contains *two*
> domains:
>
>     EXAMPLE.AU (staff users)
>     STUDENT.EXAMPLE.AU (student users)
>
> The IPA domain that trusts these is called:
>
>     IPA.EXAMPLE.AU
>
> The basic configuration as described above works ok - we can login to
> IPA client hosts with user principals from either of the AD domains
> and we see correct group membership.
>
> However, I would like to tune this configuration to drop the domain
> component of the user and group names. I tried to do this by adding
> these settings to the [sssd] section in sssd.conf on the client:
>
>     default_domain_suffix = example.au
>     full_name_format = %1$s
>
> With this configuration, I can login as a staff domain user (example.au)
> successfully and I then see the short-name form of the groups:
>
>     $ ssh -l r...@example.au ipa-client-rh7.ipa.example.au
>     [rns@ipa-client-rh7 ~]$ groups
>     rns domain users d-750g 511all [..etc..]
>
> However, when I try logging in as a student domain user (student.example.au),
> I don't see any of the groups (there should be 8):
>
>     $ ssh -l r...@student.example.au ipa-client-rh7.ipa.example.au
>     [rnst@ipa-client-rh7 ~]$ groups
>     rnst
>
> Is this expected behaviour? Is there a possible client configuration that
> will support our AD forest setup or is this simply not possible?

What you did is quite correct, but unfortunately works only with RHEL-7.3 or newer as it requires sssd-1.14 or newer, sorry.