On Mon, 2012-07-02 at 18:18 +0200, Stef Walter wrote:
> On 07/02/2012 06:02 PM, Simo Sorce wrote:
> > 1.
> > You should never allow to set a domain that differs from the realm name
> > in the AD provider, it is always assumed realm = domain in AD.
> > 
> > In AD both the realm and the domain are case insensitive; however, MIT
> > libs need to use the Realm all upper case for compat reasons.
> > 
> > I think the best thing for now is to simply ignore KRB5_REALM (do not
> > even define AD_KRB5_REALM) and just always use the upper cased domain
> > for the realm variable unconditionally.
> 
> To support AD style logins like "DOMAIN\User" (where 'DOMAIN' is the
> short domain or workgroup name) I've been configuring SSSD like this:
> 
>  [domain/DOMAIN]
>  dns_discovery_domain = domain.example.com
>  re_expression = (?P<domain>[^\\]+)\\(?P<name>[^\\]+)
>  full_name_format = %2$s\\%1$s
>  ... other settings ...
> 
> Is there another sane way to set up AD style logins? If not, then we
> would need to continue to allow the sssd domain to differ from the AD realm.

I think we need to fetch the netbios domain name from AD and allow to
use that instead of having to manually configure a regex.
That information should be available via CLDAP or lacking that via
MSRPC. Of course we should just cache it when we create the domain cache
file or something like that.
Please open a ticket.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
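
The login parsing and realm derivation discussed in this thread, as an added example that is not part of the original messages and is not SSSD code: Python's `re` module is used to model the quoted `re_expression`. Assumptions: the whole login string must match the expression, and the helper names `parse_login`, `realm_for` and `short_name_is_realm` are hypothetical.

```python
import re

# The re_expression from the quoted sssd.conf snippet, unchanged.
RE_EXPRESSION = r"(?P<domain>[^\\]+)\\(?P<name>[^\\]+)"


def parse_login(login):
    """Split a DOMAIN\\User login into (domain, name); None if it does not match.

    Assumption: the whole string has to match, so fullmatch() is used.
    """
    m = re.fullmatch(RE_EXPRESSION, login)
    if m is None:
        return None
    return m.group("domain"), m.group("name")


def realm_for(dns_domain):
    """Realm as proposed in the thread: the AD domain, upper-cased."""
    return dns_domain.upper()


def short_name_is_realm(login, dns_domain):
    """True only when the DOMAIN part of the login equals the realm.

    The comparison ignores case, since AD treats both as case insensitive.
    """
    parsed = parse_login(login)
    if parsed is None:
        return False
    return parsed[0].upper() == realm_for(dns_domain)


# Constructed sample logins, not taken from any real system.
SAMPLES = [
    r"DOMAIN\User",              # short-domain login from the thread
    "User",                      # no domain part
    r"DOMAIN\\User",             # doubled separator
    r"DOMAIN\sub\User",          # more than one separator
    "user@domain.example.com",   # UPN style, not covered by this expression
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", parse_login(sample))
    print("realm:", realm_for("domain.example.com"))
    print("short name equals realm:",
          short_name_is_realm(r"DOMAIN\User", "domain.example.com"))
```

The last check returns False for the short name `DOMAIN` against `domain.example.com`, which is the mismatch between the sssd domain name and the realm that the thread is about.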
