Hi, we have a default_domain_suffix parameter in the SSSD with the following description:

    default_domain_suffix (string)
    This string will be used as a default domain name for all names without a domain name component. The main use case is environments where the primary domain is intended for managing host policies and all users are located in a trusted domain. The option allows those users to log in just with their user name without giving a domain name as well. Please note that if this option is set all users from the primary domain have to use their fully qualified name, e.g. u...@domain.name, to log in.
    Default: not set

This turned out to be a problem for one RHEL customer recently who uses the default_domain_suffix option because all his users and groups are stored in AD. But they also use automounter, which means all requests from automounter get fully qualified: auto.master becomes auto.mas...@trusted.ad.domain. And I don't think it's even possible for automounter to make the map name fully qualified (yes, you can override the master map name, but then you'd have to also make sure all the nested map and key names are qualified, which is insane...).

I think that given we only support users and groups from trusted sources now, we should only consider the default domain suffix for users and groups.

The customer was kind enough to propose a patch. I think it's correct, except maybe we should amend the option documentation. I can't think of any other part of SSSD that needs patching - sudo's input is a username and the ssh provider only takes the default domain suffix into consideration for users as well.
>From 8756099c93f1734c88c6ba869d2842feaadda319 Mon Sep 17 00:00:00 2001 From: Aron Parsons <parso...@bit-sys.com> Date: Wed, 6 Nov 2013 15:18:54 +0000 Subject: [PATCH] do not use default_domain_suffix with autofs --- src/responder/autofs/autofssrv_cmd.c | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/responder/autofs/autofssrv_cmd.c b/src/responder/autofs/autofssrv_cmd.c index 8a79cec..2fae1b7 100644 --- a/src/responder/autofs/autofssrv_cmd.c +++ b/src/responder/autofs/autofssrv_cmd.c @@ -435,7 +435,7 @@ setautomntent_send(TALLOC_CTX *mem_ctx, state->dctx = dctx; ret = sss_parse_name_for_domains(state, client->rctx->domains, - client->rctx->default_domain, rawname, + NULL, rawname, &domname, &state->mapname); if (ret != EOK) { DEBUG(SSSDBG_FATAL_FAILURE, -- 1.7.1
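Review bot: Passing NULL in place of client->rctx->default_domain assumes sss_parse_name_for_domains accepts a NULL default domain without dereferencing it; the hunk does not show that function, so please confirm it treats NULL as "leave unqualified names unqualified" rather than failing, since the `if (ret != EOK)` path that follows logs at SSSDBG_FATAL_FAILURE. The patch also changes the documented semantics of default_domain_suffix (it no longer applies to autofs map names) but touches only src/responder/autofs/autofssrv_cmd.c; the option's man page text quoted in the mail should be amended in the same patch, and the commit message should state why autofs is excluded (map names such as auto.master would otherwise be qualified with the suffix).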
_______________________________________________ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
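To make the mechanism in the mail concrete, here is a small added example (my own simplified model, not SSSD's sss_parse_name_for_domains or any code from the patch) of how a responder splits a raw name into name and domain, and why handing it a default domain qualifies an unqualified map name like auto.master while handing it NULL leaves the map name alone. The domain names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed list of domains the (imaginary) responder knows about. */
static const char *known_domains[] = { "ipa.example.test", "trusted.ad.domain", NULL };

/* Split rawname into a name and a domain.
 * - "name@domain": domain must be one of known_domains, else -1.
 * - "name" alone: the domain becomes default_domain, which may be NULL,
 *   in which case the name stays unqualified (the autofs patch's choice).
 * Returns 0 on success, -1 on an unknown domain or an over-long name. */
int parse_name_for_domains(const char *rawname, const char *default_domain,
                           char *name_out, size_t name_len, const char **domain_out)
{
    const char *at = strchr(rawname, '@');
    if (at == NULL) {
        if (strlen(rawname) >= name_len) return -1;
        strcpy(name_out, rawname);
        *domain_out = default_domain;      /* NULL => no qualification */
        return 0;
    }
    size_t n = (size_t)(at - rawname);
    if (n == 0 || n >= name_len) return -1;
    memcpy(name_out, rawname, n);
    name_out[n] = '\0';
    for (const char **d = known_domains; *d != NULL; d++) {
        if (strcmp(*d, at + 1) == 0) { *domain_out = *d; return 0; }
    }
    return -1;                             /* unknown domain component */
}

/* Convenience wrapper: the domain a raw name resolves to, or NULL when it
 * stays unqualified or cannot be parsed. */
const char *resolved_domain(const char *rawname, const char *default_domain)
{
    char name[256];
    const char *domain = NULL;
    if (parse_name_for_domains(rawname, default_domain, name, sizeof name, &domain) != 0)
        return NULL;
    return domain;
}

int main(void)
{
    /* With default_domain_suffix set, the automount map name gets qualified. */
    const char *with = resolved_domain("auto.master", "trusted.ad.domain");
    /* With NULL (the patched autofs responder), it stays a plain map name. */
    const char *without = resolved_domain("auto.master", NULL);
    printf("auto.master -> %s / %s\n", with ? with : "(unqualified)",
           without ? without : "(unqualified)");
    return 0;
}
```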