On 11/12/2013 01:32 PM, Jakub Hrozek wrote:
Hi,

we have a default_domain_suffix parameter in the SSSD with the following
description:

   default_domain_suffix (string)
       This string will be used as a default domain name for all names without a
       domain name component. The main use case is environments where the primary
       domain is intended for managing host policies and all users are located in a
       trusted domain. The option allows those users to log in just with their user
       name without giving a domain name as well.

       Please note that if this option is set all users from the primary domain have
       to use their fully qualified name, e.g. u...@domain.name, to log in.

       Default: not set

This turned out to be a problem for one RHEL customer recently who uses
the default_domain_suffix option because all his users and groups are
stored in AD. But they also use automounter, which means all requests
from automounter get fully qualified, auto.master becomes
auto.mas...@trusted.ad.domain. And I don't think it's even possible for
automounter to make the map name fully qualified (yes, you can override the
master map name, but then you'd have to also make sure all the nested
map and key names are qualified, which is insane...)

I think that given we only support users and groups from trusted sources
now, we should only consider the default domain suffix for users and
groups.

The customer was kind enough to propose a patch. I think it's correct,
except maybe we should amend the option documentation. I can't think of
any other part of SSSD that needs patching - sudo's input is username
and ssh provider only takes the default domain suffix into consideration
for users as well.

Ack to the patch.

I don't think it is necessary to amend the documentation but it will not hurt :)
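As an added illustration of the routing rule agreed on in this thread (this is not SSSD's own code; the domain names and request kinds are assumed), the model below appends default_domain_suffix only to user and group requests and leaves automounter map names untouched, alongside the pre-patch behaviour that qualified every request:

```python
# Illustrative model of name qualification with default_domain_suffix.
# Hypothetical helper, not SSSD's code; domain names below are constructed.
from typing import NamedTuple, Optional

PRIMARY_DOMAIN = "ipa.example"                # manages host policies (assumed)
DEFAULT_DOMAIN_SUFFIX = "trusted.ad.example"  # where users/groups live (assumed)

# Request kinds a responder may issue
USER, GROUP, AUTOMOUNT_MAP = "user", "group", "automount_map"


class Resolved(NamedTuple):
    name: str
    domain: Optional[str]   # None means "not qualified, search domains in order"


def split_fqname(fqname: str) -> Resolved:
    """Split 'name@domain'; a name with no '@' has no domain component."""
    name, sep, domain = fqname.partition("@")
    return Resolved(name, domain if sep else None)


def qualify_before_patch(request: str, kind: str,
                         default_suffix: Optional[str] = DEFAULT_DOMAIN_SUFFIX) -> Resolved:
    """Pre-patch behaviour: every unqualified request gets the suffix,
    so the automounter lookup 'auto.master' becomes
    'auto.master@trusted.ad.example' and the map is never found."""
    parsed = split_fqname(request)
    if parsed.domain is None and default_suffix:
        return Resolved(parsed.name, default_suffix)
    return parsed


def qualify(request: str, kind: str,
            default_suffix: Optional[str] = DEFAULT_DOMAIN_SUFFIX) -> Resolved:
    """Patched behaviour: the suffix applies to USER and GROUP requests only.
    A primary-domain user must still pass 'alice@ipa.example' explicitly,
    exactly as the option documentation warns."""
    parsed = split_fqname(request)
    if parsed.domain is not None:
        return parsed                          # caller was explicit, keep it
    if kind in (USER, GROUP) and default_suffix:
        return Resolved(parsed.name, default_suffix)
    return parsed                              # automount maps stay unqualified
```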

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel