On Tue, May 07, 2019 at 06:24:01PM -0500, Spike White wrote:
> Yes, correct.  I converted "[domain/XXX]" lines and ad_domain lines to
> upper case.  Example:
> 
>    [domain/EMEA.COMPANY.COM]
>    ...
>    ad_domain = EMEA.COMPANY.COM
>    krb5_realm = EMEA.COMPANY.COM

Thanks, this confirms my assumption. It should be sufficient to only
change 'ad_domain' because this is the option realmd looks at first.

As said, I'll try to make realm less strict here if AD is used.

bye,
Sumit

> 
> That allows me to do a 'realm permit' specifying upper case for my domain.
> For example
> 
>    realm permit admspike_wh...@amer.company.com
> 
> Spike
> 
> On Mon, May 6, 2019 at 5:01 AM Sumit Bose <sb...@redhat.com> wrote:
> 
> > Hi,
> >
> > thank you for reporting this behavior. realm is indeed a bit too picky
> > about the case here. At least for AD the case should be ignored.
> >
> > On Sun, Apr 14, 2019 at 09:44:56AM -0500, Spike White wrote:
> > > BTW, yes -- that works. If I transform in sssd.conf every "[domain/xxx]"
> > > line:
> > >
> > >     [domain/{amer,emea,apac,japn}.company.com]
> >
> > Am I correct that you not only changed the "[domain/xxx]" lines but the
> > "ad_domain" lines as well?
> >
> > bye,
> > Sumit
> >
> > >
> > > to upper case and restart sssd,  I can then "realm permit" in upper case.
> > >
> > >     realm permit -R AMER.COMPANY.COM spike_wh...@company.com
> > >
> > > Curiously, in sssd.conf, it records the user in lower case:
> > >
> > >     simple_allow_users = processehcprofi...@amer.company.com, spike_wh...@amer.company.com
> > >
> > > No problem with that for me;  I'm really hitting against AD -- which is
> > > case-insensitive.
> > >
> > > BTW, I checked -- I did my original realm join against AMER.COMPANY.COM
> > > (all upper-case).
> > >
> > > Spike
> > >
> > >
> > > On Sat, Apr 13, 2019 at 3:59 PM Spike White <spikewhit...@gmail.com> wrote:
> > >
> > > > All,
> > > >
> > > > I have sssd set up and doing cross-domain AD authentication.  I'm using
> > > > the simple access provider and conferring login access per group.
> > > > Occasionally per user.
> > > >
> > > > I notice that if I do a basic 'realm permit <user>', that it adds this
> > > > user to the wrong AD domain:
> > > >
> > > > Example:
> > > >
> > > > realm permit processehcprofiler
> > > >
> > > > adds it to my JAPN.COMPANY.COM AD domain, not my local AD domain (AMER).
> > > >
> > > > If I attempt to do
> > > >
> > > > realm permit -R AMER.COMPANY.COM processehcprofi...@amer.company.com
> > > >
> > > > I get this error:
> > > >
> > > > realm: Couldn't find a matching realm
> > > >
> > > > Through various experimentation, I find that if I do this:
> > > >
> > > > realm permit -R amer.company.com processehcprofi...@amer.company.com
> > > >
> > > > that it works.  As confirmed by 'sssctl user-checks processehcprofiler'
> > > >
> > > > I notice my "domain" entries in /etc/sssd/sssd.conf file are all lower
> > > > case:
> > > >
> > > > domains = amer.company.com,apac.company.com,emea.company.com,japn.company.com
> > > > ...
> > > > [domain/amer.company.com]
> > > > ad_domain = amer.company.com
> > > > ...
> > > > [domain/apac.company.com]
> > > > ad_domain = apac.company.com
> > > > ...
> > > > [domain/emea.company.com]
> > > > ad_domain = emea.company.com
> > > > ...
> > > > [domain/japn.company.com]
> > > > ad_domain = japn.company.com
> > > > ...
> > > >
> > > > I'm used to Kerberos where domain names are uc and account names are lc.
> > > > So to do:
> > > >
> > > > realm permit -R AMER.COMPANY.COM processehcprofi...@amer.company.com
> > > >
> > > > I have to re-write all the domain names in my sssd.conf file to uc?
> > > >
> > > > Spike
> > > >
> >
> > > _______________________________________________
> > > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
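
The case mismatch discussed in this thread can be checked before running `realm permit -R`. The following is an added example, not part of the original messages and not realmd or SSSD code: it reads an sssd.conf, collects the `ad_domain` spelling of each `[domain/...]` section, and returns the spelling that matches a requested realm when case is ignored. The function names and the sample configuration are constructed for illustration.

```python
import configparser

# Constructed sample modelled on the sssd.conf excerpt quoted in the thread.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = amer.company.com,japn.company.com

[domain/amer.company.com]
ad_domain = amer.company.com
access_provider = simple

[domain/japn.company.com]
ad_domain = JAPN.COMPANY.COM
access_provider = simple
"""


def configured_realms(conf_text):
    """Return {section name: realm spelling} for each [domain/...] section."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    realms = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        # ad_domain is the option realmd looks at first (per the thread).
        # When it is absent, sssd-ad uses the section's domain name instead.
        realms[section] = parser.get(
            section, "ad_domain", fallback=section[len("domain/"):]
        )
    return realms


def realm_argument(conf_text, wanted):
    """Return the configured spelling that equals `wanted` ignoring case."""
    matches = {
        realm for realm in configured_realms(conf_text).values()
        if realm.casefold() == wanted.casefold()
    }
    if not matches:
        raise LookupError(f"no configured domain matches {wanted!r}")
    if len(matches) > 1:
        raise LookupError(f"ambiguous spellings for {wanted!r}: {sorted(matches)}")
    return matches.pop()
```

On a real host, pass the contents of /etc/sssd/sssd.conf (readable by root only) as `conf_text` and use the returned string as the `-R` argument.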
