On Tue, May 07, 2019 at 06:24:01PM -0500, Spike White wrote:
> Yes, correct. I converted "[domain/XXX]" lines and ad_domain lines to
> upper case. Example:
>
> [domain/EMEA.COMPANY.COM]
> ...
> ad_domain = EMEA.COMPANY.COM
> krb5_realm = EMEA.COMPANY.COM

Thanks, this confirms my assumption. It should be sufficient to only
change 'ad_domain' because this is the option realmd looks at first. As
said I'll try to make realm less strict here if AD is used.

bye,
Sumit

>
> That allows me to do a 'realm permit' specifying upper case for my domain.
> For example
>
> realm permit admspike_wh...@amer.company.com
>
> Spike
>
>
> On Mon, May 6, 2019 at 5:01 AM Sumit Bose <sb...@redhat.com> wrote:
>
> > Hi,
> >
> > thank you for reporting this behavior. realm is indeed a bit too picky
> > about the case here. At least for AD the case should be ignored.
> >
> > On Sun, Apr 14, 2019 at 09:44:56AM -0500, Spike White wrote:
> > > BTW, yes -- that works. If I transform in sssd.conf every "[domain/xxx]"
> > > line:
> > >
> > > [domain/{amer,emea,apac,japn}.company.com]
> >
> > Am I correct that you not only changed the "[domain/xxx]" lines but the
> > "ad_domain" lines as well?
> >
> > bye,
> > Sumit
> >
> > >
> > > to upper case and restart sssd, I can then "realm permit" in upper case.
> > >
> > > realm permit -R AMER.COMPANY.COM spike_wh...@company.com
> > >
> > > Curiously, in sssd.conf, it records the user in lower case:
> > >
> > > simple_allow_users = processehcprofi...@amer.company.com,
> > > spike_wh...@amer.company.com
> > >
> > > No problem with that for me; I'm really hitting against AD -- which is
> > > case-insensitive.
> > >
> > > BTW, I checked -- I did my original realm join against AMER.COMPANY.COM
> > > (all upper-case).
> > >
> > > Spike
> > >
> > >
> > > On Sat, Apr 13, 2019 at 3:59 PM Spike White <spikewhit...@gmail.com> wrote:
> > >
> > > > All,
> > > >
> > > > I have sssd set up and doing cross-domain AD authentication. I'm using
> > > > the simple access provider and conferring login access per group.
> > > > Occasionally per user.
> > > >
> > > > I notice that if I do a basic 'realm permit <user>', that it adds this
> > > > user to the wrong AD domain:
> > > >
> > > > Example:
> > > >
> > > > realm permit processehcprofiler
> > > >
> > > > adds it to my JAPN.COMPANY.COM AD domain, not my local AD domain (AMER).
> > > >
> > > > If I attempt to do
> > > >
> > > > realm permit -R AMER.COMPANY.COM processehcprofi...@amer.company.com
> > > >
> > > > I get this error:
> > > >
> > > > realm: Couldn't find a matching realm
> > > >
> > > > Through various experimentation, I find that if I do this:
> > > >
> > > > realm permit -R amer.company.com processehcprofi...@amer.company.com
> > > >
> > > > that it works. As confirmed by 'sssctl user-checks processehcprofiler'
> > > >
> > > > I notice my "domain" entries in /etc/sssd/sssd.conf file are all lower
> > > > case:
> > > >
> > > > domains = amer.company.com,apac.company.com,emea.company.com,
> > > > japn.company.com
> > > > ...
> > > > [domain/amer.company.com]
> > > > ad_domain = amer.company.com
> > > > ...
> > > > [domain/apac.company.com]
> > > > ad_domain = apac.company.com
> > > > ...
> > > > [domain/emea.company.com]
> > > > ad_domain = emea.company.com
> > > > ...
> > > > [domain/japn.company.com]
> > > > ad_domain = japn.company.com
> > > > ...
> > > >
> > > > I'm used to Kerberos where domain names are uc and account names are lc.
> > > > So to do:
> > > >
> > > > realm permit -R AMER.COMPANY.COM processehcprofi...@amer.company.com
> > > >
> > > > I have to re-write all the domain names in my sssd.conf file to uc?
> > > >
> > > > Spike
> > > >
> > > _______________________________________________
> > > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > > To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> > > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
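
Added example, not part of the original thread and not code from realmd or sssd: a Python script that matches a realm name to a [domain/...] section by ad_domain without regard to case, and reports simple_allow_users entries that ended up in a different domain's section than intended (the "wrong AD domain" symptom described above). The sample sssd.conf, the user spike@amer.company.com and all function names are constructed for illustration.

```python
import configparser

# Constructed sample modelled on the thread's sssd.conf (not a real host's file).
SAMPLE_SSSD_CONF = """
[domain/amer.company.com]
ad_domain = amer.company.com
simple_allow_users = spike@amer.company.com

[domain/japn.company.com]
ad_domain = japn.company.com
simple_allow_users = processehcprofiler
"""

def load_domains(text):
    """Return {section_name: options} for every [domain/...] section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections() if s.startswith("domain/")}

def find_domain(domains, realm):
    """Match a realm to a section by ad_domain, ignoring case (AD semantics)."""
    wanted = realm.casefold()
    for section, opts in domains.items():
        # Assumption: fall back to the section name when ad_domain is absent.
        name = opts.get("ad_domain", section.split("/", 1)[1])
        if name.casefold() == wanted:
            return section
    return None

def allow_list_hits(domains, user):
    """Sections whose simple_allow_users names user (short or user@domain form)."""
    short = user.split("@", 1)[0].casefold()
    hits = []
    for section, opts in domains.items():
        entries = [e.strip() for e in opts.get("simple_allow_users", "").split(",")]
        if any(e.split("@", 1)[0].casefold() == short for e in entries if e):
            hits.append(section)
    return hits

def misplaced(domains, user, expected_realm):
    """Sections that permit user but are not the expected realm's section."""
    expected = find_domain(domains, expected_realm)
    return [s for s in allow_list_hits(domains, user) if s != expected]

if __name__ == "__main__":
    d = load_domains(SAMPLE_SSSD_CONF)
    print(find_domain(d, "AMER.COMPANY.COM"))
    print(misplaced(d, "processehcprofiler", "AMER.COMPANY.COM"))
```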