#1529 [RFE] Login with users from a trusted domain always requires a FQ name
Closed: Fixed None Opened 9 years ago by dpal.

Assume the setup when there is an AD as authoritative source of the identities and there is an IPA integrated via trust feature. SSSD is enrolled with IPA domain.

In the current implementation of the trusts any user from a trusted domain has to provide a FQ name when logging via SSSD. It is the way how the trusted domains work in Windows.

However realistically in most cases:
- Users that have access to Linux systems will come from a single AD domain
- The IdM domain would not have users (other than admin)
- The company policy requires users to authenticate against AD

For such case (which is expected to be a majority use case) the sssd should have an option to provide the automatic domain expansion for the users with the short name. Without such option the users from trusted AD domains would have to type FQ name every single time when they log in. This is a big burden and would be a barrier for adoption of the IPA trust solution.

Option example:

default_domain_suffix = foo

If this setting is present SSSD would append @foo for any user who tries to log in with a short name first before assuming that it is a user from the first domain that is configured.

The option can alternatively be introduced in the ipa domain config section if such approach is more logical than a global setting.

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.9.1

Fields changed

rhbz: => 0

Fields changed

owner: somebody => sbose
status: new => assigned

Fields changed

patch: 0 => 1

Fixed in:
- 1542b85
- aac3ca6
- fc0e15e

resolution: => fixed
status: assigned => closed

Metadata Update from @dpal:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.9.1

4 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2571

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.