#2569 In ipa-ad trust, with 'default_domain_suffix' set to AD domain, IPA users are not able to log in unless use_fully_qualified_names is set
Closed: Fixed. Opened 4 years ago by jhrozek.

Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1185536

Please note that this Bug is private and may not be accessible as it contains confidential Red Hat customer information.

Description of problem:
In an IPA-AD trust scenario, if 'default_domain_suffix = AD.domain' is set,
then as per the man page, IPA users must use their domain name to log in via ssh
or su. However, it fails. In the logs I could see that authentication works
correctly; however, ssh or su fails to open the session.

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Configure IPA-AD trust
2. Set 'default_domain_suffix = AD_DOMAIN'
3. Restart sssd and now try to log in with IPA users via ssh or su

Actual results:
IPA users fail to log in

Expected results:
IPA users should be able to log in

Additional info:
Setting 'use_fully_qualified_names = true' in the IPA domain section allows
users to log in. However, when 'default_domain_suffix' is set, sssd (nss)
should assume that all other users should be using fully qualified domain names.
It should not be necessary to define the 'fully qualified' option in the IPA section.

- The man page of sssd.conf does not mention the necessity of setting
'use_fully_qualified_names = true'
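An added example, not part of the original ticket or SSSD's own code: a small check that reads an sssd.conf and lists the configured domains that would need the workaround reported above on builds that predate the fix for this ticket. The domain names and sample configurations are constructed placeholders, and the function name is hypothetical.

```python
import configparser

# Constructed sample config: domain names are placeholders, not from the ticket.
SAMPLE_AFFECTED = """
[sssd]
services = nss, pam
domains = ipa.example.test
default_domain_suffix = ad.example.test

[domain/ipa.example.test]
id_provider = ipa
"""

# Same config with the workaround from the ticket appended to the IPA domain section.
SAMPLE_WORKAROUND = SAMPLE_AFFECTED + "use_fully_qualified_names = true\n"


def domains_needing_fqnames(conf_text):
    """Return configured domains that differ from default_domain_suffix
    and do not set use_fully_qualified_names = true (hypothetical helper)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    if not cp.has_section("sssd"):
        return []
    suffix = cp.get("sssd", "default_domain_suffix", fallback="").strip()
    if not suffix:
        return []  # option unset: the situation in the ticket does not arise
    flagged = []
    for name in cp.get("sssd", "domains", fallback="").split(","):
        name = name.strip()
        if not name or name.lower() == suffix.lower():
            continue  # the default-suffix domain itself is not affected
        section = "domain/" + name
        fq = "false"
        if cp.has_section(section):
            fq = cp.get(section, "use_fully_qualified_names", fallback="false")
        if fq.strip().lower() != "true":
            flagged.append(name)
    return flagged


if __name__ == "__main__":
    for label, text in (("affected", SAMPLE_AFFECTED),
                        ("workaround", SAMPLE_WORKAROUND)):
        print(label, domains_needing_fqnames(text))
```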

Fields changed

owner: somebody => mzidek

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.13 alpha

Fields changed

patch: 0 => 1

resolution: => fixed
status: new => closed

Metadata Update from @jhrozek:
- Issue assigned to mzidek
- Issue set to the milestone: SSSD 1.13 alpha

2 years ago
