#7851 Domain resolution order for AD Trust users cannot be changed on the Default Trust View
Opened 6 months ago by johnkeates. Modified 6 months ago

Request for enhancement

As an administrator, I want to change the domain resolution order so that AD trust users can use a short name.

Issue

The domain resolution order needs to be set in order to use the short AD user name instead of the full user+domain suffix. SSSD doesn't read the global domain order in IPA for AD users, but it does support local and ID View domain ordering lists to support short names.

Currently, the only way to reliably configure this for AD users is by configuring SSSD's configuration file.

Steps to Reproduce

  1. Add AD Trust
  2. Add ID override for an AD user
  3. Verify login using the AD user in IPA
  4. Try logging in using short name (this should fail)
  5. Add domain resolution order and try step 4 again (still fails)
  6. Configure SSSD's [sssd] item with a domain_resolution_order list
  7. Log in using a user's short name on the instance where you changed (and restarted) the SSSD config (it now works)

This might be related to the compat tree which also uses those overrides to check if a user matches a user in an AD domain: https://pagure.io/freeipa/issue/7748

Version/Release/Distribution

CentOS 7 + FreeIPA 4.6.4
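
The per-host workaround from steps 6 and 7, with a drift check for it, as an added example that is not part of the original ticket or of FreeIPA/SSSD. The domain names, the sample file contents and the function names are constructed placeholders; the order matters because a short name is looked up in the listed domains in sequence.

```python
import configparser

# Constructed sample of /etc/sssd/sssd.conf after step 6 (placeholder domains).
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam, ssh, sudo
domains = ipa.example.test
domain_resolution_order = ad.example.test, ipa.example.test

[domain/ipa.example.test]
id_provider = ipa
"""


def local_resolution_order(conf_text):
    """Return the domain_resolution_order list from [sssd], or [] if unset."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(conf_text)
    # fallback also covers a file that has no [sssd] section at all
    raw = parser.get("sssd", "domain_resolution_order", fallback="")
    return [d.strip().lower() for d in raw.split(",") if d.strip()]


def check_host(conf_text, expected):
    """Compare a host's local order with the intended one; return (ok, message)."""
    actual = local_resolution_order(conf_text)
    wanted = [d.lower() for d in expected]
    if not actual:
        return False, "domain_resolution_order not set in [sssd]"
    if actual != wanted:
        return False, "order differs: %s (expected %s)" % (actual, wanted)
    return True, "ok: " + ", ".join(actual)


if __name__ == "__main__":
    # Hypothetical intended order for the fleet: AD domain first, then IPA.
    print(check_host(SAMPLE_SSSD_CONF, ["ad.example.test", "ipa.example.test"]))
```

Because the setting lives in each host's local file, running a check like this across enrolled clients shows where short-name logins will behave differently.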

