Drop domain info from file and group ownership text

Hello,

I realm joined RHEL 7.4 systems to a Server 2016 domain. When I log into my RHEL systems with domain accounts, the user and group permissions read: user@contoso.net / domain user@contoso.net

I tried to peel off the domain by specifying full_name_suffix in the /etc/sssd/sssd.conf per the following links:

13.2.15. DOMAIN OPTIONS: SETTING USERNAME FORMATS
7.4. ADDITIONAL CONFIGURATION FOR IDENTITY AND AUTHENTICATION PROVIDERS

What am I missing?

The links above describe how to change the printed username. How do I change the printed group?

[sssd]
domains = contoso.net
config_file_version = 2
services = nss, pam
full_name_suffix = %1$s

[domain/contoso.net]
ad_server = server2016.contoso.net
ad_domain = contoso.net
krb5_realm = CONTOSO.NET
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

Thanks in advance,

Rob

Responses

Hi Rob,

I am not aware of an option "full_name_suffix". Did you mean "full_name_format"?

Can you try these please:

Add the "full_name_format = %1$s" entry to the file, and the "override_homedir = /home/%u" entry.

Regards,

Dusan Baljevic (amateur radio VK2COT)

Hello Dusan,

That change fixed the username portion of the file permissions (ownership). Do you know of any way to shorten the group membership name?

Thanks again!

Rob

Hi Rob,

What does the full sssd.conf look like now?

And can you provide an example of what you mean by "shorten the group membership name"?

Regards,

Dusan Baljevic (amateur radio VK2COT)

Hello Dusan,

So, I misspoke in my previous message. My domain accounts now show just the username and their domain group. Unfortunately, the domain group is "domain users" with the space in the middle. Is there a way to map "domain users" to "users"?

Here's the syntax you asked for:

[root@test2 home]# ls -la
total 12
drwxr-xr-x.  6 root    root           91 Dec 16 14:26 .
dr-xr-xr-x. 19 root    root          249 Dec 13 11:54 ..
drwx------. 15 charles domain users 4096 Dec 13 12:16 charles@contoso.net
drwx------. 15 mark    domain users 4096 Dec 13 13:19 mark@contoso.net
drwx------. 15 rob     rob          4096 Dec 16 14:21 rob
drwx------.  5 rob     domain users  128 Dec 16 14:26 rob@contoso.net
[root@test2 home]# cat /etc/sssd/sssd.conf

[sssd]
domains = contoso.net
config_file_version = 2
services = nss, pam
full_name_format = %1$s
override_homedir = /home/%u

[domain/contoso.net]
ad_server = server2016.contoso.net
ad_domain = contoso.net
krb5_realm = CONTOSO.NET
realmd_tags = manages-system joined-with-adcli
cache_credentials = True 
id_provider = ad 
krb5_store_password_if_offline = True 
default_shell = /bin/bash 
ldap_id_mapping = True 
use_fully_qualified_names = True 
fallback_homedir = /home/%u@%d 
access_provider = ad
[root@test2 home]#

Thanks again!

Rob Ramsey (Also a ham, kc8kpx)
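
In the listing above, the owner `rob` appears on both the `rob` and the `rob@contoso.net` directories once `full_name_format = %1$s` is in effect. The following is an added example, not part of any post in this thread: it expands the `full_name_format` placeholders and reports rendered names that no longer identify a single account. The account lists are constructed sample data, and treating the `rob`/`rob` owner as a local account is an assumption.

```python
import re

# full_name_format placeholders per sssd.conf(5):
#   %1$s = user name, %2$s = domain name, %3$s = domain flat name
_PLACEHOLDER = re.compile(r"%([123])\$s")

# Constructed sample data modelled on the listing in this thread.
LOCAL_USERS = ["root", "rob"]  # assumption: "rob" also exists as a local account
DOMAIN_USERS = [("charles", "contoso.net"),
                ("mark", "contoso.net"),
                ("rob", "contoso.net")]


def render_full_name(fmt, user, domain, flat_name=""):
    """Expand an SSSD full_name_format template for one account."""
    values = {"1": user, "2": domain, "3": flat_name}
    return _PLACEHOLDER.sub(lambda m: values[m.group(1)], fmt)


def find_collisions(fmt, domain_users, local_users):
    """Map each rendered name to its source accounts, keeping only names
    that more than one account renders to (ambiguous in ls or audit output)."""
    seen = {}
    for name in local_users:
        seen.setdefault(name, []).append("local:" + name)
    for user, domain in domain_users:
        rendered = render_full_name(fmt, user, domain)
        seen.setdefault(rendered, []).append(f"{user}@{domain}")
    return {name: srcs for name, srcs in seen.items() if len(srcs) > 1}


if __name__ == "__main__":
    for fmt in ("%1$s@%2$s", "%1$s"):
        print(fmt, "->", find_collisions(fmt, DOMAIN_USERS, LOCAL_USERS))
```

When the short format is used, comparing numeric IDs (`ls -ln`, or the Uid/Gid fields of `stat`) tells the two accounts apart.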

Hi Rob,

I am not aware of any method to "truncate" the group name in the listing.

"domain users" is the default Unix group the accounts belong to. If the default group changes to something else that is a single word without spaces, then it will be displayed as you want it.

And maybe you would want to use a more comprehensive method to list files:

$ stat ZZZ
  File: ZZZ
  Size: 0               Blocks: 0          IO Block: 4096   regular empty file
Device: fd00h/64768d    Inode: 34414016    Links: 1
Access: (0644/-rw-r--r--)  Uid: (162265809/  myusername)   Gid: (165846211/domain users)
Context: unconfined_u:object_r:user_home_t:s0
Access: 2019-12-18 08:15:53.323094083 +1100
Modify: 2019-12-18 08:15:53.323094083 +1100
Change: 2019-12-18 08:15:53.323094083 +1100
 Birth: -

And finally, unrelated to this, you might want to improve your ability to use SSSD by adding:

services = nss, pam, pac, sudo, ifp

The "ifp" option allows you to do useful checks like (you must install sssd-tools):

# sssctl group-show somegroupname

# sssctl domain-status mydomain.dom

# sssctl config-check

OM KC8KPX: 73 de VK2COT (that is a greeting in ham radio, for those who do not know)

Regards,

Dusan Baljevic (amateur radio VK2COT)