How to align a user account (< 9 characters long) to a specific AD domain?


How can I align a user John.Doe to one AD Domain, and user Jane.Doe to another AD Domain in the same forest?

Have tried using the winbind separator ex: domain1+jdoe, but long Domain names and long user names get messy.

Authenticating john.doe@domain1.forest.net from jane.doe@domain2.forest.net with previously setup UID and GID is the challenge.
Don't want auto-created accounts, just the password authentication to non-cached (if possible).

In short, can I map:
jdoe1 to john.doe@domain1.forest.net
jdoe2 to jane.doe@domain2.forest.net

Ideally, one would login as jdoe1, but it might also be acceptable to login with the UPN (john.doe@domain1.forest.net), provided that the short name (jdoe1) would appear in system output like 'ps -ef'.

Thanks for your thoughts.

Responses

Hello.

I do not think this is achievable. If you have multiple domains you need a way to specify in which domain that user exists.
If you would like further information I would recommend you to raise a ticket with Red Hat regarding this issue.

Frank

While your Active Directory UPNs might be john.doe@domain1.forest.net and jane.doe@domain2.forest.net, it's reasonable that their SamAccountName attributes might work out to "jdoe1" and "jdoe2", respectively. That said, unless you set winbind to leverage a default domain, you'd still be stuck with authenticating as domain1\jdoe1 and domain2\jdoe2. If you do configure winbind to use a default domain, you'd only be able to omit the domain from one domain's worth of users (i.e., you'd be able to login as "jdoe1" or "jdoe2" but not both).

In general, this "shortcoming" is a good thing. Bad Things(TM) happen when you're doing multi-namespace authentication and there are collisions between those namespaces.

The above aside, you could probably achieve what you're looking to do. However, doing it would likely be a lot of work ...like, enough work that you'd not want to do it only for one system. You'd likely have to write a namespace-aggregation module that maintained a mapping database, and then you'd need to configure PAM to consult that (logical) aggregated name-space. There are third-party tools for this (Optimal VIS comes to mind), but they're non-trivially priced.
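As an added illustration (not code from this thread, and not Samba's or any vendor's implementation), the following Python models the two points made in the answer above: how a winbind-style login is resolved when a separator and at most one default domain are in play, and what the "namespace-aggregation module with a mapping database" would have to do, including refusing a mapping when two domains would collide on the same short name. The domains, accounts, UIDs and GIDs are constructed sample data; the `+` separator is assumed to match the `winbind separator` setting the question mentions, and parking the UPN in the GECOS field follows the suggestion made later in the thread.

```python
"""Toy name-space aggregation for two AD domains (added illustration)."""
from dataclasses import dataclass

# Assumed to match a 'winbind separator = +' setting like the one in the question.
SEPARATOR = "+"


@dataclass(frozen=True)
class AdUser:
    domain: str  # NetBIOS domain name, e.g. DOMAIN1
    sam: str     # sAMAccountName, the short name winbind matches on
    upn: str     # userPrincipalName
    uid: int
    gid: int


# Constructed sample directory; the accounts, UIDs and GIDs are invented.
# The third entry deliberately reuses the short name "jdoe1" in DOMAIN2.
DIRECTORY = [
    AdUser("DOMAIN1", "jdoe1", "john.doe@domain1.forest.net", 10001, 10001),
    AdUser("DOMAIN2", "jdoe2", "jane.doe@domain2.forest.net", 20001, 20001),
    AdUser("DOMAIN2", "jdoe1", "joe.doe@domain2.forest.net", 20002, 20001),
]


def resolve_winbind(name, default_domain=None, separator=SEPARATOR):
    """Resolve a login the way winbind does.

    'DOMAIN+user' is fully qualified.  A bare 'user' is accepted only when a
    default domain is configured, and is then looked up in that one domain,
    so at most one domain's users can log in without a prefix.
    """
    if separator in name:
        domain, _, sam = name.partition(separator)
    elif default_domain is not None:
        domain, sam = default_domain, name
    else:
        raise LookupError(f"{name!r} has no domain prefix and no default domain is set")
    for user in DIRECTORY:
        if user.domain == domain.upper() and user.sam.lower() == sam.lower():
            return user
    raise LookupError(f"no account {sam!r} in {domain.upper()}")


def build_local_map(users):
    """Build the local short-name -> AD account table an aggregation module
    would maintain.  Refuse to build it if two accounts from different
    domains would share a short name: that collision is what the
    one-default-domain rule protects you from.
    """
    table = {}
    for user in users:
        key = user.sam.lower()
        if key in table:
            raise ValueError(
                f"short name {key!r} claimed by {table[key].upn} and {user.upn}")
        table[key] = user
    return table


def resolve_local(name, table):
    """Resolve a login through the aggregated table.

    Accepts either the local short name or the UPN; the short name is what
    the system will show in tools like ps.
    """
    key = name.lower()
    if "@" in key:
        for user in table.values():
            if user.upn.lower() == key:
                return user
        raise LookupError(f"no account with UPN {name!r}")
    if key not in table:
        raise LookupError(f"no local short name {name!r}")
    return table[key]


def passwd_entry(user, shell="/bin/bash"):
    """Render the passwd line the mapping implies, with the UPN parked in
    the GECOS field so the authoritative domain stays recoverable."""
    return f"{user.sam}:x:{user.uid}:{user.gid}:{user.upn}:/home/{user.sam}:{shell}"


if __name__ == "__main__":
    print(resolve_winbind("DOMAIN1+jdoe1").upn)
    table = build_local_map(DIRECTORY[:2])
    for login in ("jdoe1", "jdoe2", "Jane.Doe@domain2.forest.net"):
        print(login, "->", passwd_entry(resolve_local(login, table)))
```

Note that `build_local_map` fails on the full sample directory because two different people would both be "jdoe1"; only after the colliding account is excluded does the table build, which is the point the answer makes about multi-namespace collisions. A real module would also have to perform the password check against the right domain for each entry and keep the table in sync with AD, which this sketch does not attempt.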

AIX uses a per-user variable (lsuser -f | grep auth_domain) that identifies the user's authoritative AD domain. This UPN or email address could be parked in the GECOS field or in a text/reference file, but it's time to get it working.

