Red Hat Training
A Red Hat training course is available for Red Hat Enterprise Linux
8.5. Configuration Options for Using Short Names to Resolve and Authenticate Users and Groups
This section describes configuration options enabling you to use short user or group names instead of the
user_name@domain or domain\user_name fully qualified names format to resolve and authenticate users and groups in an Active Directory (AD) environment. You can configure this:
- in Identity Management (IdM) that trusts AD
- on Red Hat Enterprise Linux joined to an AD using SSSD
8.5.1. How Domain Resolution Works
You can use the
domain resolution order option to specify the order in which a list of domains is searched to return a match for a given user name. You can set the option:
In environments with an Active Directory trust, applying one or both of the server-based options is recommended.
From the perspective of a particular client, the
domain resolution order option can be set in more than one of the three locations above. The order in which a client consults the three locations is:
- the local
sssd.confconfiguration - the id view configuration
- the global IdM configuration
Only the domain resolution order setting found first will be used.
In environments in which Red Hat Enterprise Linux is directly integrated into an AD, you can only set the domain resolution order on the client.
Note
You must use qualified names if:
- A user name exists in multiple domains
- The SSSD configuration includes the
default_domain_suffixoption and you want to make a request towards a domain not specified with that option
8.5.2. Configuring the Domain Resolution Order on an Identity Management Server
Select the server-based configuration if a large number of clients in a domain or subdomain should use an identical domain resolution order.
8.5.2.1. Setting the Domain Resolution Order Globally
Select this option for setting the domain resolution order to all the clients in the trust. In order to do this, use the
ipa config-mod command. For example, in an IdM domain that trusts an AD forest with multiple child domains:
$ ipa config-mod --domain-resolution-order='idm.example.com:ad.example.com:subdomain1.ad.example.com:subdomain2.ad.example.com' Maximum username length: 32 Home directory base: /home ... Domain Resolution Order: idm.example.com:ad.example.com:subdomain1.ad.example.com:subdomain2.ad.example.com ...With the domain resolution order set in this way, users from both the IdM domain and from the trusted AD forest can log in using short names only.
8.5.2.2. Setting the Domain Resolution Order for an ID view
Select this option to apply the setting to the clients in a specific domain.
For example, on your subdomain server, server.idm.example.com, you observe many more logins from the subdomain2.ad.example.com subdomain than from subdomain1.ad.example.com. The global resolution order states, however, that the subdomain1.ad.example.com subdomain user database is tried out before subdomain2.ad.example.com when resolving user names. To set a different order for certain servers, set up a domain resolution order for a specific view:
- Create an ID view with the
domain resolution orderoption set:$ ipa idview-add example_view --desc "ID view for custom shortname resolution on server.idm.example.com" --domain-resolution-order subdomain2.ad.example.com:subdomain1.ad.example.com --------------------------------- Added ID View "example_view" --------------------------------- ID View Name: example_view Description: ID view for custom shortname resolution on server.idm.example.com Domain Resolution Order: subdomain2.ad.example.com:subdomain1.ad.example.com
- Apply the view on the clients. For example:
$ ipa idview-apply example_view --hosts server.idm.example.com ----------------------------------- Applied ID View "example_view" ----------------------------------- hosts: server.idm.example.com --------------------------------------------- Number of hosts the ID View was applied to: 1 ---------------------------------------------
For further information on ID views, see Chapter 8, Using ID Views in Active Directory Environments.
8.5.3. Configuring the Domain Resolution Order on an IdM Client
Set the domain resolution order on the client if you want to set it on a low number of clients or if the clients are directly connected to AD.
Set the
domain_resolution_order option, in the [sssd] section, in the /etc/sssd/sssd.conf file, for example:
domain_resolution_order = subdomain1.ad.example.com, subdomain2.ad.example.com
For further information on configuring the
domain_resolution_order option, see the sssd.conf(5) man page.
