8.5. Configuration Options for Using Short Names to Resolve and Authenticate Users and Groups

This section describes configuration options that let you use short user or group names, instead of the fully qualified user_name@domain or domain\user_name forms, to resolve and authenticate users and groups in an Active Directory (AD) environment. You can configure this:
  • in Identity Management (IdM) that trusts AD
  • on Red Hat Enterprise Linux joined to an AD using SSSD

8.5.1. How Domain Resolution Works

You can use the domain resolution order option to specify the order in which a list of domains is searched to return a match for a given user name. You can set the option:
  • globally, in the IdM server configuration
  • for an ID view, on the IdM server
  • locally, in the /etc/sssd/sssd.conf file on the client
In environments with an Active Directory trust, applying one or both of the server-based options is recommended.
From the perspective of a particular client, the domain resolution order option can be set in more than one of the three locations above. The order in which a client consults the three locations is:
  1. the local sssd.conf configuration
  2. the id view configuration
  3. the global IdM configuration
Only the setting found first is used; the lists from the other locations are ignored rather than merged.
In environments in which Red Hat Enterprise Linux is directly integrated into AD, there is no IdM server or ID view involved, so you can only set the domain resolution order on the client.

Note

You must use qualified names if:
  • The same user name exists in more than one domain
  • The SSSD configuration includes the default_domain_suffix option and you want to make a request for a domain other than the one specified with that option

8.5.2. Configuring the Domain Resolution Order on an Identity Management Server

Select the server-based configuration if a large number of clients in a domain or subdomain should use an identical domain resolution order.

8.5.2.1. Setting the Domain Resolution Order Globally

Select this option to set the domain resolution order for all clients in the IdM domain. To do this, use the ipa config-mod command. For example, in an IdM domain that trusts an AD forest with multiple subdomains:
$ ipa config-mod --domain-resolution-order='idm.example.com:ad.example.com:subdomain1.ad.example.com:subdomain2.ad.example.com'
Maximum username length: 32
Home directory base: /home
...
Domain Resolution Order: idm.example.com:ad.example.com:subdomain1.ad.example.com:subdomain2.ad.example.com
...
With the domain resolution order set in this way, users from both the IdM domain and from the trusted AD forest can log in using short names only.

8.5.2.2. Setting the Domain Resolution Order for an ID view

Select this option to apply the setting only to a specific set of hosts: those to which the ID view is applied.
For example, on the server server.idm.example.com you observe many more logins from the subdomain2.ad.example.com subdomain than from subdomain1.ad.example.com, but the global resolution order searches subdomain1.ad.example.com before subdomain2.ad.example.com when resolving user names. To use a different order on particular hosts, set a domain resolution order in an ID view and apply that view to the hosts:
  1. Create an ID view with the domain resolution order option set:
    $ ipa idview-add example_view --desc "ID view for custom shortname resolution on server.idm.example.com" --domain-resolution-order subdomain2.ad.example.com:subdomain1.ad.example.com
    ---------------------------------
    Added ID View "example_view"
    ---------------------------------
    ID View Name: example_view
    Description: ID view for custom shortname resolution on server.idm.example.com
    Domain Resolution Order: subdomain2.ad.example.com:subdomain1.ad.example.com
  2. Apply the view on the clients. For example:
    $ ipa idview-apply example_view --hosts server.idm.example.com
    -----------------------------------
    Applied ID View "example_view"
    -----------------------------------
    hosts: server.idm.example.com
    ---------------------------------------------
    Number of hosts the ID View was applied to: 1
    ---------------------------------------------
For further information on ID views, see Chapter 8, Using ID Views in Active Directory Environments.

8.5.3. Configuring the Domain Resolution Order on an IdM Client

Set the domain resolution order on the client if you want to set it on a small number of clients, or if the clients are directly joined to AD. On an IdM client, a value set here overrides any ID view or global IdM setting for that client.
Set the domain_resolution_order option in the [sssd] section of the /etc/sssd/sssd.conf file, for example:
domain_resolution_order = subdomain1.ad.example.com, subdomain2.ad.example.com
For further information on configuring the domain_resolution_order option, see the sssd.conf(5) man page.
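The two rules this section relies on, the precedence between the three configuration locations from Section 8.5.1 and the first-match resolution of a short name against an ordered list of domains, are easy to get wrong when a local sssd.conf override is in play. The following shell script is an added example that simulates them offline; it is not code from the Red Hat guide, SSSD or IdM. The sssd.conf text, the domain names and the per-domain user lists are constructed stand-ins, and the assumption that domains omitted from the list are searched afterwards, in a fixed configured order, follows sssd.conf(5)'s statement that the list need not contain every domain.

```shell
#!/bin/sh
# Added example: simulates domain resolution order handling as described in
# Section 8.5. Not code from the Red Hat guide, SSSD or IdM; all inputs below
# are constructed.

# (1) Constructed client /etc/sssd/sssd.conf. The option belongs in [sssd].
CLIENT_SSSD_CONF='[sssd]
domains = idm.example.com
services = nss, pam
domain_resolution_order = subdomain1.ad.example.com, subdomain2.ad.example.com

[domain/idm.example.com]
id_provider = ipa
'

# Every domain the client knows about, in the order it would otherwise use
# (assumed fixed order for the simulation).
ALL_DOMAINS="idm.example.com ad.example.com subdomain1.ad.example.com subdomain2.ad.example.com"

# Pull domain_resolution_order out of the [sssd] section only; the same key in
# any other section is ignored. Accepts ',' (sssd.conf) or ':' (ipa) separators
# and prints the list space-separated, or nothing if the option is unset.
sssd_conf_resolution_order() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_sssd = ($0 == "[sssd]"); next }
        in_sssd && /^[[:space:]]*domain_resolution_order[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            gsub(/[[:space:]]*[,:][[:space:]]*/, " ")
            print; exit
        }'
}

# Precedence rule: local sssd.conf, then the ID view applied to the host,
# then the global IdM setting. The first non-empty source wins outright;
# the lists are never merged. Returns 1 when none of the three is set.
#   $1 = local sssd.conf text, $2 = ID view value, $3 = global IdM value
effective_order() {
    eo_local=$(sssd_conf_resolution_order "$1")
    for eo_src in "$eo_local" "$2" "$3"; do
        if [ -n "$eo_src" ]; then
            printf '%s\n' "$eo_src" | tr ',:' '  ' | tr -s ' '
            return 0
        fi
    done
    return 1
}

# Constructed user lists standing in for the IdM and AD directories.
users_in_domain() {
    case "$1" in
        idm.example.com)           echo "admin alice" ;;
        ad.example.com)            echo "bob" ;;
        subdomain1.ad.example.com) echo "alice carol" ;;
        subdomain2.ad.example.com) echo "carol dave" ;;
        *)                         echo "" ;;
    esac
}

# Resolve a short name: walk the listed domains in order, then the remaining
# known domains, and return the first match as user@domain. A name that exists
# in several domains quietly maps to whichever comes first in the sequence,
# which is why the Note above requires qualified names in that case.
#   $1 = short name, $2 = space-separated effective order
resolve_short_name() {
    rs_name=$1
    rs_seq=$2
    for rs_dom in $ALL_DOMAINS; do
        case " $rs_seq " in *" $rs_dom "*) ;; *) rs_seq="$rs_seq $rs_dom" ;; esac
    done
    for rs_dom in $rs_seq; do
        for rs_user in $(users_in_domain "$rs_dom"); do
            if [ "$rs_user" = "$rs_name" ]; then
                printf '%s@%s\n' "$rs_name" "$rs_dom"
                return 0
            fi
        done
    done
    return 1
}

# Walk-through: the local sssd.conf overrides both the ID view and the global
# setting, so "alice" resolves to the AD account rather than the IdM one.
show() {
    sh_order=$(effective_order "$CLIENT_SSSD_CONF" \
        "subdomain2.ad.example.com:subdomain1.ad.example.com" \
        "idm.example.com:ad.example.com:subdomain1.ad.example.com:subdomain2.ad.example.com")
    printf 'effective order: %s\n' "$sh_order"
    for sh_name in alice carol bob nobody; do
        resolve_short_name "$sh_name" "$sh_order" || printf '%s: no such user\n' "$sh_name"
    done
}
show
```

Run it as is and then change the local sssd.conf text to drop the domain_resolution_order line: the ID view value takes over, and "carol" moves from subdomain2.ad.example.com to subdomain1.ad.example.com only when that value is removed as well and the global list applies. The point for a practitioner is that the domain a short name lands on is decided by whichever of the three locations is consulted first, so HBAC, sudo or file ownership keyed on a short name should be checked against the effective order on the host that enforces it, not against the global setting alone.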