Chapter 47. Configuring the domain resolution order to resolve short AD user names
By default, you must specify fully qualified names in the format user_name@domain.com or domain.com\user_name to resolve and authenticate users and groups from an Active Directory (AD) environment. The following sections describe how to configure IdM servers and clients to resolve short AD usernames and group names.
47.1. How domain resolution order works
In Identity Management (IdM) environments with an Active Directory (AD) trust, Red Hat recommends that you resolve and authenticate users and groups by specifying their fully qualified names. For example:
- <idm_username>@idm.example.com for IdM users from the idm.example.com domain
- <ad_username>@ad.example.com for AD users from the ad.example.com domain
By default, if you perform user or group lookups using the short name format, such as ad_username, IdM only searches the IdM domain and fails to find the AD users or groups. To resolve AD users or groups using short names, change the order in which IdM searches multiple domains by setting the domain resolution order option.
You can set the domain resolution order centrally in the IdM database or in the SSSD configuration of individual clients. IdM evaluates domain resolution order in the following order of priority:
- The local /etc/sssd/sssd.conf configuration.
- The ID view configuration.
- The global IdM configuration.
Notes
- You must use fully qualified usernames if the SSSD configuration on the host includes the default_domain_suffix option and you want to make a request to a domain not specified with this option.
- If you use the domain resolution order option and query the compat tree, you might receive multiple user IDs (UIDs). If this might affect you, see the Pagure bug report Inconsistent compat user objects for AD users when domain resolution order is set.
- Do not use the full_name_format SSSD option on IdM clients or IdM servers. Using a non-default value for this option changes how usernames are displayed and might disrupt lookups in an IdM environment.
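The precedence described above (local /etc/sssd/sssd.conf first, then the ID view, then the global IdM configuration) as an added shell example; this is not part of the Red Hat documentation or of SSSD itself. It parses the [sssd] section of an sssd.conf file, falls through to the ID view and global values, which are passed in as arguments because reading them needs a live IdM server (ipa idview-show and ipa config-show), and flags the two options the notes warn about. The sssd.conf contents are constructed for the example. It also normalises the two list formats the chapter uses, the comma-separated form in sssd.conf and the colon-separated form on the ipa command line, so the three sources can be compared.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: work out which
# domain_resolution_order a host will actually use by applying the
# precedence the chapter describes (local sssd.conf, then ID view, then
# global IdM configuration), and flag the two SSSD options the notes warn
# about. The sssd.conf contents below are constructed for the example.

# Print one key from one [section] of an INI-style file such as sssd.conf.
# Prints nothing if the key is not set in that section; commented-out
# lines (#key = ...) do not match.
ini_get() {
    file=$1 section=$2 key=$3
    awk -v sec="[$section]" -v key="$key" '
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); in_sec = (s == sec); next }
        in_sec && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$file"
}

# sssd.conf separates domains with commas, ipa with colons; normalise to the
# colon form so the three sources can be compared.
normalize_order() {
    printf '%s\n' "$1" | tr ',' ':' | tr -d '[:blank:]'
}

# Usage: effective_order <sssd.conf> <idview order or ''> <global order or ''>
# Prints "<source> <order>", where source is local, idview or global, or
# "none" when no order is set anywhere. The ID view and global values are
# passed in because obtaining them needs a live IdM server
# (ipa idview-show / ipa config-show).
effective_order() {
    conf=$1 idview_order=$2 global_order=$3
    local_order=$(ini_get "$conf" sssd domain_resolution_order)
    if [ -n "$local_order" ]; then
        printf 'local %s\n' "$(normalize_order "$local_order")"
    elif [ -n "$idview_order" ]; then
        printf 'idview %s\n' "$(normalize_order "$idview_order")"
    elif [ -n "$global_order" ]; then
        printf 'global %s\n' "$(normalize_order "$global_order")"
    else
        printf 'none\n'
    fi
}

# Flag settings the chapter's notes warn about. Messages go to stderr; the
# number of findings is printed on stdout.
check_warnings() {
    conf=$1 n=0
    v=$(ini_get "$conf" sssd default_domain_suffix)
    if [ -n "$v" ]; then
        echo "WARN: default_domain_suffix=$v; requests to other domains need fully qualified names" >&2
        n=$((n + 1))
    fi
    if grep -Eq '^[[:space:]]*full_name_format[[:space:]]*=' "$conf"; then
        echo "WARN: full_name_format is set; do not use it on IdM clients or servers" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Constructed sample: client2 from section 47.4, with a local override.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = idm.example.com
services = nss, pam, ssh, sudo
domain_resolution_order = subdomain1.ad.example.com, ad.example.com, idm.example.com

[domain/idm.example.com]
id_provider = ipa
ipa_server = server.idm.example.com
EOF

# Constructed sample: a client with no local override and default_domain_suffix set.
SAMPLE_CONF_NOLOCAL=$(mktemp)
cat > "$SAMPLE_CONF_NOLOCAL" <<'EOF'
[sssd]
domains = idm.example.com
services = nss, pam
default_domain_suffix = idm.example.com

[domain/idm.example.com]
id_provider = ipa
EOF
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_CONF_NOLOCAL"' EXIT

GLOBAL_ORDER='ad.example.com:subdomain1.ad.example.com:idm.example.com'   # the order set in section 47.2

effective_order "$SAMPLE_CONF" '' "$GLOBAL_ORDER"          # local setting wins
effective_order "$SAMPLE_CONF_NOLOCAL" '' "$GLOBAL_ORDER"  # no local or ID view value: global applies
check_warnings "$SAMPLE_CONF_NOLOCAL"
```

Run it against a copy of a client's /etc/sssd/sssd.conf (the file is root-only) to see which source a host is really honouring; a host whose lookups disagree with the global order usually has a local override or an ID view applied, and this is the quickest way to tell which.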
47.2. Setting the global domain resolution order on an IdM server
This procedure sets the domain resolution order for all the clients in the IdM domain. This example sets the domain resolution order to search for users and groups in the following order:
- Active Directory (AD) root domain ad.example.com
- AD child domain subdomain1.ad.example.com
- IdM domain idm.example.com
Prerequisites
- You have configured a trust with an AD environment.
Procedure
Use the ipa config-mod --domain-resolution-order command to list the domains to be searched in your preferred order. Separate the domains with a colon (:).

    [user@server ~]$ ipa config-mod --domain-resolution-order='ad.example.com:subdomain1.ad.example.com:idm.example.com'
      Maximum username length: 32
      Home directory base: /home
      ...
      Domain Resolution Order: ad.example.com:subdomain1.ad.example.com:idm.example.com
      ...
Verification steps
Verify you can retrieve user information for a user from the ad.example.com domain using only a short name.

    [root@client ~]# id <ad_username>
    uid=1916901102(ad_username) gid=1916900513(domain users) groups=1916900513(domain users)
47.3. Setting the domain resolution order for an ID view on an IdM server
This procedure sets the domain resolution order for an ID view that you can apply to a specific set of IdM servers and clients. This example creates an ID view named ADsubdomain1_first for IdM host client1.idm.example.com, and sets the domain resolution order to search for users and groups in the following order:
- Active Directory (AD) child domain subdomain1.ad.example.com
- AD root domain ad.example.com
- IdM domain idm.example.com
The domain resolution order set in an ID view overrides the global domain resolution order, but it does not override any domain resolution order set locally in the SSSD configuration.
Prerequisites
- You have configured a trust with an AD environment.
Procedure
Create an ID view with the --domain-resolution-order option set.

    [user@server ~]$ ipa idview-add ADsubdomain1_first --desc "ID view for resolving AD subdomain1 first on client1.idm.example.com" --domain-resolution-order subdomain1.ad.example.com:ad.example.com:idm.example.com
    ---------------------------------
    Added ID View "ADsubdomain1_first"
    ---------------------------------
      ID View Name: ADsubdomain1_first
      Description: ID view for resolving AD subdomain1 first on client1.idm.example.com
      Domain Resolution Order: subdomain1.ad.example.com:ad.example.com:idm.example.com
Apply the ID view to IdM hosts.

    [user@server ~]$ ipa idview-apply ADsubdomain1_first --hosts client1.idm.example.com
    -----------------------------------
    Applied ID View "ADsubdomain1_first"
    -----------------------------------
      hosts: client1.idm.example.com
    ---------------------------------------------
    Number of hosts the ID View was applied to: 1
    ---------------------------------------------
Verification steps
Display the details of the ID view.

    [user@server ~]$ ipa idview-show ADsubdomain1_first --show-hosts
      ID View Name: ADsubdomain1_first
      Description: ID view for resolving AD subdomain1 first on client1.idm.example.com
      Hosts the view applies to: client1.idm.example.com
      Domain resolution order: subdomain1.ad.example.com:ad.example.com:idm.example.com
Verify you can retrieve user information for a user from the subdomain1.ad.example.com domain using only a short name.

    [root@client1 ~]# id <user_from_subdomain1>
    uid=1916901106(user_from_subdomain1) gid=1916900513(domain users) groups=1916900513(domain users)
47.4. Setting the domain resolution order in SSSD on an IdM client
This procedure sets the domain resolution order in the SSSD configuration on an IdM client. This example configures IdM host client2.idm.example.com to search for users and groups in the following order:
- Active Directory (AD) child domain subdomain1.ad.example.com
- AD root domain ad.example.com
- IdM domain idm.example.com
The domain resolution order in the local SSSD configuration overrides any global and ID view domain resolution order.
Prerequisites
- You have configured a trust with an AD environment.
Procedure
- Open the /etc/sssd/sssd.conf file in a text editor.
- Set the domain_resolution_order option in the [sssd] section of the file.

    domain_resolution_order = subdomain1.ad.example.com, ad.example.com, idm.example.com

- Save and close the file.
- Restart the SSSD service to load the new configuration settings.

    [root@client2 ~]# systemctl restart sssd
Verification steps
Verify you can retrieve user information for a user from the subdomain1.ad.example.com domain using only a short name.

    [root@client2 ~]# id <user_from_subdomain1>
    uid=1916901106(user_from_subdomain1) gid=1916900513(domain users) groups=1916900513(domain users)
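The edit in the procedure above, done from a script rather than a text editor, as an added shell example that is not part of the Red Hat documentation or of SSSD. It sets domain_resolution_order in the [sssd] section of an sssd.conf file in a way that is safe to run repeatedly (an existing value is replaced, never duplicated, and other sections are left alone), keeps a backup, accepts the order in either the ipa colon form or the sssd.conf comma form, and reads the value back before SSSD is restarted. The file path and contents are constructed for the example; on a real client the file is /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example, not part of the Red Hat documentation: set
# domain_resolution_order in the [sssd] section of an sssd.conf file in a
# repeatable way (safe to run twice), keep a backup, and read the value back
# before the service is restarted. The file path and contents are
# constructed for the example; on a real client the file is /etc/sssd/sssd.conf.

# Usage: set_domain_resolution_order <sssd.conf> <order>
# <order> may use the ipa colon form or the sssd.conf comma form; it is
# written in the comma form the chapter shows for sssd.conf.
set_domain_resolution_order() {
    conf=$1
    order=$(printf '%s' "$2" | tr ':' ',' | sed 's/,[[:space:]]*/, /g')
    cp -p "$conf" "$conf.bak" || return 1   # restorable copy, same mode and owner
    # Rewrite from the backup into the existing file: truncating rather than
    # replacing the file keeps sssd.conf's root-only mode, which SSSD requires.
    awk -v order="$order" '
        /^[[:space:]]*\[/ {
            s = $0; gsub(/[[:space:]]/, "", s)
            in_sssd = (s == "[sssd]")
            print
            # Put the key directly under the [sssd] header, exactly once.
            if (in_sssd && !done) { print "domain_resolution_order = " order; done = 1 }
            next
        }
        # Drop any previous value(s) of the key, inside [sssd] only.
        in_sssd && /^[[:space:]]*domain_resolution_order[[:space:]]*=/ { next }
        { print }
        END {
            # No [sssd] section at all: append one.
            if (!done) { print ""; print "[sssd]"; print "domain_resolution_order = " order }
        }
    ' "$conf.bak" > "$conf"
}

# Print the value currently set in the [sssd] section (nothing if unset).
get_domain_resolution_order() {
    awk '
        /^[[:space:]]*\[/ { s = $0; gsub(/[[:space:]]/, "", s); in_sssd = (s == "[sssd]"); next }
        in_sssd && /^[[:space:]]*domain_resolution_order[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# Constructed sample sssd.conf for client2, currently searching IdM only.
CONF=$(mktemp)
cat > "$CONF" <<'EOF'
[sssd]
domains = idm.example.com
services = nss, pam, ssh, sudo
domain_resolution_order = idm.example.com

[domain/idm.example.com]
id_provider = ipa
ipa_server = server.idm.example.com
EOF
trap 'rm -f "$CONF" "$CONF.bak"' EXIT

# The same order as section 47.4, given here in the ipa colon form.
set_domain_resolution_order "$CONF" 'subdomain1.ad.example.com:ad.example.com:idm.example.com'
get_domain_resolution_order "$CONF"
# On a real client, restart SSSD afterwards: systemctl restart sssd
```

After writing the real file, run sssctl config-check (from the sssd-tools package) before systemctl restart sssd, so that a typo or a lost file mode is caught while the old configuration is still serving lookups; the read-back function gives you the value to compare against the id output in the verification step.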