How to configure "shortnames" in IPA

Solution Verified - Updated -

Environment

  • IPA in a trust relationship with an AD forest
  • IPA 4.x
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9

Issue

IPA can resolve users and groups, and authenticate users, from the IPA domain and from every trusted AD domain using only the short name, without the domain component: for example, admin instead of admin@linux.mylab.local, or administrator instead of administrator@windows.mylab.local.

Resolution

One of the available options is to set the "Domain resolution order" parameter globally, either in the web UI on the "IPA Server" > "Configuration" tab or with ipa config-mod. The value is a colon-separated list of domains. A short name is looked up in each listed domain in turn and the first match wins, so list the IPA domain first unless AD users are deliberately meant to take precedence. A short name that exists in more than one domain silently resolves to the first listed domain, so check for such collisions before relying on short names for access decisions.

[root@ipasrv ~]# ipa config-mod --domain-resolution-order="linux.mylab.local:windows.mylab.local"
[root@ipasrv ~]# systemctl stop sssd ; rm -rf /var/log/sssd/* /var/lib/sss/{db,mc}/* ; systemctl start sssd

The second command clears the SSSD cache so that previously cached, fully qualified entries are not reused; removing /var/log/sssd/* only discards old logs and can be omitted. IPA clients resolve names through their own SSSD instance and pick the new order up from the IPA server, so restart SSSD (and clear its cache) on the clients as well.

Diagnostic Steps

After enabling this feature, short names resolve to the fully qualified identities shown below (the first listed domain in which the name exists wins):

[root@ipasrv ~]# id admin
uid=261800000(admin@linux.mylab.local) gid=261800000(admins@linux.mylab.local) groups=261800000(admins@linux.mylab.local)
[root@ipasrv ~]# id administrator | tr ',' '\n'
uid=702800500(administrator@windows.mylab.local) gid=702800500(administrator@windows.mylab.local) groups=702800500(administrator@windows.mylab.local)
702800518(schema admins@windows.mylab.local)
702800512(domain admins@windows.mylab.local)
702800513(domain users@windows.mylab.local)
702800519(enterprise admins@windows.mylab.local)
702800520(group policy creator owners@windows.mylab.local)
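The check implied by the resolution order and by the id output above, written as an added example that is not part of this article: for each short name it reports which domain wins under a given order and flags names that exist in more than one domain, since those are the ones that silently change identity if the order is ever changed. Lookups go through a resolve function that uses getent passwd with fully qualified names when RESOLVER=getent is set (a real SSSD lookup on an IPA client); by default it reads a constructed, purely illustrative fixture so the script can be tried without an IPA client. The ORDER and RESOLVER variables and the fixture are assumptions of this example, not IPA settings.

```shell
#!/bin/sh
# Report which domain wins for each short name under a domain resolution
# order, and flag short names that exist in more than one domain.
# Added example; not part of the article. POSIX sh, no bashisms.

# Same colon-separated format as ipa config-mod --domain-resolution-order.
ORDER="${ORDER:-linux.mylab.local:windows.mylab.local}"

# Constructed fixture (assumed data, not real accounts): one "name@domain"
# per line for entries that "exist". Only used when RESOLVER is not getent.
FIXTURE="admin@linux.mylab.local
administrator@windows.mylab.local
backup@linux.mylab.local
backup@windows.mylab.local"

# List the domains of ORDER one per line, in order.
domains() {
    printf '%s\n' "$ORDER" | tr ':' '\n'
}

# resolve NAME DOMAIN: print "name@domain" if the account exists, else
# print nothing and return 1. With RESOLVER=getent this is a real lookup
# through SSSD using the fully qualified name.
resolve() {
    name=$1
    domain=$2
    if [ "${RESOLVER:-fixture}" = "getent" ]; then
        entry=$(getent passwd "${name}@${domain}" | cut -d: -f1)
    else
        entry=$(printf '%s\n' "$FIXTURE" | grep -Fx "${name}@${domain}" || true)
    fi
    [ -n "$entry" ] && printf '%s\n' "$entry"
}

# first_match NAME: print the domain the short name resolves to under
# ORDER (first domain where it exists), or nothing and return 1.
first_match() {
    for d in $(domains); do
        if resolve "$1" "$d" >/dev/null; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    return 1
}

# collisions NAME...: print "name domain1 domain2 ..." for every short
# name that exists in more than one domain of ORDER.
collisions() {
    for name in "$@"; do
        hits=""
        n=0
        for d in $(domains); do
            if resolve "$name" "$d" >/dev/null; then
                hits="$hits $d"
                n=$((n + 1))
            fi
        done
        if [ "$n" -gt 1 ]; then
            printf '%s%s\n' "$name" "$hits"
        fi
    done
}

# Usage: [RESOLVER=getent] [ORDER=dom1:dom2] sh shortname-check.sh NAME...
if [ "$#" -gt 0 ]; then
    for name in "$@"; do
        printf '%s -> %s\n' "$name" "$(first_match "$name" || echo 'not found')"
    done
    collisions "$@"
fi
```

On an IPA client run it as RESOLVER=getent sh shortname-check.sh admin administrator backup; any line printed by collisions names an account whose short name maps to a different identity depending on the order, which is exactly the case to review before relying on short names in sudo rules, HBAC rules or file ownership.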