-
Notifications
You must be signed in to change notification settings - Fork 247
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Can't set up login as "User logon name" #5254
Comments
This sounds like a problem I ran into recently and described here: Namely, we have AD users where the domain in their The actual Kerberos TGT is always issued for the "implicit UPN" which is formed as |
Yes sounds like you're having a same issue. The problem is that users don't login to their Windows machines using samaccountname, they use the first part of eUPN. They should be able to use the same login for Linux machines, otherwise it's going to be a mess. I don't know how but VAS does it - SSSD should be able too. |
Hi, SSSD treats only the full value of the You said:
Does this mean that e.g. ldapsearch only returns bye, |
Hi Sumit, No, ldapsearch returns with the suffix. I'm attaching a screenshot as an example, so ldapsearch I would see "bella@deborah.com" but user should be able to login as "bella" without typing the whole thing. Thanks |
Hi, thanks for the clarification. As said before this is currently expected behavior, the UPN is always treated as a whole so SSSD only relies on information available in LDAP. So if there is a different LDAP attribute which contains only the expected short name (without and domain suffix) for all users this can as a replacement for the default I guess VAS is using RPC calls like e.g. bye, |
Thanks Sumit for the explanation, I'll have to search for a workaround. |
I'm trying to set up SSSD so the users could authenticate against AD using their logon names. In ADUC I can see it as "User logon name", in LDAP it is UPN without suffix. I can't use samaccountname for these purposes because sometimes it doesn't match user logon name.
Our AD structure is something like this:
Domain: ad.corpdomain.com
UPN: domainuser5@company.com (same as email - but it's different than domain name)
Samaccountname: domainuser
It looks like SSSD is unable to separate username from the suffix in UPN so I could authenticate as domainuser5, it always needs "domainuser5@company.com".
In sssd.conf I have following:
ldap_user_name = UserPrincipalName
*_provider = ad (all providers set to ad)
use_fully_qualified_names = false
If I run "id domainuser5" it says user doesn't exist, if I run "id domainuser@company.com" it's successful but I don't want that domain part. Since we have only 1 enterprise domain suffix I don't care about overlapping.
I would like to know if it's possible to configure SSSD so I could user domainuser5 everywhere, if yes - how. Currently VAS can do that, I'm trying to replace it with SSSD.
Thanks!
The text was updated successfully, but these errors were encountered: