
There are essentially two parts to this question. I have a FreeIPA domain example.com with a few Fedora domain members. On each of these domain members, I'm able to sign in as a domain user without having to specify the domain name. For example, at the logon prompt I can enter "username" instead of "username@example.com". Once logged in, I'm able to use the id command to verify that I've logged in as a domain user, as opposed to a local one. The convenience of this feature is undeniable, but I don't understand why it works. So my first question is, why does this work?

Secondly, I've recently added a new Fedora machine to the domain, but I discovered that when I try to log on to it, I must specify the domain name at the logon prompt. The question here becomes, what must I do to replicate the functionality of the existing machines?

A quick glance through the sssd.conf man page led me to the "default_domain_suffix" option, but adding this to my new server's sssd.conf did not introduce the desired functionality. Also, this option is not present in my old servers' sssd.conf to begin with.

ADS103
  • I expect something went wrong while joining the new machine to the domain. What exactly that is, I'm not sure. – Michael Hampton Aug 10 '18 at 14:58
  • Well, this is a learning experience for me. Can you suggest any places I should start looking to troubleshoot? Basically point me in the right direction? – ADS103 Aug 10 '18 at 15:00
  • I'd try unjoining it and rejoining it to the domain. If that doesn't help, then I'd start reading logs. – Michael Hampton Aug 10 '18 at 15:02
  • Try the sssd.conf file on the client. Specifying the `default_domain_suffix` on the client may cause it to append the domain suffix. Since IPA can authenticate to multiple domains, it would make sense to allow setting the default on the client. – Jeter-work Aug 10 '18 at 19:01
  • I did. Sorry for the ambiguity, but when I said "new server" in the third paragraph of my question, I did mean the newly created FreeIPA client, which itself is a server, but for a different purpose. I felt it was worth noting that `default_domain_suffix` was unset on all other FreeIPA clients, which function as desired. I called these other clients my "old servers" in the question. There has only been one FreeIPA server, just "old" and "new" FreeIPA clients. – ADS103 Aug 10 '18 at 19:28
  • 1
    Check the `use_fully_qualified_names` setting in sssd.conf. –  Aug 10 '18 at 21:32
  • Bingo. `use_fully_qualified_names` was not on my old servers, but it was on my new one. Removing it from my new one's sssd.conf got me the desired functionality. If you make your comment an answer, I'll mark it as correct. – ADS103 Aug 12 '18 at 16:55

1 Answer


Depending on how you actually enroll clients, use_fully_qualified_names would be set or unset in the sssd.conf. If you are using ipa-client-install directly, it would be unset. If you are using realm join, then it would be set.

See this comment in FreeIPA issue 5350: https://pagure.io/freeipa/issue/5350#comment-510770 and, more importantly, a bug against realmd: https://bugzilla.redhat.com/show_bug.cgi?id=1575538

abbra