Kaffiend (United States of America) asked on
Linux server - AD authentication without specifying domain name

OS: RedHat / CentOS

I can use realmd to allow specific Active Directory users/groups to log in to a Linux server.  
a1) The default behavior after joining AD and enabling these AD users to log in is: log in as ADUserName@mydomain.com, provide AD password when prompted, and you're in
b1) On login, the bash prompt looks like: ADUserName@mydomain.com@servername.  
c1) I add ADUserName@MYDOMAIN.COM to sudoers, and these users have admin rights if they need it
It all works just fine.

I had a request to make it so that AD users (users who can't bear to type a few more characters) could log in, using their AD password, but without having to specify the domain name.
So, I made a few changes to /etc/sssd/sssd.conf and it kinda works.  I think I'm missing something.
Now, it looks like this:
a2) log in as ADUserName (note: not providing name of AD domain anymore), provide AD password when prompted, and you're logged in.  So far, so good
b2) the bash prompt looks like: ADUserName@servername.  Not ideal.  This is not a local user, IMO the bash prompt should include the AD domain name.  How do I change this back?
c2) the sudoers file had previously been modified to include ADUserName@mydomain.com.  Now, the logged-in AD user can no longer use sudo.  To fix this, I had to modify the sudoers file again, specifying ADUserName instead of ADUserName@MYDOMAIN.COM.  Again, far from ideal.  This might be confusing to anyone except the person who originally set this up - not good.

How do I allow AD users to log in as ADUserName (without having to specify the AD domain) and still have the system recognize the user as ADUserName@mydomain.com, especially when it comes to the sudoers file?

(I tried adding full_name_format = %1$s@%2$s to sssd.conf. That didn't help.)
noci

For Bash & sudo the username is used: that is the name you log in with, either with or without @domainname.
The username is the string you enter during login. The full name in Unix is a different, human-readable field.

sssd is a tool that will do an AD (= Kerberos) login to the domain and will fill out the missing parts, e.g. the domain name, to authenticate.

Without the @domainname part in the username, sudo cannot recognize domain names like that.
(Maybe a better approach would be to put users in a group and allow the group to authorize; I am not sure if AD groups can be used, though, I never tried it.)
For the bash prompt, either insert it in the PS1/PS2 strings in e.g. /etc/profile or .bashrc
Try ADUserName@Domain.com. It will look like a UPN and Domain.com will resolve to a DC using DNS round-robin.
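One way to get both properties the question asks for (log in as ADUserName, but have the system treat the account as ADUserName@mydomain.com for the prompt and for sudoers), written here as an added example rather than anything posted in this thread: keep use_fully_qualified_names enabled and set default_domain_suffix in the [sssd] section, so that sssd itself qualifies a bare login name before looking it up. This also explains why the full_name_format attempt in the question had no visible effect: that option only controls how a fully qualified name is printed, and with use_fully_qualified_names = False no qualified name is printed at all. The domain, realm and user names below are placeholders, and the option list is a minimal sketch of what realm join typically writes, not a copy of any real server's configuration.

```ini
# /etc/sssd/sssd.conf (added example; mydomain.com, MYDOMAIN.COM and
# ADUserName are placeholders for the site's own values)
[sssd]
config_file_version = 2
services = nss, pam
domains = mydomain.com
# A login name without a domain part, e.g. "ADUserName", is looked up as
# ADUserName@mydomain.com. Local /etc/passwd accounts are unaffected because
# nsswitch consults "files" before "sss".
default_domain_suffix = mydomain.com

[domain/mydomain.com]
id_provider = ad
auth_provider = ad
access_provider = ad
krb5_realm = MYDOMAIN.COM
cache_credentials = True
# Keep qualified names in lookups: getpwnam("ADUserName") then returns an
# entry whose name field is ADUserName@mydomain.com, which is what the
# shell prompt (\u), whoami and sudoers matching all see.
use_fully_qualified_names = True
full_name_format = %1$s@%2$s
```

After restarting sssd, `getent passwd ADUserName` should print an entry whose first field is `ADUserName@mydomain.com`, and `id ADUserName` should resolve the same account. Because the name handed to the shell and to sudo is the qualified one, the prompt reads ADUserName@mydomain.com@servername again and the original sudoers line written with the qualified name keeps matching, so the sudoers file does not have to be rewritten. If the group-based approach noci mentions is preferred, the standard sudoers syntax for an AD group under this setup is `%domain\ admins@mydomain.com ALL=(ALL) ALL` (the backslash escapes the space in the group name). Two caveats: default_domain_suffix applies to every unqualified name sssd sees, so in a multi-domain forest users from other domains still have to type their full name, and any local account with the same short name as an AD account is still resolved first by /etc/passwd.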
ASKER CERTIFIED SOLUTION
Kaffiend (United States of America)