Kaffiend (United States of America) asked:
Linux server - AD authentication without specifying domain name

OS: RedHat / CentOS

I can use realmd to allow specific Active Directory users/groups to log in to a Linux server.
a1) The default behavior after joining AD and enabling these AD users to log in is: log in as ADUserName@mydomain.com, provide the AD password when prompted, and you're in.
b1) On login, the bash prompt looks like: ADUserName@mydomain.com@servername.
c1) I add ADUserName@MYDOMAIN.COM to sudoers, and these users have admin rights if they need them.
It all works just fine.

I had a request to make it so that AD users (users who can't bear to type a few more characters) could log in, using their AD password, but without having to specify the domain name.
So, I made a few changes to /etc/sssd/sssd.conf and it kind of works. I think I'm missing something.
Now, it looks like this:
a2) Log in as ADUserName (note: not providing the name of the AD domain anymore), provide the AD password when prompted, and you're logged in. So far, so good.
b2) The bash prompt looks like: ADUserName@servername. Not ideal. This is not a local user; IMO the bash prompt should include the AD domain name. How do I change this back?
c2) The sudoers file had previously been modified to include ADUserName@mydomain.com. Now, the logged-in AD user can no longer use sudo. To fix this, I had to modify the sudoers file again, specifying ADUserName instead of ADUserName@MYDOMAIN.COM. Again, far from ideal. This might be confusing to anyone except the person who originally set this up - not good.

How do I allow AD users to log in as ADUserName (without having to specify the AD domain) and still have the system recognize the user as ADUserName@mydomain.com, especially when it comes to the sudoers file?

(I tried adding full_name_format = %1$s@%2$s to sssd.conf. That didn't help.)

noci

For Bash and sudo the username is used: that is the name you log in with, either with or without @domainname.
The username is what you enter during login. The full name in Unix is a different, human-readable field.
sssd is a tool that will do an AD (= Kerberos) login to the domain and will fill out the missing parts, e.g. the domain name, to authenticate.

Without the @domainname part in the username, sudo cannot recognize domain names like that.
(Maybe a better approach would be to put users in a group and allow the group to authorize. I am not sure if AD groups can be used, though; I never tried it.)
For the bash prompt, insert it in the PS1/PS2 strings in e.g. /etc/profile or .bashrc.
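One way to get what the question asks for (short login name, but a fully qualified canonical name that the prompt's \u and the sudoers file see), together with the group-based sudoers rule noci suggests. This is an added example, not the thread's accepted solution or a configuration anyone in the thread posted; the file layout, the id_provider/access_provider settings, the lowercase user name and the AD group name linux-admins are assumptions for illustration, and mydomain.com is the placeholder domain from the question.

```ini
# /etc/sssd/sssd.conf (assumed layout)

[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam
# Appended to any login name that has no domain part, so a login as
# "ADUserName" is resolved as ADUserName@mydomain.com, while the name the
# system reports (getent, whoami, PS1's \u, sudoers matching) stays
# fully qualified.
default_domain_suffix = mydomain.com

[domain/mydomain.com]
id_provider = ad
access_provider = ad
# Keep this True (the realm join default). Setting it to False is the usual
# "kind of works" change: it turns the short name into the canonical name,
# which is why the prompt and the sudoers entry lost the domain part.
use_fully_qualified_names = True

# /etc/sudoers.d/ad-admins (assumed file; edit it with visudo -f /etc/sudoers.d/ad-admins)
# Names must match what `getent passwd` returns. The AD provider is
# case-insensitive by default and returns lowercase names.
adusername@mydomain.com      ALL=(ALL) ALL
# Group-based rule, assumed AD group "linux-admins". Spaces in a group
# name must be escaped with a backslash in sudoers.
%linux-admins@mydomain.com   ALL=(ALL) ALL
```

After changing sssd.conf, restart the service and clear the cache (`systemctl restart sssd`, `sss_cache -E`), then check that both `getent passwd ADUserName` and `getent passwd adusername@mydomain.com` print the same fully qualified entry, and that `sudo -l -U adusername@mydomain.com` lists the rule. If `getent` with the short name returns nothing, the suffix is not being applied and PAM login without the domain will fail too.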
Shaun Vermaak (Australia)

Try ADUserName@Domain.com. It will look like a UPN, and Domain.com will resolve to a DC using DNS round-robin.
Kaffiend
