Linux server - AD authentication without specifying domain name

Asked by Kaffiend
Last Modified: 2018-11-06
OS: RedHat / CentOS

I can use realmd to allow specific Active Directory users/groups to log in to a Linux server.  
a1) The default behavior after joining AD and enabling these AD users to log in is: log in as ADUserName@mydomain.com, provide AD password when prompted, and you're in
b1) On login, the bash prompt looks like: ADUserName@mydomain.com@servername.  
c1) I add ADUserName@MYDOMAIN.COM to sudoers, and these users have admin rights if they need it
It all works just fine.

I had a request to make it so that AD users (users who can't bear to type a few more characters) could log in, using their AD password, but without having to specify the domain name.
So, I make a few changes to /etc/sssd/sssd.conf and it kinda works.  I think I'm missing something.
Now, it looks like this
a2) log in as ADUserName (note: not providing name of AD domain anymore), provide AD password when prompted, and you're logged in.  So far, so good
b2) the bash prompt looks like: ADUserName@servername.  Not ideal.  This is not a local user, IMO the bash prompt should include the AD domain name.  How do I change this back?
c2) the sudoers file had previously been modified to include ADUserName@mydomain.com.  Now, the logged-in AD user can no longer use sudo.  To fix this, I had to modify the sudoers file again, specifying ADUserName instead of ADUserName@MYDOMAIN.COM.  Again, far from ideal.  This might be confusing to anyone except the person who originally set this up - not good.

How do I allow AD users to log in as ADUserName (without having to specify the AD domain) and still have the system recognize the user as ADUserName@mydomain.com, especially when it comes to the sudoers file?


( I tried adding full_name_format = %1$s@%2$s to sssd.conf.  That didn't help )
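An added example, not the asker's actual file or anything posted in the replies, of an sssd.conf layout that gives the behaviour asked for: short-name logins, while the account the system sees stays fully qualified. The domain mydomain.com, the realm MYDOMAIN.COM and the section name are taken from the question as assumptions; the provider options are the ones realmd normally writes for an AD join and would already be present. The one setting the question does not mention is `default_domain_suffix` in the [sssd] section: it appends the domain to any login name that has no @domain part, while `use_fully_qualified_names` stays at its default of True so the resolved name is still ADUserName@mydomain.com. `full_name_format = %1$s@%2$s` is the default rendering of the qualified name; it only controls how that name is printed, which is why adding it alone changed nothing.

```ini
# /etc/sssd/sssd.conf (added example, not the asker's file; names are assumptions from the question)
[sssd]
domains = mydomain.com
services = nss, pam
config_file_version = 2

# Appended to any login name without an @domain part, so a login of
# "ADUserName" is looked up as "ADUserName@mydomain.com".
default_domain_suffix = mydomain.com

[domain/mydomain.com]
id_provider = ad
access_provider = ad
ad_domain = mydomain.com
krb5_realm = MYDOMAIN.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
ldap_id_mapping = True

# Keep the default (True): NSS, sudo and the bash \u prompt then all see
# ADUserName@mydomain.com, so existing sudoers entries keep matching.
use_fully_qualified_names = True

# Default format of the qualified name; changing this does not let the
# domain be omitted at login, default_domain_suffix does.
full_name_format = %1$s@%2$s
```

If the earlier sssd.conf change that produced the b2/c2 symptoms was `use_fully_qualified_names = False`, revert it: with that setting sssd returns the bare name, sudo matches sudoers entries against the name NSS returns for the invoking uid, so only `ADUserName` would match. After restarting sssd (`systemctl restart sssd`), `getent passwd ADUserName` and `id ADUserName` should both report ADUserName@mydomain.com, and the original sudoers line `ADUserName@mydomain.com ALL=(ALL) ALL` works again (check the file with `visudo -c`). A group-based rule such as `%linux-admins@mydomain.com ALL=(ALL) ALL` (linux-admins being a hypothetical AD group) avoids editing sudoers per user; group names are qualified the same way as user names.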

noci (Software Engineer, Certified Expert, Distinguished Expert 2019) commented:
For Bash & sudo the username is used, that is, the name you log in with, either with or without @domainname.
The username is the stuff you enter during login. Full name in unix is a different human-readable field.
 
sssd is a tool that will do an AD (= Kerberos) login to the Domain and will fill out the missing parts, e.g. the Domain Name, to authenticate.

Without the @domainname part in the username, sudo cannot recognize domains names like that.
(Maybe a better approach would be to insert users in a group and allow the group to authorize; I am not sure if AD groups can be used though, I never tried it.)
For the bash prompt, insert it in the PS1/PS2 strings in e.g. /etc/profile or .bashrc.
Shaun Vermaak (Senior Consultant, Certified Expert, Awarded 2017, Distinguished Expert 2019) commented:
Try ADUserName@Domain.com. It will look like a UPN and Domain.com will resolve to a DC using DNS round-robin.