Avatar of Kaffiend
KaffiendFlag for United States of America asked on

Linux server - AD authentication without specifying domain name

OS: RedHat / CentOS

I can use realmd to allow specific Active Directory users/groups to log in to a Linux server.  
a1) The default behavior after joining AD and enabling these AD users to log in is: log in as ADUserName@mydomain.com, provide AD password when prompted, and you're in
b1) On login, the bash prompt looks like: ADUserName@mydomain.com@servername.  
c1) I add ADUserName@MYDOMAIN.COM to sudoers, and these users have admin rights if they need it
It all works just fine.

I had a request to make it so that (users who can't bear to type a few more characters) Ad users could log in, using their Ad password, but without having to specify the domain name
So, I make a few changes to /etc/sssd/sssd.conf and it kinda works.  I think I'm missing something.
Now, it looks like this
a2) log in as ADUserName (note: not providing name of AD domain anymore), provide AD password when prompted, and you're logged in.  So far, so good
b2) the bash prompt looks like: ADUserName@servername.  Not ideal.  This is not a local user, IMO the bash prompt should include the AD domain name.  How do I change this back?
c2) the sudoers file had previously been modified to include ADUserName@mydomain.com.  Now, the logged-in AD user can no longer use sudo.  To fix this, I had to modify the sudoers file again, specifying ADUserName instead of ADUserName@MYDOMAIN.COM.  Again, far from ideal.  This might be confusing to anyone except the person who originally set this up - not good.

How do I allow AD users to login as ADUserName (without having to specify the AD Domain) and still have the system recognize the user as ADUserName@mydomain.com, especially when it come to the sudoers file?


( I tried adding full_name_format = %1$s@%2$s to sssd.conf.  That didn't help )
Linux

Avatar of undefined
Last Comment
Kaffiend

8/22/2022 - Mon
noci

For Bash & sudo the username is used.... that is the name you login with.  either with or without @domainname....
The username is the stuff you enter during login. Full name in unix is a different human readable field.
 
sssd is a tools that will do a AD (= Kerberos) login to the Domain and will will fill out the missing parts f.e. the Domain Name to authenticate.

Without the @domainname part in the username, sudo cannot recognize domains names like that.
(Maybe a better approach would be to insert users in a group and allow the group to authorize, i am not sure if AD groups can be used though i never tried it).
For the bash prompt..., either insert it in the PS1/PS2 strings in f.e. /etc/profile or .bashrc
Shaun Vermaak

Try ADUserName@Domain.com. It will look link a UPN and Domain.com will resolve to a DC using DNS round-robin
ASKER CERTIFIED SOLUTION
Kaffiend

Log in or sign up to see answer
Become an EE member today7-DAY FREE TRIAL
Members can start a 7-Day Free trial then enjoy unlimited access to the platform
Sign up - Free for 7 days
or
Learn why we charge membership fees
We get it - no one likes a content blocker. Take one extra minute and find out why we block content.
See how we're fighting big data
Not exactly the question you had in mind?
Sign up for an EE membership and get your own personalized solution. With an EE membership, you can ask unlimited troubleshooting, research, or opinion questions.
ask a question
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes