OS: RedHat / CentOS
I can use realmd to allow specific Active Directory users/groups to log in to a Linux server.
a1) The default behavior after joining AD and enabling these AD users to log in is: log in as ADUserName@mydomain.com, provide the AD password when prompted, and you're in.
b1) On login, the bash prompt looks like: ADUserName@mydomain.com@servername.
c1) I add ADUserName@MYDOMAIN.COM to sudoers, and these users have admin rights if they need them.
It all works just fine.
I had a request to make it so that AD users (who can't bear to type a few more characters) could log in using their AD password, but without having to specify the domain name.
So, I made a few changes to /etc/sssd/sssd.conf and it kinda works. I think I'm missing something.
Now it looks like this:
a2) log in as ADUserName (note: not providing name of AD domain anymore), provide AD password when prompted, and you're logged in. So far, so good
b2) the bash prompt looks like: ADUserName@servername. Not ideal. This is not a local user, IMO the bash prompt should include the AD domain name. How do I change this back?
c2) the sudoers file had previously been modified to include ADUserName@mydomain.com. Now, the logged-in AD user can no longer use sudo. To fix this, I had to modify the sudoers file again, specifying ADUserName instead of ADUserName@MYDOMAIN.COM. Again, far from ideal. This might be confusing to anyone except the person who originally set this up - not good.
How do I allow AD users to log in as ADUserName (without having to specify the AD domain) and still have the system recognize the user as ADUserName@mydomain.com, especially when it comes to the sudoers file?
(I tried adding full_name_format = %1$s@%2$s to sssd.conf. That didn't help.)
The username is the stuff you enter during login. The full name in Unix is a different, human-readable field.
sssd is a tool that will do an AD (= Kerberos) login to the domain and will fill out the missing parts, e.g. the domain name, to authenticate.
Without the @domainname part in the username, sudo cannot recognize domain names like that.
(Maybe a better approach would be to insert the users in a group and allow the group to authorize; I am not sure if AD groups can be used, though, as I never tried it.)
For the bash prompt, insert it in the PS1/PS2 strings in, e.g., /etc/profile or .bashrc.
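An added example, not code from the question or the answer: it puts the two sssd.conf options the question turns on (full_name_format, which is on the page, and use_fully_qualified_names, the SSSD domain option that switches between ADUserName@mydomain.com and plain ADUserName logins) next to the two things the answer suggests, a group-based sudoers rule and a PS1 that shows the AD domain again. The sssd.conf text is constructed; the domain mydomain.com and the user ADUserName are taken from the question; the group name "linux admins" is a made-up placeholder. The functions parse the config text rather than talk to a live SSSD, so the script runs offline.

```shell
#!/bin/sh
# Added example, not code from the question or the answer above.
# Assumptions (labelled): the domain is "mydomain.com" as in the question;
# "use_fully_qualified_names" is the SSSD domain option that decides whether
# logins (and the names NSS reports) carry the @domain suffix; "%group" is
# standard sudoers syntax for a group rule.  The sssd.conf text is constructed.

SSSD_CONF_SAMPLE='[sssd]
domains = mydomain.com
services = nss, pam

[domain/mydomain.com]
id_provider = ad
access_provider = ad
# False: users log in as ADUserName, and getent/id then report the short name
# too, which is why a sudoers entry for ADUserName@MYDOMAIN.COM stops matching.
use_fully_qualified_names = False
# Shape of a qualified name when one is produced; %1$s@%2$s is already the
# SSSD default, so adding this line alone changes nothing.
full_name_format = %1$s@%2$s
'

# Print the first joined domain named in an sssd.conf body read from stdin.
sssd_domain() {
    sed -n 's/^\[domain\/\([^]]*\)\]/\1/p' | head -n 1
}

# Print "yes" when the config on stdin makes logins use short (unqualified) names.
sssd_short_names() {
    if grep -i '^[[:space:]]*use_fully_qualified_names[[:space:]]*=[[:space:]]*false' >/dev/null; then
        echo yes
    else
        echo no
    fi
}

# Prompt string with the AD domain put back, as the answer suggests for PS1:
# $1 = login name, $2 = AD domain, $3 = short hostname.  "\$" is left for bash
# to turn into "$" or "#" at display time.
ad_prompt() {
    printf '%s@%s@%s\\$ ' "$1" "$2" "$3"
}

# sudoers group rule for an AD group as NSS shows it; spaces in AD group names
# must be backslash-escaped in sudoers ("%linux\ admins ALL=(ALL) ALL").
sudoers_group_rule() {
    escaped=$(printf '%s' "$1" | sed 's/ /\\ /g')
    printf '%%%s ALL=(ALL) ALL\n' "$escaped"
}

# Stand-alone demonstration against the constructed config.
main() {
    domain=$(printf '%s' "$SSSD_CONF_SAMPLE" | sssd_domain)
    echo "joined domain:         $domain"
    echo "short login names:     $(printf '%s' "$SSSD_CONF_SAMPLE" | sssd_short_names)"
    echo "prompt for ADUserName: $(ad_prompt ADUserName "$domain" servername)"
    echo "sudoers rule:          $(sudoers_group_rule 'linux admins')"
}

main
```

Two practical notes. sudo resolves groups through NSS, so an AD group that SSSD exposes (check with getent group) works in a %group rule and keeps working whichever name form use_fully_qualified_names selects, which avoids rewriting per-user entries. For the prompt, /etc/sssd/sssd.conf is root-only (mode 0600), so a script in /etc/profile.d cannot parse it at login as a normal user; embed the domain there instead, and limit the change to SSSD users with a test such as getent -s sss passwd "$USER" so local accounts keep their usual prompt.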