Este conteúdo não está disponível no idioma selecionado.

Chapter 49. Configuring the domain resolution order to resolve short AD user names


By default, you must specify fully qualified names in the format user_name@domain.com or domain.com\user_name to resolve and authenticate users and groups from an Active Directory (AD) environment. Learn how to configure IdM servers and clients to resolve short AD usernames and group names.

49.1. How domain resolution order works

In Identity Management (IdM) environments with an Active Directory (AD) trust, Red Hat recommends that you resolve and authenticate users and groups by specifying their fully qualified names. For example:

  • <idm_username>@idm.example.com for IdM users from the idm.example.com domain
  • <ad_username>@ad.example.com for AD users from the ad.example.com domain

By default, if you perform user or group lookups using the short name format, such as ad_username, IdM only searches the IdM domain and fails to find the AD users or groups. To resolve AD users or groups using short names, change the order in which IdM searches multiple domains by setting the domain resolution order option.

You can set the domain resolution order centrally in the IdM database or in the SSSD configuration of individual clients. IdM evaluates domain resolution order in the following order of priority:

  • The local /etc/sssd/sssd.conf configuration.
  • The ID view configuration.
  • The global IdM configuration.

Important considerations

  • You must use fully qualified usernames if the SSSD configuration on the host includes the default_domain_suffix option and you want to make a request to a domain not specified with this option.
  • If you use the domain resolution order option and query the compat tree, you might receive multiple user IDs (UIDs). If this might affect you, see Pagure bug report Inconsistent compat user objects for AD users when domain resolution order is set.
Important

Do not use the full_name_format SSSD option on IdM clients or IdM servers. Using a non-default value for this option changes how usernames are displayed and might disrupt lookups in an IdM environment.

49.2. Setting the global domain resolution order on an IdM server

This procedure sets the domain resolution order for all the clients in the IdM domain. This example sets the domain resolution order to search for users and groups in the following order:

  1. Active Directory (AD) root domain ad.example.com
  2. AD child domain subdomain1.ad.example.com
  3. IdM domain idm.example.com

Prerequisites

  • You have configured a trust with an AD environment.

Procedure

  • Use the ipa config-mod --domain-resolution-order command to list the domains to be searched in your preferred order. Separate the domains with a colon (:).

    [user@server ~]$ ipa config-mod --domain-resolution-order='ad.example.com:subdomain1.ad.example.com:idm.example.com'
    Maximum username length: 32
    Home directory base: /home
    ...
      Domain Resolution Order: ad.example.com:subdomain1.ad.example.com:idm.example.com
    ...
    Copy to Clipboard Toggle word wrap

Verification

  • Verify you can retrieve user information for a user from the ad.example.com domain using only a short name.

    [root@client ~]# id <ad_username>
    uid=1916901102(ad_username) gid=1916900513(domain users) groups=1916900513(domain users)
    Copy to Clipboard Toggle word wrap

49.3. Setting the domain resolution order for an ID view on an IdM server

This procedure sets the domain resolution order for an ID view that you can apply to a specific set of IdM servers and clients. This example creates an ID view named ADsubdomain1_first for IdM host client1.idm.example.com, and sets the domain resolution order to search for users and groups in the following order:

  1. Active Directory (AD) child domain subdomain1.ad.example.com
  2. AD root domain ad.example.com
  3. IdM domain idm.example.com
Note

The domain resolution order set in an ID view overrides the global domain resolution order, but it does not override any domain resolution order set locally in the SSSD configuration.

Prerequisites

  • You have configured a trust with an AD environment.

Procedure

  1. Create an ID view with the --domain-resolution-order option set.

    [user@server ~]$ ipa idview-add ADsubdomain1_first --desc "ID view for resolving AD subdomain1 first on client1.idm.example.com" --domain-resolution-order subdomain1.ad.example.com:ad.example.com:idm.example.com
    ---------------------------------
    Added ID View "ADsubdomain1_first"
    ---------------------------------
    ID View Name: ADsubdomain1_first
    Description: ID view for resolving AD subdomain1 first on client1.idm.example.com
    Domain Resolution Order: subdomain1.ad.example.com:ad.example.com:idm.example.com
    Copy to Clipboard Toggle word wrap
  2. Apply the ID view to IdM hosts.

    [user@server ~]$ ipa idview-apply ADsubdomain1_first --hosts client1.idm.example.com
    -----------------------------------
    Applied ID View "ADsubdomain1_first"
    -----------------------------------
      hosts: client1.idm.example.com
    ---------------------------------------------
    Number of hosts the ID View was applied to: 1
    ---------------------------------------------
    Copy to Clipboard Toggle word wrap

Verification

  1. Display the details of the ID view.

    [user@server ~]$ ipa idview-show ADsubdomain1_first --show-hosts
      ID View Name: ADsubdomain1_first
      Description: ID view for resolving AD subdomain1 first on client1.idm.example.com
      Hosts the view applies to: client1.idm.example.com
      Domain resolution order: subdomain1.ad.example.com:ad.example.com:idm.example.com
    Copy to Clipboard Toggle word wrap
  2. Verify you can retrieve user information for a user from the subdomain1.ad.example.com domain using only a short name.

    [root@client1 ~]# id <user_from_subdomain1>
    uid=1916901106(user_from_subdomain1) gid=1916900513(domain users) groups=1916900513(domain users)
    Copy to Clipboard Toggle word wrap

49.4. Using Ansible to create an ID view with a domain resolution order

You can use the ansible-freeipa idview module to add, modify, and delete ID views in your Identity Management (IdM) deployment. For example, you can create an ID view with a domain resolution order to enable short name notation.

Short name notation substitutes a full user name from Active Directory (AD), such as aduser05@ad.example.com, with a short login, in this case aduser05. That means that when using SSH to log in to an IdM client, aduser05 can enter ssh aduser05@client.idm.example.com instead of ssh aduser05@ad.example.com@client.idm.example.com. The same applies to other commands, such as id.

Complete this procedure to use Ansible to:

  • Define a string of colon-separated domains used for short name qualification. In the example, the string is ad.example.com:idm.example.com.
  • Create an ID view that instructs SSSD to first search a user name in the first domain identified in the string. In the example, this is ad.example.com.
  • Apply the ID view to a specific host. In the example, this is testhost.idm.example.com.
Note

You can apply only one ID view to an IdM client. Applying a new ID view automatically removes the previous ID view, if applicable.

Prerequisites

  • On the control node:

    • You are using Ansible version 2.15 or later.
    • You have installed the freeipa.ansible_freeipa collection.
    • The example assumes that in the ~/MyPlaybooks/ directory, you have created an Ansible inventory file with the fully-qualified domain name (FQDN) of the IdM server.
    • The example assumes that the secret.yml Ansible vault stores your ipaadmin_password and that you have access to a file that stores the password protecting the secret.yml file.
  • The target node, that is the node on which the freeipa.ansible_freeipa module is executed, is part of the IdM domain as an IdM client, server or replica.

Procedure

  1. Navigate to your ~/MyPlaybooks/ directory and create an Ansible playbook file add-id-view-with-domain-resolution-order.yml with the following content:

    ---
    - name: Playbook to add idview and apply it to an IdM client
      hosts: ipaserver
      vars_files:
      - /home/<user_name>/MyPlaybooks/secret.yml
      become: false
      gather_facts: false
    
      tasks:
      - name: Add idview and apply it to testhost.idm.example.com
        ipaidview:
          ipaadmin_password: "{{ ipaadmin_password }}"
          name: test_idview
          host: testhost.idm.example.com
          domain_resolution_order: "ad.example.com:ipa.example.com"
    Copy to Clipboard Toggle word wrap
  2. Run the playbook. Specify the playbook file, the file storing the password protecting the secret.yml file, and the inventory file:

    $ ansible-playbook --vault-password-file=password_file -v -i inventory add-id-view-with-domain-resolution-order.yml
    Copy to Clipboard Toggle word wrap

Verification

  1. SSH to testhost.idm.example.com.
  2. Verify you can retrieve user information for a user from the ad.example.com domain using only a short name.

    [root@testhost ~]# id aduser05
    uid=1916901102(aduser05) gid=1916900513(domain users) groups=1916900513(domain users)
    Copy to Clipboard Toggle word wrap

49.5. Setting the domain resolution order in SSSD on an IdM client

This procedure sets the domain resolution order in the SSSD configuration on an IdM client. This example configures IdM host client2.idm.example.com to search for users and groups in the following order:

  1. Active Directory (AD) child domain subdomain1.ad.example.com
  2. AD root domain ad.example.com
  3. IdM domain idm.example.com
Note

The domain resolution order in the local SSSD configuration overrides any global and ID view domain resolution order.

Prerequisites

  • You have configured a trust with an AD environment.

Procedure

  1. Open the /etc/sssd/sssd.conf file in a text editor.
  2. Set the domain_resolution_order option in the [sssd] section of the file.

    domain_resolution_order = subdomain1.ad.example.com, ad.example.com, idm.example.com
    Copy to Clipboard Toggle word wrap
  3. Save and close the file.
  4. Restart the SSSD service to load the new configuration settings.

    [root@client2 ~]# systemctl restart sssd
    Copy to Clipboard Toggle word wrap

Verification

  • Verify you can retrieve user information for a user from the subdomain1.ad.example.com domain using only a short name.

    [root@client2 ~]# id <user_from_subdomain1>
    uid=1916901106(user_from_subdomain1) gid=1916900513(domain users) groups=1916900513(domain users)
    Copy to Clipboard Toggle word wrap
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat