Description of problem:
In case of trusted domains, realmd fails to validate all the trusted domains.

Version-Release number of selected component (if applicable):
realmd-0.14.5-1.el7

How reproducible:
Always

Steps to Reproduce:
1. Join to an AD domain sssdad.com via realmd
2. Now try to permit a user from another trusted domain sssdad1.com

# realm permit abcd
See: journalctl REALMD_OPERATION=r2005410.20779
realm: Couldn't change permitted logins: Invalid login argument 'abcd' does not match the login format.

Actual results:
realmd fails to permit the user from the trusted domain

Expected results:
realmd should relax domain validation, and should permit users from other domains.

Additional info:
The trusted domains are discovered on the fly, so currently I don't see a way of validating them. Maybe there could be a switch for realm permit that would override the check?
(In reply to Jakub Hrozek from comment #2)
> The trusted domains are discovered on the fly, so currently I don't see a
> way of validating them. Maybe there could be a switch for realm permit that
> would override the check?

Does sssd allow use of trusted domains in the simple allow/deny config lines? If so, in which version of sssd was this added? I remember us discussing it, but must have missed the resolution.

In my opinion, at this point we should bump this to RHEL 7.1 (or later). This is (or was until recently) a fundamental limitation of sssd.
Not at the moment, the simple provider didn't even support FQDNs at all until recently. We'll be adding subdomain support in time for 7.0. But I agree this realmd RFE is not critical for 7.0.
Development Management has reviewed and declined this request. You may appeal this decision by reopening this request.