Configuring SSSD to Display Domain Users Without @domain.com Suffix in Linux


When integrating Ubuntu 14.04 machines into a Windows domain using SSSD, a common frustration emerges: user principal names (UPNs) are displayed in the full username@DOMAIN.COM format throughout the system. This affects:

  • Command-line tools (ls -l output)
  • File ownership displays
  • Scripts with hardcoded username references

Modify /etc/sssd/sssd.conf with these key parameters:

[domain/yourdomain.com]
# Essential directives:
use_fully_qualified_names = False
override_homedir = /home/%u
fallback_homedir = /home/%u

1. Backup current config:

sudo cp /etc/sssd/sssd.conf /etc/sssd/sssd.conf.bak

2. Edit the configuration:

sudo nano /etc/sssd/sssd.conf

3. Apply changes (Ubuntu 14.04 uses Upstart, so service is the command that works there; systemctl only exists on later, systemd-based releases):

sudo service sssd restart

Verify with these commands:

id username
getent passwd username
ls -l /home/
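The backup, edit, restart and verify steps above (and the same procedure repeated later on this page) are easy to get subtly wrong by hand: a key pasted under the wrong section header, or a second copy of use_fully_qualified_names left behind after a retry. The following shell script is an added example, not code from the original page: a section-aware, idempotent setter for INI-style files that applies the three directives to a given copy of sssd.conf, plus a small filter that reports any account getent still shows with an @suffix. The function names, the example.com domain and the sample config are my own.

```shell
#!/bin/sh
# Added example, not from the original page. Section-aware, idempotent editing
# of an INI-style file such as /etc/sssd/sssd.conf, so re-running the procedure
# never duplicates a key or drops it into the wrong section. Names are mine.

# sssd_set_option FILE SECTION KEY VALUE
#   - KEY already in [SECTION]  -> value replaced in place
#   - [SECTION] exists, no KEY  -> "KEY = VALUE" appended to that section
#   - no [SECTION]              -> section created at end of file
# The file is rewritten through `cat >` so its mode (sssd.conf must be 0600) is kept.
sssd_set_option() {
    file=$1 section=$2 key=$3 value=$4
    tmp=$(mktemp) || return 1
    awk -v sec="$section" -v key="$key" -v val="$value" '
        function flush() { if (in_sec && !done) { print key " = " val; done = 1 } }
        /^[ \t]*\[/ {                              # a [section] header line
            flush()                                # leaving target section without KEY: add it
            name = $0
            sub(/^[ \t]*\[/, "", name); sub(/\][ \t]*$/, "", name)
            in_sec = (name == sec); if (in_sec) found = 1
            print; next
        }
        in_sec && !done && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            print key " = " val; done = 1; next     # replace the existing value
        }
        { print }
        END { flush(); if (!found) { print ""; print "[" sec "]"; print key " = " val } }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# configure_sssd_short_names CONF DOMAIN: backup, then the three page directives.
configure_sssd_short_names() {
    conf=$1 dom=$2
    cp -p "$conf" "$conf.bak" || return 1          # step 1 of the page: backup
    sssd_set_option "$conf" "domain/$dom" use_fully_qualified_names False &&
    sssd_set_option "$conf" "domain/$dom" override_homedir '/home/%u' &&
    sssd_set_option "$conf" "domain/$dom" fallback_homedir '/home/%u'
}

# names_still_qualified: reads passwd-format lines on stdin and prints every
# account name that still carries an @suffix, e.g. getent passwd | names_still_qualified
names_still_qualified() {
    awk -F: 'index($1, "@") { print $1 }'
}

# Demonstration on a constructed copy; on a real host pass /etc/sssd/sssd.conf
# (as root) and then run `sudo service sssd restart`.
demo=$(mktemp)
printf '[sssd]\nservices = nss, pam\ndomains = example.com\n\n[domain/example.com]\nid_provider = ad\nuse_fully_qualified_names = True\n' > "$demo"
configure_sssd_short_names "$demo" example.com && cat "$demo"
rm -f "$demo" "$demo.bak"
```

Run it a second time on the same file and the output is unchanged, which is the property you want from anything that configuration management will re-apply.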

For legacy scripts that can't be modified, consider these approaches:

# Option 1: Environment variable holding the account name exactly as NSS now
# reports it (the short form once use_fully_qualified_names = False is active)
export DOMAIN_USER=$(getent passwd "$USER" | cut -d: -f1)

# Option 2: Wrapper function that strips an @domain suffix if one is present
get_clean_username() {
    local user=$1
    echo "${user%@*}"
}

  • Check /var/log/sssd/ logs if changes don't take effect
  • Verify domain join status with realm list
  • Ensure nsswitch.conf includes sss for passwd and group

For more complex environments, consider these additional parameters:

[sssd]
# Lets users of the primary domain log in as plain "user" in a multi-domain setup
# while other domains stay qualified. This is an [sssd]-section option, and the
# sssd.conf manual page documents it as incompatible with
# use_fully_qualified_names = False, so it is an alternative to that setting,
# not an addition to it.
default_domain_suffix = yourdomain.com

[domain/yourdomain.com]
# Cache credentials so domain users can still log in when no domain controller
# is reachable
cache_credentials = True

When integrating Ubuntu 14.04 workstations with Active Directory using SSSD, domain users appear as username@DOMAIN.COM throughout the system. This causes two significant issues:

  1. Cluttered output in commands like ls -l
  2. Breakage in existing scripts that expect simple usernames

Edit your SSSD configuration file (/etc/sssd/sssd.conf) with these key parameters:

[sssd]
services = nss, pam
domains = YOURDOMAIN.COM

[domain/YOURDOMAIN.COM]
id_provider = ad
access_provider = ad
override_homedir = /home/%u
fallback_homedir = /home/%u
use_fully_qualified_names = False
ldap_id_mapping = True

The critical parameter here is use_fully_qualified_names = False which strips the domain suffix from usernames.

After modifying the config file:

  1. Set proper permissions: sudo chmod 600 /etc/sssd/sssd.conf
  2. Restart SSSD: sudo service sssd restart
  3. Flush the cache: sudo sss_cache -E

Verify the changes by running:

getent passwd DOMAIN_USERNAME
id DOMAIN_USERNAME

Both commands should now return the simple username format without the domain suffix.

For existing files with @domain.com owners, you can batch update ownership. Ownership is stored on disk as a numeric UID, and find -user also accepts a numeric ID, which is what you need once the old user@DOMAIN.COM spelling no longer resolves through NSS:

find /path/to/files -user "user@DOMAIN.COM" -exec chown user {} \;

  • If you have duplicate usernames (local and domain), consider setting ldap_id_mapping = True
  • Some applications might still expect FQDN usernames - test thoroughly
  • The solution works for new authentications - existing sessions may need restarting
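Because ownership is a numeric UID, the chown step above is only needed where a UID actually changed (for instance because the ID-mapping setting changed along with the name format), and the safest way to know is to compare a getent passwd dump taken before the change with one taken after. The script below is an added example, not code from the original page: compare_uid_maps flags every UID that vanished or whose name changed in any way other than losing its @suffix, and files_owned_by_uid lists what would need chown for a given numeric ID. The function names and the constructed passwd lines are my own; the UIDs are made up but shaped like SSSD's ID-mapped values.

```shell
#!/bin/sh
# Added example, not from the original page. Ownership on disk is a numeric UID,
# so dropping the @suffix only changes how an owner is displayed; chown is needed
# only where a UID really changed. Function names and sample data are mine.

# compare_uid_maps BEFORE AFTER
#   BEFORE and AFTER are passwd-format dumps (e.g. `getent passwd > before.txt`)
#   taken before and after the change. Prints a line for every UID from BEFORE
#   that vanished or whose name changed other than by losing its @suffix;
#   exit status 1 if anything was printed, 0 if the maps are consistent.
compare_uid_maps() {
    awk -F: '
        FILENAME == ARGV[1] { old[$3] = $1; next }      # BEFORE: uid -> name
        { new[$3] = $1 }                                # AFTER:  uid -> name
        END {
            for (uid in old) {
                short = old[uid]; sub(/@.*$/, "", short)  # expected new spelling
                if (!(uid in new)) {
                    printf "uid %s (%s) no longer resolves\n", uid, old[uid]; bad++
                } else if (new[uid] != old[uid] && new[uid] != short) {
                    printf "uid %s renamed %s -> %s\n", uid, old[uid], new[uid]; bad++
                }
            }
            exit (bad ? 1 : 0)
        }' "$1" "$2"
}

# files_owned_by_uid DIR UID: the files that would need chown if UID changed.
# find -user accepts a numeric ID, which is what you need once the old
# user@DOMAIN.COM spelling no longer resolves through NSS.
files_owned_by_uid() {
    find "$1" -user "$2" -print
}

# Demonstration on constructed dumps: alice kept her UID and lost the suffix,
# bob's UID changed, carol is missing entirely.
b=$(mktemp); a=$(mktemp)
printf 'alice@EXAMPLE.COM:*:1234567:1234567::/home/alice:/bin/bash\n' >  "$b"
printf 'bob@EXAMPLE.COM:*:1234568:1234568::/home/bob:/bin/bash\n'     >> "$b"
printf 'carol@EXAMPLE.COM:*:1234569:1234569::/home/carol:/bin/bash\n' >> "$b"
printf 'alice:*:1234567:1234567::/home/alice:/bin/bash\n'             >  "$a"
printf 'bob:*:7654321:7654321::/home/bob:/bin/bash\n'                 >> "$a"
compare_uid_maps "$b" "$a" || echo "ownership review needed for the UIDs above"
rm -f "$b" "$a"
```

When the report is empty, no chown is required and the find command on the page can be skipped; when it lists a UID, run files_owned_by_uid with that old numeric ID to see exactly which files are affected before changing anything.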

If SSSD configuration doesn't meet your needs, consider:

  • Winbind (older alternative to SSSD)
  • Custom NSS modules
  • Wrapper scripts that translate usernames