When working with Active Directory integration on CentOS, the default login format often includes the domain suffix. Running realm list shows the current configuration:
$ realm list
mydomain.local
type: kerberos
realm-name: MYDOMAIN.LOCAL
domain-name: mydomain.local
configured: kerberos-member
login-formats: %U@mydomain.local
login-policy: allow-realm-logins
The current setup requires users to authenticate with the username@domain@host format (for example, ssh username@mydomain.local@hostname). While this works, it is not the most user-friendly approach; many administrators prefer the simpler username@host format for SSH logins.
Attempting to log in with just the username fails because SSSD is configured to expect the domain suffix.
To change this behavior, we need to modify the SSSD configuration file. Here's how to do it properly:
# Edit the sssd.conf file
sudo vi /etc/sssd/sssd.conf
# Add or modify the following settings in the [domain/mydomain.local] section
[domain/mydomain.local]
...
ldap_user_name = sAMAccountName
ldap_user_principal = userPrincipalName
override_homedir = /home/%d/%u
fallback_homedir = /home/%u
use_fully_qualified_names = False
The critical parameters for this change are:
- use_fully_qualified_names = False - allows logins without the domain suffix
- ldap_user_name = sAMAccountName - uses the AD sAMAccountName attribute (the simple username) as the login name
- ldap_user_principal = userPrincipalName - maintains compatibility with AD
After making these changes, restart the required services:
sudo systemctl restart sssd
sudo systemctl restart sshd
Check that the new configuration is active:
$ realm list
mydomain.local
...
login-formats: %U
Now you should be able to authenticate using either:
ssh username@hostname
or
ssh username@mydomain.local@hostname
If you encounter issues:
- Check SSSD logs: tail -f /var/log/sssd/*.log
- Verify Kerberos tickets: klist
- Test authentication locally: su - username
- Ensure proper file permissions: chmod 600 /etc/sssd/sssd.conf
For more advanced setups, you might consider:
[domain/mydomain.local]
...
cache_credentials = True
default_shell = /bin/bash
ad_domain = mydomain.local
krb5_realm = MYDOMAIN.LOCAL
realmd_tags = manages-system joined-with-adcli
When integrating CentOS with Active Directory using SSSD, the default login format typically includes the domain suffix (%U@domain). This can be verified by running:
realm list
Sample output showing the current configuration:
mydomain.local
type: kerberos
realm-name: MYDOMAIN.LOCAL
domain-name: mydomain.local
configured: kerberos-member
login-formats: %U@mydomain.local
login-policy: allow-realm-logins
To change the format to simple usernames (%U), you'll need to edit the SSSD configuration:
sudo vi /etc/sssd/sssd.conf
Add or modify the following section under the domain-specific configuration:
[domain/mydomain.local]
use_fully_qualified_names = False
override_homedir = /home/%u
fallback_homedir = /home/%u
Critical parameters to note:
- use_fully_qualified_names = False - enables the simple username format
- The %u variable in override_homedir and fallback_homedir expands to the login name, so home directory paths follow the new format automatically
While not strictly required, you may want to review your Kerberos configuration for consistency:
sudo vi /etc/krb5.conf
Ensure your realm configuration is properly set:
[realms]
MYDOMAIN.LOCAL = {
kdc = dc1.mydomain.local
admin_server = dc1.mydomain.local
default_domain = mydomain.local
}
After making changes:
sudo systemctl restart sssd
realm list
Expected output showing the updated format:
login-formats: %U
To test authentication:
su - username # Instead of username@domain
ssh username@hostname
If changes don't take effect:
- Verify file permissions: sudo chmod 600 /etc/sssd/sssd.conf
- Check logs: journalctl -u sssd -f
- Clear the SSSD cache: sudo sss_cache -E
For environments with multiple domains, consider using:
[domain/...]
full_name_format = %1$s
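The audit script below is an added example, not code from either answer above: it checks an sssd.conf for the use_fully_qualified_names = False setting and the 0600 file mode that both answers call for, and parses realm list output for the bare %U login format. The domain name, file paths and the sample config are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original page): audit an sssd.conf for the
# short-login-name settings described above. Paths, the domain name and
# the sample config are constructed.

# Print the value of KEY inside [domain/DOMAIN] of CONF (empty when unset).
# Usage: sssd_get CONF DOMAIN KEY
sssd_get() {
    awk -v sect="[domain/$2]" -v key="$3" '
        /^[ \t]*\[/ { insect = ($0 == sect); next }
        insect && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub("^[^=]*=[ \t]*", ""); print; exit
        }' "$1"
}

# Return 0 when the domain section disables fully qualified names and the
# file is mode 0600 (sssd checks the file mode at startup); otherwise print
# each problem found and return 1.
check_sssd_conf() {
    conf=$1; domain=$2; rc=0
    if ! grep -qF "[domain/$domain]" "$conf"; then
        echo "no [domain/$domain] section in $conf"; return 1
    fi
    fqn=$(sssd_get "$conf" "$domain" use_fully_qualified_names)
    case "$fqn" in
        [Ff]alse) ;;
        *) echo "use_fully_qualified_names is '${fqn:-unset}', expected False"; rc=1 ;;
    esac
    if [ -z "$(find "$conf" -perm 600)" ]; then
        echo "$conf is not mode 0600"; rc=1
    fi
    return $rc
}

# Return 0 when `realm list` output reports the bare %U login format.
realm_format_is_short() {
    printf '%s\n' "$1" | awk '
        $1 == "login-formats:" { seen = 1; if ($2 == "%U") ok = 1 }
        END { exit !(seen && ok) }'
}

# Constructed sample config exercising the functions above.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = mydomain.local

[domain/mydomain.local]
ad_domain = mydomain.local
use_fully_qualified_names = False
fallback_homedir = /home/%u
EOF
chmod 600 "$SAMPLE_CONF"
check_sssd_conf "$SAMPLE_CONF" mydomain.local && echo "config OK"
```

Run it against the real file with check_sssd_conf /etc/sssd/sssd.conf mydomain.local (as root, since the file is not world-readable), and feed the live output of realm list to realm_format_is_short.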