Hi,
Nobody has a clue on the best practices for AD domains with trust? :-(
Regs,
Jeremy
On Mon, Oct 23, 2017 at 10:29 AM, Jeremy Monnet jmonnet@gmail.com wrote:
Hi,
I am trying to set up an authentication against Active Directory, with multiple domains, and I haven't been able to find the recommended way to do it (it is very possible I missed it...), so I am looking for explanation and advice.
With a master domain example.com, and subdomains sub1.example.com, sub2.example.com, etc., how would you set up sssd (and the Linux system) to authenticate the users from all the domains?
To give the example, my user is AD admin across all the forests (my_user@example.com), and I want to authenticate on all the servers, smtp.example.com or proxy.sub1.example.com, etc. I also want on some computers to authenticate customers' accounts (my_customer@sub1.example.com).
For now, I have 2 different setups:
- on computers from example.com

[sssd]
config_file_version = 2
debug_level = 0
domains = example.com
services = nss, pam

[domain/example.com]
enumerate = true
dns_discovery_domain = cy2._sites.example.com
debug_level = 8
id_provider = ad
access_provider = ad
ldap_id_mapping = false
#dyndns_update = false
- on computers from sub1.example.com

[sssd]
config_file_version = 2
debug_level = 0
domains = sub1.example.com,example.com
services = nss, pam

[domain/example.com]
enumerate = true
dns_discovery_domain = cy2._sites.example.com
debug_level = 9
id_provider = ad
access_provider = ad
ldap_id_mapping = false

[domain/sub1.example.com]
enumerate = true
dns_discovery_domain = cy2._sites.sub1.example.com
debug_level = 7
id_provider = ad
access_provider = ad
ldap_id_mapping = false
I join computers to example.com or to sub1.example.com with "adcli join example.com -U my_user@EXAMPLE.COM" or "adcli join sub1.example.com -U my_user@EXAMPLE.COM", as I would do with an ordinary Windows workstation.
And for AD, I use the POSIX attributes (and that may be the way...), so if a UID or GID exists in both domains, I happen to find wrong group names, etc.
I hope my questions are clear enough! :-) What am I doing wrong? What are the recommended settings for that situation?
Thanks,
Jeremy
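A single-client sssd.conf for the layout described above, added here as an example and not a reply from the thread: it assumes the host is joined to example.com, that sub1.example.com and the other subdomains are trusted domains of the same forest, and that the site name cy2 is the host's real site. It lists only the joined domain and lets the AD provider discover the trusted sub-domains, and uses SID-based ID mapping so that a uidNumber present in two domains cannot resolve to the wrong account.

```ini
[sssd]
config_file_version = 2
services = nss, pam
# Only the domain this host is joined to is listed here; with
# id_provider = ad, sssd discovers sub1.example.com, sub2.example.com, etc.
# as trusted sub-domains of the forest instead of needing one
# [domain/...] section per AD domain.
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = ad
# Assumed site: replace cy2 with the site the host actually belongs to.
dns_discovery_domain = cy2._sites.example.com
# Derive UIDs/GIDs from each domain's SID plus RID rather than reading
# uidNumber/gidNumber, so every domain gets its own non-overlapping ID
# range (this is the AD provider's default; shown explicitly because the
# thread's configs set it to false).
ldap_id_mapping = true
# Keep my_user@example.com and my_customer@sub1.example.com distinct even
# when the short names collide.
use_fully_qualified_names = true
# Enumerating a whole forest is expensive and not needed for logins.
enumerate = false
```

Switching ldap_id_mapping from false to true changes every user's UID and GID, so file ownership on hosts that already relied on the POSIX attributes has to be migrated before the change is rolled out.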