I'm sorry for the late reply, but we've all been busy finishing work on a RHEL update.
On Mon, Oct 23, 2017 at 10:29:13AM +0200, Jeremy Monnet wrote:
> Hi,
> I am trying to set up authentication against Active Directory, with multiple domains, and I haven't been able to find the recommended way to do it (it is very possible I missed it...), so I am looking for explanation and advice.
> With a master domain example.com, and subdomains sub1.example.com, sub2.example.com, etc, how would you set up sssd (and the linux system) to authenticate the users from all the domains?
> To give an example, my user is AD admin across all the forests (my_user@example.com), and I want to authenticate on all the servers, smtp.example.com or proxy.sub1.example.com, etc. I also want on some computers to authenticate customer accounts (my_customer@sub1.example.com).
> For now, I have 2 different setups:
> - on computers from example.com
>
> [sssd]
> config_file_version = 2
> debug_level = 0
> domains = example.com
> services = nss, pam
>
> [domain/example.com]
> enumerate = true
> dns_discovery_domain = cy2._sites.example.com
> debug_level = 8
> id_provider = ad
> access_provider = ad
> ldap_id_mapping = false
> #dyndns_update = false
This should just work for all domains, SSSD should autodiscover all the trusted domains from the forest.
Instead of the dns_discovery_domain, you should use "ad_site = cy2"
If something does not work, please send logs, see https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
But I would strongly recommend against enumerate=true both for performance reasons and because following the logs is then quite hard.
> - on computers from sub1.example.com
>
> [sssd]
> config_file_version = 2
> debug_level = 0
> domains = sub1.example.com,example.com
> services = nss, pam
>
> [domain/example.com]
> enumerate = true
> dns_discovery_domain = cy2._sites.example.com
> debug_level = 9
> id_provider = ad
> access_provider = ad
> ldap_id_mapping = false
>
> [domain/sub1.example.com]
> enumerate = true
> dns_discovery_domain = cy2._sites.sub1.example.com
> debug_level = 7
> id_provider = ad
> access_provider = ad
> ldap_id_mapping = false
This should not be needed and is not completely correct either.
Defining each domain separately is a valid workaround for domains in different forests. It was also a valid workaround for older releases if only some domains were reachable, so you'd disable the automatic subdomain discovery with subdomain_provider=none and then create a separate domain entry for each trusted domain.
But with modern releases this should not be necessary. Even if only the forest root and sub1.example.com are reachable, you could instead use "ad_enabled_domains = sub1.example.com,example.com"
But if all the domains are reachable, defining each domain should not be required and all users and groups from those domains should be resolvable.
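The following is an added worked example, not code from either poster or from the SSSD project. It parses the two sssd.conf fragments quoted above (reproduced inline as constructed strings, one key per line) with Python's configparser and flags the three points raised in the reply: enumerate = true, a dns_discovery_domain of the form site._sites.domain that should be ad_site, and a separately defined domain that looks like a DNS child of another configured AD domain. It also emits a single-domain configuration following the reply's advice. The audit only inspects the file; whether two domains actually share a forest is an assumption it cannot verify, so that finding is worded as a hint. The helper names (parse_sssd_conf, audit, recommended_conf) are my own.

```python
import configparser
import re

# Constructed copies of the two configurations quoted in the thread,
# reflowed one key per line as sssd.conf expects (not real files).
CONF_FOREST_ROOT = """\
[sssd]
config_file_version = 2
debug_level = 0
domains = example.com
services = nss, pam

[domain/example.com]
enumerate = true
dns_discovery_domain = cy2._sites.example.com
debug_level = 8
id_provider = ad
access_provider = ad
ldap_id_mapping = false
#dyndns_update = false
"""

CONF_SUBDOMAIN = """\
[sssd]
config_file_version = 2
debug_level = 0
domains = sub1.example.com,example.com
services = nss, pam

[domain/example.com]
enumerate = true
dns_discovery_domain = cy2._sites.example.com
id_provider = ad
access_provider = ad
ldap_id_mapping = false

[domain/sub1.example.com]
enumerate = true
dns_discovery_domain = cy2._sites.sub1.example.com
id_provider = ad
access_provider = ad
ldap_id_mapping = false
"""

# Matches "<site>._sites.<domain>", the AD site-scoped DNS discovery subtree.
SITES_RE = re.compile(r"^([^.]+)\._sites\.(.+)$")


def parse_sssd_conf(text):
    """Parse sssd.conf text; option names stay case-sensitive as in sssd."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit(cp):
    """Return (domain, key, advice) triples for the settings the reply objects to."""
    findings = []
    listed = [d.strip() for d in cp["sssd"].get("domains", "").split(",") if d.strip()]
    # Only AD-backed domains are relevant to the advice in the thread.
    ad_domains = [d for d in listed
                  if cp.has_section(f"domain/{d}")
                  and cp[f"domain/{d}"].get("id_provider", "").strip() == "ad"]
    for name in ad_domains:
        sect = cp[f"domain/{name}"]
        if sect.get("enumerate", "false").strip().lower() == "true":
            findings.append((name, "enumerate",
                             "set enumerate = false (performance, readable logs)"))
        m = SITES_RE.match(sect.get("dns_discovery_domain", "").strip())
        if m:
            findings.append((name, "dns_discovery_domain",
                             f"replace with ad_site = {m.group(1)}"))
        for parent in ad_domains:
            if name != parent and name.endswith("." + parent):
                findings.append((name, "redundant_domain",
                                 f"DNS child of {parent}; if they share a forest, drop this "
                                 "section and rely on subdomain autodiscovery (or ad_enabled_domains)"))
    return findings


def recommended_conf(forest_root, site, enabled_domains=None):
    """Single-domain sssd.conf following the reply: one forest root, ad_site, no enumeration."""
    lines = [
        "[sssd]",
        "config_file_version = 2",
        "services = nss, pam",
        f"domains = {forest_root}",
        "",
        f"[domain/{forest_root}]",
        "id_provider = ad",
        "access_provider = ad",
        "ldap_id_mapping = false",
        f"ad_site = {site}",
        "enumerate = false",
    ]
    if enabled_domains:  # optional: restrict which trusted domains SSSD enables
        lines.append("ad_enabled_domains = " + ", ".join(enabled_domains))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for label, text in (("forest root host", CONF_FOREST_ROOT), ("sub1 host", CONF_SUBDOMAIN)):
        print(f"== {label}")
        for domain, key, advice in audit(parse_sssd_conf(text)):
            print(f"[domain/{domain}] {key}: {advice}")
    print("== recommended")
    print(recommended_conf("example.com", "cy2", ["sub1.example.com", "example.com"]))
```

Run against the two quoted fragments, the audit reports the enumerate and dns_discovery_domain points for every AD domain and additionally marks the sub1.example.com section on the second host as redundant; the generated configuration passes the audit cleanly.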