Hi,
Using SSSD 1.14.2 on RHEL6, users from a domain other than the joined domain are only resolved when specifying the domain. As an example:

Joined domain "northamerica": the user uniq_user_A@northamerica can be resolved using:

    getent passwd uniq_user_A

But uniq_user_B in domain "europe" can ONLY be resolved using:

    getent passwd europe\uniq_user_B

where I would expect that "getent passwd uniq_user_B" would also work (see my configuration file attached below).

Diving into the sssd log files, it seems that when specifying just "uniq_user_B", the DCs for the europe domain are contacted, which it can't access since that domain is not in the Kerberos keytab. When specifying europe\uniq_user_B, SSSD seems to contact the DCs for the northamerica domain instead; that is the domain it's joined to, and it is also in the Kerberos keytab.

To solve this issue I also added the europe DCs to the keytab by changing the domain/realm in smb.conf and krb5.conf to europe and re-running the "net ads join" command. Once they are added, and thus also listed by "klist -k", I can resolve users in both domains without specifying their domain, like:

    getent passwd uniq_user_B

I wonder if this is the normal behaviour, because if the server is joined to the northamerica domain and "getent passwd europe\uniq_user_B" works, I would expect that it would also be possible to run "getent passwd uniq_user_B" without having to add extra domains to the keytab.
The sssd.conf I used:
[sssd]
services = nss, pam
config_file_version = 2
debug_level = 7
domains = northamerica.example.net,europe.example.net
default_shell = /bin/bash

[nss]
debug_level = 7
default_shell = /bin/bash
filter_users = root
filter_groups = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
override_shell = /bin/bash

[pam]
debug_level = 7

[domain/northamerica.example.net]
id_provider = ad
subdomains_provider = none
ad_domain = northamerica.example.net
krb5_realm = NORTHAMERICA.EXAMPLE.NET
use_fully_qualified_names = False
debug_level = 7
auth_provider = ad
chpass_provider = ad
access_provider = ad
cache_credentials = true
ldap_idmap_range_size = 2000000
ldap_idmap_default_domain_sid = S-1-5-21-1757981266-299502267-1801674531
ldap_idmap_default_domain = northamerica.example.net

[domain/europe.example.net]
id_provider = ad
subdomains_provider = none
ad_domain = europe.example.net
krb5_realm = EUROPE.EXAMPLE.NET
use_fully_qualified_names = False
debug_level = 7
auth_provider = ad
chpass_provider = ad
access_provider = ad
cache_credentials = true
ldap_idmap_range_size = 2000000
ldap_idmap_default_domain_sid = S-1-5-21-507921405-813497703-1202660629
ldap_idmap_default_domain = europe.example.net
The krb5.conf:

[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log

[libdefaults]
default_realm = NORTHAMERICA.EXAMPLE.NET
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
Johan Postema.
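Added example, not part of the thread or of SSSD itself: a small Python diagnostic that reads the sssd.conf above together with a `klist -k` listing and reports which configured domains have no keytab principal in their krb5_realm, which is the check that had to be done by hand in the debug logs. It models SSSD's behaviour with use_fully_qualified_names = False: an unqualified name is tried against every domain in `domains =` order, and the AD provider authenticates to each domain's DCs over GSSAPI with a principal taken from that domain's realm in the keytab. The sample sssd.conf is the one from this message trimmed to the keys the check reads; the two `klist -k` listings and the host name rhel6box are constructed.

```python
"""Check that every SSSD domain has a keytab principal in its Kerberos realm.

Added diagnostic, not SSSD code. With use_fully_qualified_names = False an
unqualified lookup such as `getent passwd uniq_user_B` is tried against every
domain in [sssd] domains, in that order; the AD provider binds to each domain's
DCs with GSSAPI using a keytab principal from that domain's krb5_realm, so a
domain whose realm has no keytab entry cannot be bound to at all.
"""
import configparser
import re
import subprocess
import sys

# Constructed sample: the thread's sssd.conf trimmed to the keys this check reads.
SSSD_CONF = """
[sssd]
services = nss, pam
domains = northamerica.example.net,europe.example.net

[domain/northamerica.example.net]
id_provider = ad
subdomains_provider = none
ad_domain = northamerica.example.net
krb5_realm = NORTHAMERICA.EXAMPLE.NET
use_fully_qualified_names = False

[domain/europe.example.net]
id_provider = ad
subdomains_provider = none
ad_domain = europe.example.net
krb5_realm = EUROPE.EXAMPLE.NET
use_fully_qualified_names = False
"""

# Constructed `klist -k` output after the first `net ads join` only; the host
# name "rhel6box" is hypothetical.
KLIST_BEFORE = """Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/rhel6box.northamerica.example.net@NORTHAMERICA.EXAMPLE.NET
   2 RHEL6BOX$@NORTHAMERICA.EXAMPLE.NET
"""

# Constructed listing after the second join against the europe domain.
KLIST_AFTER = KLIST_BEFORE + """   3 host/rhel6box.europe.example.net@EUROPE.EXAMPLE.NET
   3 RHEL6BOX$@EUROPE.EXAMPLE.NET
"""

# One principal line of `klist -k`: "<kvno> <principal>@<REALM>".
PRINCIPAL_LINE = re.compile(r"^\s*\d+\s+(\S+@\S+)\s*$")


def configured_domains(conf_text):
    """[(domain, REALM)] in the order SSSD walks them for an unqualified name."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    order = [d.strip() for d in cp["sssd"]["domains"].split(",") if d.strip()]
    result = []
    for dom in order:
        sect = cp["domain/" + dom]
        # The AD provider defaults krb5_realm to the upper-cased ad_domain.
        realm = sect.get("krb5_realm") or sect.get("ad_domain", dom)
        result.append((dom, realm.upper()))
    return result


def keytab_realms(klist_text):
    """Set of realms that have at least one principal in the keytab listing."""
    realms = set()
    for line in klist_text.splitlines():
        m = PRINCIPAL_LINE.match(line)
        if m:
            realms.add(m.group(1).rsplit("@", 1)[1].upper())
    return realms


def keytab_coverage(conf_text, klist_text):
    """[(domain, REALM, has_key)]; has_key False means SSSD cannot bind to that domain."""
    present = keytab_realms(klist_text)
    return [(dom, realm, realm in present) for dom, realm in configured_domains(conf_text)]


def domains_without_keys(conf_text, klist_text):
    """Domains an unqualified lookup walks into but the AD provider cannot authenticate to."""
    return [dom for dom, _realm, ok in keytab_coverage(conf_text, klist_text) if not ok]


def report(conf_text, klist_text):
    for dom, realm, ok in keytab_coverage(conf_text, klist_text):
        status = "ok" if ok else "NO KEYTAB ENTRY: lookups in this domain fail"
        print(f"{dom:28} realm {realm:28} {status}")


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Live mode: python3 check_keytab.py /etc/sssd/sssd.conf (run as root so
        # klist -k can read /etc/krb5.keytab).
        with open(sys.argv[1]) as fh:
            conf = fh.read()
        klist = subprocess.run(["klist", "-k"], capture_output=True, text=True, check=True).stdout
        report(conf, klist)
    else:
        print("before the second join:")
        report(SSSD_CONF, KLIST_BEFORE)
        print("after the second join:")
        report(SSSD_CONF, KLIST_AFTER)
```

Without arguments the script runs on the constructed samples and shows europe.example.net flagged before the second join and clean after it; with the path to sssd.conf as its only argument it checks a live host. Note that the workaround leaves /etc/krb5.keytab holding the long-term keys of two computer accounts, one per domain, so the host now carries a second machine credential that needs the same protection as the first.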
On Thu, May 05, 2016 at 03:11:41PM +0200, Johan Postema wrote:
> Hi,
>
> Using SSSD 1.14.2 on RHEL6, users from a domain other than the joined domain are only resolved when specifying the domain. As an example:
>
> Joined domain "northamerica": the user uniq_user_A@northamerica can be resolved using:
>
>     getent passwd uniq_user_A
>
> But uniq_user_B in domain "europe" can ONLY be resolved using:
>
>     getent passwd europe\uniq_user_B
>
> where I would expect that "getent passwd uniq_user_B" would also work (see my configuration file attached below).
>
> Diving into the sssd log files, it seems that when specifying just "uniq_user_B", the DCs for the europe domain are contacted, which it can't access since that domain is not in the Kerberos keytab.
What is the relationship between the domains? Are they from the same forest?
> When specifying europe\uniq_user_B, SSSD seems to contact the DCs for the northamerica domain instead; that is the domain it's joined to, and it is also in the Kerberos keytab.
>
> To solve this issue I also added the europe DCs to the keytab by changing the domain/realm in smb.conf and krb5.conf to europe and re-running the "net ads join" command. Once they are added, and thus also listed by "klist -k", I can resolve users in both domains without specifying their domain, like:
>
>     getent passwd uniq_user_B
>
> I wonder if this is the normal behaviour, because if the server is joined to the northamerica domain and "getent passwd europe\uniq_user_B" works, I would expect that it would also be possible to run "getent passwd uniq_user_B" without having to add extra domains to the keytab.
> [sssd.conf and krb5.conf quoted unchanged from the message above]
> Johan Postema.

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org