What level of support is there for supporting multiple Active Directory domains that have trust relationships established with each other (either one/two/external/forest)?
If I have an environment with DomA <> DomB, it would currently appear that I would need to create two separate SSSD domains in my .conf file, one for each domain as well as create a computer account in each domain and associated keytab entries on the local host. In effect, the machine would be "joined" to two domains at once.
Would this work? Is there another way where one can be joined only to a single domain and still authenticate trusted users?
The only documentation I can find regarding AD and trusts involves IPA trusted domains.
Thank you.
On Tue, Aug 13, 2013 at 12:28:03PM -0500, Ben H wrote:
> What level of support is there for supporting multiple Active Directory domains that have trust relationships established with each other (either one/two/external/forest)?
> If I have an environment with DomA <> DomB, it would currently appear that I would need to create two separate SSSD domains in my .conf file, one for each domain as well as create a computer account in each domain and associated keytab entries on the local host. In effect, the machine would be "joined" to two domains at once.
> Would this work? Is there another way where one can be joined only to a single domain and still authenticate trusted users?
> The only documentation I can find regarding AD and trusts involves IPA trusted domains.
> Thank you.
With sssd-1.10 we started with the first step of trust support in the AD provider. Currently sssd can handle domains in a single forest, i.e. if the domain you joined sssd to is part of a forest, users from other domains in this forest are available as well.
The next stop would be to support cross-forest trusts.
HTH
bye, Sumit
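The single-join setup described in the reply, as an added example that is not part of the original thread: one domain section using the AD provider for the domain the host is joined to, with no second section, machine account or keytab for the other domain. The names `doma.example.com`, `DOMA.EXAMPLE.COM` and `domb.example.com` are placeholders, and the sketch assumes sssd 1.10 or later with DomA and DomB in the same forest.

```ini
# /etc/sssd/sssd.conf (constructed example; domain names are placeholders)
[sssd]
config_file_version = 2
services = nss, pam
# Only the domain the host is joined to is listed; there is no section for DomB.
domains = doma.example.com

[domain/doma.example.com]
id_provider = ad
auth_provider = ad
ad_domain = doma.example.com
krb5_realm = DOMA.EXAMPLE.COM
# One machine account and one keytab, both belonging to DomA.
krb5_keytab = /etc/krb5.keytab
# Users from other domains in the same forest are resolved through the
# joined domain and are looked up by fully qualified name,
# e.g. user@domb.example.com (placeholder).
```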