Hi.
I have the following scenario:
- 'example.com' domain running on premises
- 'aws.example.com' domain running on 'Amazon Microsoft AD' in a VPC with a VPN connection to on premises
- One-way trust created from aws.example.com to example.com
I'm currently able to log in to a Windows server joined to aws.example.com using example.com credentials. Now I want the same for our Linux servers running in the Amazon VPC and have tried using this guide: http://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_linux_in...
I am able to log in using credentials from aws.example.com like this: ssh user@aws.example.com (user is present in this domain). But I am not able to do it using ssh user@example.com (user is present in this domain).
I have searched a lot on this topic and saw freeipa mentioned a few times, but I would rather avoid having to use extra software if possible.
Any help would be greatly appreciated. Please let me know if I need to provide any more details.
Best regards Kasper
On Tue, Apr 25, 2017 at 12:37:50PM -0000, kn@unwire.dk wrote:
> Hi.
> I have the following scenario:
> - 'example.com' domain running on premises
> - 'aws.example.com' domain running on 'Amazon Microsoft AD' in a VPC with a VPN connection to on premises
> - One-way trust created from aws.example.com to example.com
I'm sorry, but sssd so far only supports domains in a single forest. You can either join the client to each of the forests (and create multiple domain sections in sssd.conf), or use freeipa as you said, or use winbind.
> I'm currently able to log in to a Windows server joined to aws.example.com using example.com credentials. Now I want the same for our Linux servers running in the Amazon VPC and have tried using this guide: http://docs.aws.amazon.com/directoryservice/latest/admin-guide/join_linux_in...
> I am able to log in using credentials from aws.example.com like this: ssh user@aws.example.com (user is present in this domain). But I am not able to do it using ssh user@example.com (user is present in this domain).
> I have searched a lot on this topic and saw freeipa mentioned a few times, but I would rather avoid having to use extra software if possible.
Yes, freeipa can help here in the sense that you would establish a trust to each of these forests.
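Jakub's first option, joining the client to both forests and giving each forest its own domain section, as an added example that is not part of the thread and not SSSD project code: an sssd.conf with one [domain/...] section per forest. The domain names and Kerberos realms are the ones from Kasper's post; the keytab path for the second machine account, the home directory layout and the debug level are assumptions. This layout only works if the host has actually been joined to both domains separately, since SSSD will not follow the cross-forest trust for you.

```ini
# /etc/sssd/sssd.conf  (added example, not from the thread or the SSSD project)
# SSSD only follows trusts inside one forest, so each forest gets its own
# domain section and its own machine account / keytab.

[sssd]
config_file_version = 2
services = nss, pam
domains = aws.example.com, example.com

[domain/aws.example.com]
id_provider = ad
access_provider = ad
ad_domain = aws.example.com
krb5_realm = AWS.EXAMPLE.COM
# keytab written by the first join (default location)
krb5_keytab = /etc/krb5.keytab
ldap_id_mapping = True
cache_credentials = True
# keep users of the two forests distinct: names must carry the domain,
# so a user in example.com cannot shadow a same-named user in aws.example.com
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
default_shell = /bin/bash
# raise while checking whether the domain is discovered; lower it again afterwards
debug_level = 6

[domain/example.com]
id_provider = ad
access_provider = ad
ad_domain = example.com
krb5_realm = EXAMPLE.COM
# second machine account needs its own keytab (assumed path)
krb5_keytab = /etc/sssd/example.com.keytab
ldap_id_mapping = True
cache_credentials = True
use_fully_qualified_names = True
fallback_homedir = /home/%d/%u
default_shell = /bin/bash
debug_level = 6
```

SSSD refuses to start unless the file is owned by root with mode 0600, so fix permissions before restarting the service. The second join has to be done with a tool that can write the machine keytab to the alternative path given in krb5_keytab rather than overwriting /etc/krb5.keytab. With use_fully_qualified_names set, the login name itself contains the domain, so the SSH invocation becomes ssh 'user@example.com'@linuxhost, and `id user@example.com` on the box is a quick check before testing SSH. If a user is not resolved, the per-domain log /var/log/sssd/sssd_example.com.log is where the discovery and lookup failures show up.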
Hi Jakub.
Thank you for the quick response. I still believe I'm in the same forest (correct me if I'm wrong), but using a trust. Are trusts not supported at all in SSSD?
If not, is this functionality on the roadmap, and if so, how far out?
Again, thank you :) We use SSSD in our office network and are very happy with it.
On Wed, Apr 26, 2017 at 07:55:38AM -0000, kn@unwire.dk wrote:
> Hi Jakub.
> Thank you for the quick response. I still believe I'm in the same forest (correct me if I'm wrong), but using a trust. Are trusts not supported at all in SSSD?
Trusted domains in a single forest are. If the domains are in a single forest, then please look at the debug logs to see whether the non-joined domain is discovered.
sssd-users@lists.fedorahosted.org