Hi! Please help. Everything I've read has stated that this should work, but it does not. On Ubuntu, that is. I set up a CentOS 7 box and this *did* work. I've tried this on

* Ubuntu 14.04 with sssd 1.11.8 (from the default Ubuntu 14.04 repos) -- didn't work
* Ubuntu 14.04 with sssd 1.13.4 (from a PPA) -- also didn't work
* CentOS 7 with sssd 1.14.0 -- This worked!
* Ubuntu 16.04 with sssd 1.13.4 -- this did not work
*Description*
I have two Active Directory domains in the same forest.

* Domain "CORP"
* Domain "QA"
I have 2-way trusts set up between the domains.
"Real users" are all in CORP
Authorization into QA is handled with AD Universal Groups, but I don't think that's relevant here (especially since what I want to work does work on CentOS 7 + sssd).
I have an Ubuntu 14.04 box set up which I joined to domain "QA" via realmd. Here's the actual command I used:

realm join \
  --install=/ \
  --verbose \
  --user=jsilverman@CORP.EXAMPLE.COM \
  --client-software=sssd \
  --membership-software=adcli \
  --computer-ou="OU=Linux,OU=Servers,DC=qa,DC=example,DC=com" \
  QA.EXAMPLE.COM

Running this command, realmd

* creates a Kerberos keytab
* sets up sssd.conf
* adds the computer to the OU specified in QA.EXAMPLE.COM
I then went in and added another domain to sssd.conf to configure CORP. When done, I have the following config files:
** File /etc/sssd.conf **:

[sssd]
domains = qa.example.com
config_file_version = 2
services = nss, pam

[domain/qa.example.com]
ad_domain = qa.example.com
krb5_realm = QA.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /srv/home/%u
access_provider = ad
enumerate = True

[domain/corp.example.com]
ad_domain = corp.example.com
krb5_realm = CORP.EXAMPLE.COM
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = False
fallback_homedir = /srv/home/%u
access_provider = ad
enumerate = True
** File /etc/krb5.conf **:

[libdefaults]
default_realm = QA.EXAMPLE.COM

[realms]
QA.EXAMPLE.COM = {
  kdc = qadc01a.example.com
  kdc = qadc01b.example.com
  admin_server = qadc01a.example.com
}
CORP.EXAMPLE.COM = {
  kdc = corpdc01a.it.example.com
  kdc = corpdc01b.it.example.com
  admin_server = corpdc01a.it.example.com
}

[domain_realm]
.qa.example.com = QA.EXAMPLE.COM
qa.example.com = QA.EXAMPLE.COM
.corp.example.com = CORP.EXAMPLE.COM
corp.example.com = CORP.EXAMPLE.COM
** File /etc/realmd.conf **:

[service]
automatic-install = no

[users]
default-home = /srv/home/%U
default-shell = /bin/bash

[qa.example.com]
computer-ou = OU=Servers,OU=Linux,DC=qa,DC=example,DC=com
automatic-id-mapping = yes
fully-qualified-names = no

[corp.example.com]
automatic-id-mapping = yes
fully-qualified-names = no
Finally, when I do all this on CentOS 7, I am able to find users in both domains, and I'm able to authenticate as those users from both domains. Example, *on CentOS 7*:

# getent passwd jsilverman@corp.example.com
jsilverman@corp.example.com:*:363201124:363201124:Jeff Silverman:/srv/home/jsilverman:/bin/bash
# getent passwd qatestadmin
qatestadmin:*:277401105:277400513:QA Test Admin:/srv/home/qatestadmin:/bin/bash
# getent passwd qatestadmin@qa.example.com
qatestadmin:*:277401105:277400513:QA Test Admin:/srv/home/qatestadmin:/bin/bash
HOWEVER, when I do all this on Ubuntu 14.04, OR on Ubuntu 16.04, I can only see users from the QA domain.
# getent passwd jsilverman@corp.example.com
## (Note: there is no output from this command)
# getent passwd qatestadmin
qatestadmin:*:277401105:277400513:QA Test Admin:/srv/home/qatestadmin:/bin/bash
# getent passwd qatestadmin@qa.example.com
qatestadmin:*:277401105:277400513:QA Test Admin:/srv/home/qatestadmin:/bin/bash
Please advise!
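A check worth running against any hand-edited sssd.conf, added here as an editor's example (it is not part of the original post and not an sssd tool): sssd only starts the domains named in the `domains =` line of the [sssd] section and silently ignores a `[domain/...]` section for a domain that is not listed there (sssd.conf(5)). The posted sssd.conf declares a `[domain/corp.example.com]` section while its `domains =` line names only qa.example.com, so this script reports corp.example.com. The sample configuration it reads is constructed from the posted file, trimmed to the keys the check needs; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the original post or from sssd: report [domain/NAME]
# sections that the [sssd] "domains =" line does not name. sssd starts only the
# listed domains; sections for unlisted domains are ignored.

# Print the domains sssd will actually start, one per line, lower-cased.
sssd_active_domains() {
    # Read the "domains" key inside the [sssd] section only; split on commas/blanks.
    awk '
        /^[ \t]*\[/ { insssd = ($0 ~ /^[ \t]*\[sssd\]/); next }
        insssd && /^[ \t]*domains[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")
            n = split($0, d, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (d[i] != "") print tolower(d[i])
        }' "$1"
}

# Print the NAME of every [domain/NAME] section, one per line, lower-cased.
sssd_declared_domains() {
    sed -n 's/^[[:space:]]*\[domain\/\([^]]*\)].*/\1/p' "$1" |
        tr '[:upper:]' '[:lower:]'
}

# Print declared-but-unlisted domains; exit status 1 if there are any, 0 if none.
sssd_unlisted_domains() {
    active=$(sssd_active_domains "$1")
    rc=0
    for name in $(sssd_declared_domains "$1"); do
        # -F: the domain name is a literal, not a regex; -x: whole-line match.
        if ! printf '%s\n' "$active" | grep -qxF "$name"; then
            echo "$name"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample (assumption): the [sssd] header and the two domain sections
# from the post, reduced to the keys this check looks at. Written to a temp file
# so the script runs offline; removed when the script exits.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[sssd]
domains = qa.example.com
config_file_version = 2
services = nss, pam

[domain/qa.example.com]
ad_domain = qa.example.com
id_provider = ad

[domain/corp.example.com]
ad_domain = corp.example.com
id_provider = ad
EOF

# Usage: for the sample this prints "corp.example.com" and the warning line.
if sssd_unlisted_domains "$SAMPLE_CONF"; then
    echo "every [domain/...] section is listed in [sssd] domains="
else
    echo "^ declared but not listed in [sssd] domains= (sssd will not start them)"
fi
```

On a real host run `sssd_unlisted_domains /etc/sssd/sssd.conf` (the post's header says /etc/sssd.conf, but the path sssd reads is /etc/sssd/sssd.conf). Once `domains =` names every section you want, restart sssd and confirm what the daemon actually loaded; on versions that ship sssctl, `sssctl domain-list` prints it.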
btw this was also filed as a ticket, so I replied there.
On 15 Sep 2017, at 18:25, Jeff Silverman jeffrey.d.silverman@gmail.com wrote:
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Thanks. I didn't want to cross-post, but I wasn't sure what the best approach was. I'll follow up in the bug tracker.