We have a similar Windows AD forest:
company.com (forest root domain)
subA.company.com (subdomain)
subB.company.com (subdomain)
I am using ldap as id_provider: id_provider = ldap
If you are using ldap as id_provider you must have 3 domain sections in sssd.conf:
[sssd]
domains = company.com, subA.company.com, subB.company.com
...
[domain/company.com]
....
[domain/subA.company.com]
...
[domain/subB.company.com]
....
In short: for each domain you have to have a domain section. Additionally your krb5.conf file must include all domains.
If you are using "id_provider = ad", I think only the root domain section is sufficient, but I didn't try it before. But in any case you have to have 3 domains in krb5.conf I think.
Taner KARAGOL, you can mail karagol at gmail for additional information.
Date: Mon, 16 Sep 2013 15:22:47 +0200 From: jhro...@redhat.com To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
On Mon, Sep 16, 2013 at 01:17:22PM +0000, a t wrote:
> Hi,
>
> I am testing to find a standard config for Linux authentication
> against Active Directory and I am testing with CentOS 6. I have
> decided on a SSSD/Kerberos/LDAP configuration as described in
> Red Hat's "Integrating Red Hat Enterprise Linux 6 with Active
> Directory" section 6.3.
> http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:syst...
>
> It works very well but for the one domain in our forest i.e.
> b.domain.org. However, users of other domains in the forest can
> not be authenticated. This is understandable as I have pointed
> all the config files at the child domain's DCs, i.e.
> dc1.b.domain.org rather than dc1.domain.org. I have been
> searching for example configurations which will authenticate any
> user in the forest even though the Linux installation is joined
> to a different child domain but not found any.
>
> Scenario I would like to implement:
>
> Linux installation hostname = lin1
> lin1 joined to domain b.domain.org
> users from b.domain.org can login to lin1.b.domain.org
> users from all child domains of domain.org can log into
> lin1.b.domain.org, for example a.domain.org, c.domain.org or z.domain.org
>
> I have attached my current config files as a reference. They work
> for a single domain rather than the whole forest. I suppose I am
> stuck whether to add each AD child domain as separate domains in
> SSSD and REALMS in kerberos or if I can get it to see the whole
> forest.
>
> Thanks for any help / pointers,
>
> Matthew
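The advice above (one [domain/...] section per forest domain in sssd.conf, and every realm present in krb5.conf) is easy to get half right, and the symptom is exactly the one in the original question: users from the domain that was left out cannot authenticate. The following checker is an added example, not code from the thread or from the SSSD project; it embeds constructed sssd.conf and krb5.conf samples for the company.com / subA / subB forest, uses a deliberately minimal parser for krb5.conf's brace syntax, and assumes (labelled in the code) that a section without krb5_realm means the upper-cased domain name.

```python
#!/usr/bin/env python3
"""Cross-check sssd.conf against krb5.conf for a multi-domain AD forest.
Constructed example: parsing is minimal and is not SSSD's own config loader."""
import configparser
import re

# Constructed sssd.conf: all three forest domains listed, each with a section.
SSSD_CONF = """
[sssd]
config_file_version = 2
services = nss, pam
domains = company.com, subA.company.com, subB.company.com

[domain/company.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.company.com
ldap_search_base = dc=company,dc=com
krb5_realm = COMPANY.COM

[domain/subA.company.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.subA.company.com
ldap_search_base = dc=subA,dc=company,dc=com
krb5_realm = SUBA.COMPANY.COM

[domain/subB.company.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.subB.company.com
ldap_search_base = dc=subB,dc=company,dc=com
krb5_realm = SUBB.COMPANY.COM
"""

# Constructed krb5.conf that forgot the subB realm: the failure mode from the
# thread (users of the missing domain cannot authenticate).
KRB5_CONF = """
[libdefaults]
 default_realm = SUBA.COMPANY.COM

[realms]
 COMPANY.COM = {
  kdc = dc1.company.com
 }
 SUBA.COMPANY.COM = {
  kdc = dc1.subA.company.com
 }

[domain_realm]
 .company.com = COMPANY.COM
 .suba.company.com = SUBA.COMPANY.COM
"""

# Same krb5.conf with the missing realm added under [realms].
KRB5_CONF_FIXED = KRB5_CONF.replace(
    "[domain_realm]",
    " SUBB.COMPANY.COM = {\n  kdc = dc1.subB.company.com\n }\n\n[domain_realm]",
)


def parse_sssd(text):
    """Return (domains listed in [sssd], {domain: options of its section})."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    listed = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    sections = {s[len("domain/"):]: dict(cp[s]) for s in cp.sections() if s.startswith("domain/")}
    return listed, sections


def parse_krb5_realms(text):
    """Return the set of realm names defined under [realms] (REALM = { ... })."""
    realms, in_realms = set(), False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_realms = (s == "[realms]")
            continue
        m = re.match(r"([A-Za-z0-9.\-]+)\s*=\s*\{", s) if in_realms else None
        if m:
            realms.add(m.group(1).upper())
    return realms


def check_forest_coverage(sssd_text, krb5_text):
    """Return human-readable problems; an empty list means the files agree."""
    listed, sections = parse_sssd(sssd_text)
    realms = parse_krb5_realms(krb5_text)
    problems = []
    for d in listed:
        sec = sections.get(d)
        if sec is None:
            problems.append(f"{d}: listed in [sssd] domains but has no [domain/{d}] section")
            continue
        # Checker's assumption: no krb5_realm means the upper-cased domain name.
        realm = sec.get("krb5_realm", d).upper()
        if realm not in realms:
            problems.append(f"{d}: realm {realm} is not defined under [realms] in krb5.conf")
    for d in sections:
        if d not in listed:
            problems.append(f"{d}: has a [domain/{d}] section but is not in [sssd] domains, so SSSD ignores it")
    return problems


if __name__ == "__main__":
    for label, krb5 in (("broken krb5.conf", KRB5_CONF), ("fixed krb5.conf", KRB5_CONF_FIXED)):
        print(label, "->", check_forest_coverage(SSSD_CONF, krb5) or "OK")
```

Run against real files by reading them into the two strings; the check also flags the reverse mistake (a [domain/...] section that was written but never added to the domains list), which SSSD silently ignores.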
Hi,
Thanks for your reply.
I was originally using LDAP as the id_provider but it was suggested I try the AD id_provider. The nice advantage of the AD id_provider was that the keytab was created automatically. When I used the LDAP provider I had to create it on the AD DC.
I'll have another go at the LDAP provider and check I had all domains / subdomains in sssd.conf and krb5.conf.
Are your Linux clients joined to subdomains rather than the parent domain?
Thanks,
Matt
From: karagol@aselsan.com.tr To: sssd-users@lists.fedorahosted.org Date: Tue, 19 Nov 2013 12:28:46 +0200 Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users