Hi List,
I am using sssd-1.13 to authenticate my linux clients against Active Directory. Got this working too.
Now we have an incoming one way trust from another domain. So here is the scenario:
AD1: dom1.com - One-way incoming trust from AD2.
AD2: dom2.com - One-way outgoing trust to AD1.
LinuxClient1: member of AD1/dom1.com
Can lookup User1 (created in AD1/DOM1): Linux1>$id AD1\User1 - OK
Can't lookup User2 (created in AD2/DOM2): Linux1>$id AD2\User2 - Not OK.
SSSD is configured with AD1 domain.
Is this kind of configuration possible with SSSD and the sssd-ad provider, because I am able to achieve the above using Likewise but not SSSD? Please show some light on this.
Regards, Parth
On Tue, Mar 01, 2016 at 12:10:30AM -0000, kprprl@gmail.com wrote:
> Hi List,
> I am using sssd-1.13 to authenticate my linux clients against Active Directory. Got this working too.
> Now we have an incoming one way trust from another domain. So here is the scenario:
> AD1: dom1.com - One-way incoming trust from AD2.
> AD2: dom2.com - One-way outgoing trust to AD1.
> LinuxClient1: member of AD1/dom1.com
> Can lookup User1 (created in AD1/DOM1): Linux1>$id AD1\User1 - OK
> Can't lookup User2 (created in AD2/DOM2): Linux1>$id AD2\User2 - Not OK.
> SSSD is configured with AD1 domain.
> Is this kind of configuration possible with SSSD and the sssd-ad provider, because I am able to achieve the above using Likewise but not SSSD? Please show some light on this.
Not supported at the moment short of joining the client to the two forests and defining two [domain] sections.
It's planned but we're not there yet: https://fedorahosted.org/sssd/ticket/2078
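As an added illustration of the workaround Jakub describes (a client joined to both forests, with one [domain] section per forest), here is an sssd.conf sketch. It is not from this thread or from the SSSD project; the domain names follow Parth's scenario, while the keytab paths and the particular options chosen are assumptions.

```ini
# Added example (not from the thread): /etc/sssd/sssd.conf for a client
# that has been joined to BOTH forests independently, so no cross-forest
# trust lookup is required. Keytab paths are placeholders.
[sssd]
services = nss, pam
domains = dom1.com, dom2.com

[domain/dom1.com]
id_provider = ad
access_provider = ad
ad_domain = dom1.com
krb5_realm = DOM1.COM
# keytab written by the join to dom1.com (path is an assumption)
krb5_keytab = /etc/krb5.dom1.keytab
# the same short name can exist in both forests; keep names qualified
# so dom1.com\user1 and dom2.com\user1 are never confused
use_fully_qualified_names = True
cache_credentials = True

[domain/dom2.com]
id_provider = ad
access_provider = ad
ad_domain = dom2.com
krb5_realm = DOM2.COM
krb5_keytab = /etc/krb5.dom2.keytab
use_fully_qualified_names = True
cache_credentials = True
```

With this layout the client carries a host credential for each forest, so sssd.conf and both keytabs should stay root-only (mode 0600), and lookups are made with qualified names, for example `id user2@dom2.com` or `getent passwd user2@dom2.com`, rather than relying on the trust between dom1.com and dom2.com.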
Hi Jakub,
Thanks for the prompt reply. I understood that cross forest transitive trust is not possible with SSSD right now. But can we make this realistic by introducing FreeIPA with SSSD? I've checked their documentation; it seems like they only support domains in a forest and not to another forest. Is this even possible without creating a trust with the second domain directly using FreeIPA?
Regards, Parth
On Tue, Mar 1, 2016 at 6:21 PM, Jakub Hrozek jhrozek@redhat.com wrote:
> Not supported at the moment short of joining the client to the two forests and defining two [domain] sections.
> It's planned but we're not there yet: https://fedorahosted.org/sssd/ticket/2078
On Wed, Mar 02, 2016 at 01:20:24AM +1100, PARTH MONGA wrote:
> Hi Jakub,
> Thanks for the prompt reply. I understood that cross forest transitive trust is not possible with SSSD right now. But can we make this realistic by introducing FreeIPA with SSSD? I've checked their documentation; it seems like they only support domains in a forest and not to another forest. Is this even possible without creating a trust with the second domain directly using FreeIPA?
Yes, you can create separate trust agreements with both forests.
Without creating a direct separate trust agreement there is no way out? So it's like FreeIPA and SSSD stand on the same page here. Both of them learn trust relationships within a forest. :(
On Wed, Mar 2, 2016 at 1:30 AM, Jakub Hrozek jhrozek@redhat.com wrote:
> Yes, you can create separate trust agreements with both forests.
On Wed, 2016-03-02 at 01:20 +1100, PARTH MONGA wrote:
> Hi Jakub,
> Thanks for the prompt reply. I understood that cross forest transitive trust is not possible with SSSD right now. But can we make this realistic by introducing FreeIPA with SSSD? I've checked their documentation; it seems like they only support domains in a forest and not to another forest. Is this even possible without creating a trust with the second domain directly using FreeIPA?
The Windows cross-forest trust model does not allow transitive trusts across forests. This is not a limitation of FreeIPA, it's by Microsoft's design (based on various security reasons).
Simo.
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/admin/lists/sssd-users@lists.fedorahosted.org