> Date: Wed, 18 Sep 2013 10:34:03 +0200
> From: jhrozek(a)redhat.com
> To: sssd-users(a)lists.fedorahosted.org
> Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
>
> On Tue, Sep 17, 2013 at 01:50:15PM +0000, a t wrote:
> >
> >
> > > Date: Mon, 16 Sep 2013 15:59:09 +0200
> > > From: jhrozek(a)redhat.com
> > > To: sssd-users(a)lists.fedorahosted.org
> > > Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
> > >
> > > On Mon, Sep 16, 2013 at 01:45:17PM +0000, a t wrote:
> > > >
> > > >
> > > > > Date: Mon, 16 Sep 2013 15:22:47 +0200
> > > > > From: jhrozek(a)redhat.com
> > > > > To: sssd-users(a)lists.fedorahosted.org
> > > > > Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
> > > > >
> > > > > On Mon, Sep 16, 2013 at 01:17:22PM +0000, a t wrote:
> > > > > > Hi,
> > > > > >
> > > > > > I am trying to find a standard config for Linux authentication against Active Directory and I am testing with CentOS 6. I have decided on a SSSD/Kerberos/LDAP configuration as described in Red Hat's "Integrating Red Hat Enterprise Linux 6 with Active Directory" section 6.3.
> > > > > >
> > > > > > http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:s...
> > > > > >
> > > > > > It works very well but for the one domain in our forest i.e. b.domain.org. However, users of other domains in the forest can not be authenticated. This is understandable as I have pointed all the config files at the child domain's DCs, i.e. dc1.b.domain.org rather than dc1.domain.org. I have been searching for example configurations which will authenticate any user in the forest even though the Linux installation is joined to a different child domain but not found any.
> > > > > >
> > > > > > Scenario I would like to implement;
> > > > > >
> > > > > > Linux installation hostname = lin1
> > > > > > lin1 joined to domain b.domain.org
> > > > > > users from b.domain.org can login to lin1.b.domain.org
> > > > > > users from all child domains of domain.org can log into lin1.b.domain.org, for example a.domain.org, c.domain.org or z.domain.org
> > > > > >
> > > > > > I have attached my current config files as a reference. They work for a single domain rather than the whole forest. I suppose I am stuck whether to add each AD child domain as separate domains in SSSD and REALMS in kerberos or if I can get it to see the whole forest.
> > > > > >
> > > > > >
> > > > > > Thanks for any help / pointers,
> > > > > >
> > > > > >
> > > > > > Matthew
> > > > > >
> > > > > >
> > > > >
> > > > > Hi Matthew,
> > > > >
> > > > > this feature is only supported starting with 1.10 upstream..
> > > > >
> > > > > Even on RHEL-6 I would recommend trying out the AD provider, not the AD/Kerberos provider combo.
> > > > > _______________________________________________
> > > > > sssd-users mailing list
> > > > > sssd-users(a)lists.fedorahosted.org
> > > > >
> > > > > https://lists.fedorahosted.org/mailman/listinfo/sssd-users
> > > >
> > > > Thank you very much for the speedy reply. I'll take another look at the AD provider and keep an eye on future sssd versions.
> > > >
> > >
> > > If you're mostly interested in testing, we build our nightlies even for RHEL6:
> > >
> > > http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-rhel.repo
> > >
> > > But tread lightly, it's really a development snapshot :)
> >
> > Hi Jakub,
> >
> > I installed sssd.x86_64 1.11.1-0.20130912T1711Zgit10bc88a.el6 from the repo you mentioned above. I installed on the same machine using the same config files. All works as expected with no issues I can see.
> >
> > I am going to try to setup sssd with AD provider on a clean VM. 2 questions;
> > 1) I want a certain amount of SSO - mounting a windows share with
> > no manual authentication based on windows permissions. According to
> > http://www.freeipa.org/images/d/dd/Freeipa30_sssd-ad-provider.pdf this is not available until 1.10.
>
> Ah, I see you're referring to slide #11. I think the answer depends on
> what your requirements are.
>
> Login with SSSD gives you a TGT. If there is a client side
> infrastructure to mount a windows share based on Kerberos
> authentication, everything should just work. I think that's what you're
> referring to as SSO?
>
> But currently cifs-utils still require winbind for some tasks like modifying
> ACLs. Integrating with cifs-utils in order to avoid the winbind dependency
> completely is on the roadmap for 1.12 currently (the slides are about a
> year old and we shuffled the priorities a bit)
>
> See:
>
> https://fedorahosted.org/sssd/wiki/DesignDocs/IntegrateSSSDWithCIFSClient
>
> > I see there is a stable 1.11 in a repo or would I need
> > to build from source? I am happy to use the nightly build repo for now and
> > testing but if I roll it out I would obviously want to use a stable version.
>
> Currently I'm not aware of a plan to rebase to a newer version in
> RHEL-6. I would say that backporting individual bugfixes or features is
> more likely.
>
> > 2) Are the example configs in http://www.freeipa.org/images/d/dd/Freeipa30_sssd-ad-provider.pdf still valid in 1.10+ for an AD provider set-up?
>
> Yes they are. You might also want to take a look at adcli from EPEL.
> (and realmd on Fedora and RHEL-7). These make configuring AD client
> really simple and user friendly.
> Hi,
> Thanks. I have the new VM setup with the ad_provider. Much simpler config!
> The authentication for users on the local domain that the installation is joined to works great. However I am in the same situation with other trusted domains in the forest not being able to authenticate. Our domain structure is one parent domain which has a number of sub-domains. Those sub-domains do not have any sub-domains themselves. All users are in the subdomains. The parent domain only has the odd Admin and service user.
> <image of domain structure>
> The installation lin1 is joined to b.domain.org. Users from b.domain.org can login. Users from a.domain.org, c.domain.org or x.domain.org cannot login. I have tried adding domains to sssd.conf and realms to krb5.conf but cannot get it to authenticate users from other child domains.
> krb5.conf, sssd.conf and smb.conf attached. Also attached a portion of the sssd domain log that occurs when trying an # id c\\user.name.
Can you try without "enumerate=true" in the config?
I think you might be hitting a known limitation (patches in progress..)
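The following script is an added example, not code from this thread or from the SSSD project. It captures the two practical points of the exchange above: Jakub's recommendation to use the AD provider rather than the LDAP/Kerberos combination, and his request to drop "enumerate = true" before testing logins from trusted child domains. It prints a minimal AD-provider sssd.conf, lints an existing sssd.conf for those two settings, and probes user lookups in each child domain using both name forms (user@domain and SHORT\user). The domain names (a/b/c.domain.org), the file paths, and deriving the short domain name from the first DNS label are assumptions for illustration; the probe needs a host already joined to AD, so only the config helpers run offline.

```shell
#!/bin/sh
# Added example for the SSSD AD-provider thread; not from the thread or SSSD.
# Domain names, paths and the NetBIOS-name derivation below are assumptions.

# Minimal sssd.conf for the AD provider, without enumerate = true.
# Assumes the host was already joined (e.g. with adcli) so /etc/krb5.keytab exists.
print_ad_provider_conf() {
    cat <<'EOF'
[sssd]
config_file_version = 2
services = nss, pam
domains = b.domain.org

[domain/b.domain.org]
id_provider = ad
auth_provider = ad
access_provider = ad
chpass_provider = ad
ad_domain = b.domain.org
krb5_realm = B.DOMAIN.ORG
cache_credentials = true
use_fully_qualified_names = true
fallback_homedir = /home/%d/%u
default_shell = /bin/bash
EOF
}

# lint_sssd_conf FILE: print one line per finding; exit 1 if any [domain/...]
# section sets enumerate = true or an id_provider other than ad.
lint_sssd_conf() {
    awk '
        /^[ \t]*\[/ {                        # section header, e.g. [domain/b.domain.org]
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/[]][ \t]*$/, "", sec)
            next
        }
        /^[ \t]*[#;]/ || /^[ \t]*$/ { next }  # comments and blank lines
        index($0, "=") > 0 && sec ~ /^domain\// {
            key = $0; sub(/[ \t]*=.*$/, "", key); sub(/^[ \t]*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            if (key == "enumerate" && tolower(val) == "true") {
                printf("%s: enumerate = true, remove it (known limitation with trusted domains)\n", sec)
                bad = 1
            }
            if (key == "id_provider" && val != "ad") {
                printf("%s: id_provider = %s, the AD provider is recommended\n", sec, val)
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# probe_forest_logins USER DOMAIN...: for each child domain try both name forms
# SSSD accepts for users from trusted domains. Needs a joined host, so it is not
# exercised offline. Using the first DNS label as the short name is an assumption.
probe_forest_logins() {
    user=$1; shift
    for dom in "$@"; do
        short=$(printf '%s' "$dom" | cut -d. -f1 | tr '[:lower:]' '[:upper:]')
        for name in "$user@$dom" "$short\\$user"; do
            if getent passwd "$name" >/dev/null 2>&1; then
                printf 'ok       %s\n' "$name"
            else
                printf 'MISSING  %s\n' "$name"
            fi
        done
    done
}

# Usage: sh forest-check.sh /etc/sssd/sssd.conf user.name a.domain.org c.domain.org
if [ $# -ge 1 ]; then
    if ! lint_sssd_conf "$1"; then
        echo "fix the findings above, restart sssd and clear its cache (sss_cache -E)"
    fi
    shift
    if [ $# -ge 2 ]; then
        probe_forest_logins "$@"
    fi
fi
```

Run the lint first; once it passes, the probe output shows per domain whether user@domain and SHORT\user resolve, which separates "the trust is not seen at all" from "only one name form fails".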