On Wed, 2016-07-27 at 16:16 +0200, Petr Spacek wrote:
> On 27.7.2016 15:55, Joakim Tjernlund wrote:
> >
> > We are migrating to a new AD domain and I got cross domain trust problems (there is a bidirectional
> > cross trust between the two ADs, how can I test this works from Linux?). All users in domain A
> > have been copied to domain B (using the same UID/GID as in domain A).
> >
> > I have managed to configure sssd for both domains (let's call the old domain A and the new B),
> > joined to both domains and I can login using any of the 2 domains.
> >
> > But here is the problem:
> > If I use the new domain (B) as default login domain, I cannot ssh to another system still in domain A
> > passwordless (without entering my password again) or access files on NFS mounted files exported from
> > domain A.
> >
> > I know very little about cross trust etc. so I want to ask:
> > 1) Is this even possible?
> > 2) I have no idea where to start looking for what went wrong, need some pointers.
> >
> > We are using sssd 1.13.4 on the new domain B machines while servers
> > in domain A use an older sssd (1.12.5)
>
> The first step is to verify that a system joined to domain B can get keys for
> domain A.
>
> Log in to a system joined to domain B as some user from domain B. Then run
> this command:
>
> $ kvno host/<hostname of a system joined to a system in domain A>
>
> It should print some number. If it prints an error use command
>
> $ KRB5_TRACE=/dev/stdout kvno host/<the same hostname>
>
> and see what went wrong. It would indicate a problem on Kerberos level.
This works for both myhost@A and myhost@B so I guess all is good.
> If this works, look at the target system (joined to domain A) and see its logs.
>
> If you want to treat user1@domainA and user2@domainB as equal you might need
> to tweak Kerberos mapping from principals to local users, see
> https://web.mit.edu/kerberos/krb5-1.14/doc/admin/conf_files/krb5_conf.htm...
> and edit krb5.conf to suit your needs.
In server@A or newhost@B ?

One thing that works though is ssh from server@A to newhost@B (no passwd needed) but
ssh from newhost@B to server@A fails (asks for passwd).
I guess this could be because newhost@B is joined to both domains and sssd is configured
for both domains?
Jocke
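The kvno / KRB5_TRACE check Petr describes, wrapped into a small POSIX shell helper so it can be run against every host in domain A that the B-joined machine must reach. This is an added example, not code from the thread, from sssd or from MIT krb5. It assumes MIT krb5 `kvno` and `klist` are on the PATH and that the user already holds a TGT in the default credential cache; the host and realm names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): cross-realm Kerberos sanity check for a
# host joined to domain B that must reach services in domain A.
# Assumes MIT krb5 'kvno' and 'klist' on the PATH and an existing TGT.

# Realm of the TGT in the default credential cache, parsed from the
# "Default principal: user@REALM" line that MIT klist prints.
tgt_realm() {
    klist 2>/dev/null | sed -n 's/^Default principal: .*@//p' | head -n 1
}

# check_spn SPN [TRACEFILE]
# Try to fetch a service ticket for SPN. Returns 0 on success. On failure the
# request is repeated with KRB5_TRACE set, so the KDC exchange (referral from
# the B KDC, cross-realm TGT, lookup at the A KDC) lands in TRACEFILE.
check_spn() {
    spn=$1
    trace=${2:-/tmp/krb5_trace.$$}
    if kvno "$spn" >/dev/null 2>&1; then
        printf 'OK   %s\n' "$spn"
        return 0
    fi
    printf 'FAIL %s (trace written to %s)\n' "$spn" "$trace"
    # The first attempt already failed; this one only exists to capture the trace.
    KRB5_TRACE="$trace" kvno "$spn" >/dev/null 2>&1 || :
    return 1
}

# check_all SPN...
# Run check_spn for each SPN, one trace file per SPN. Exit status is the number
# of SPNs that failed (0 means every cross-realm ticket could be obtained).
check_all() {
    failed=0
    i=0
    printf 'TGT realm: %s\n' "$(tgt_realm)"
    for spn in "$@"; do
        i=$((i + 1))
        check_spn "$spn" "/tmp/krb5_trace.$$.$i" || failed=$((failed + 1))
    done
    return "$failed"
}

# Usage (placeholder names):
#   . ./krb5-crossrealm.sh
#   check_all host/server.a.example.com host/nfs.a.example.com
```

A zero exit from `check_all` means the Kerberos layer is fine in the direction B to A, which is the part Petr asks to confirm first; a non-zero one points at the trace file for that SPN, where a missing capath or an unknown-realm answer from the KDC shows up directly. If tickets are obtained but sshd on the A side still prompts for a password, the mapping Petr refers to is the next thing to inspect: the `auth_to_local` rules in the `[realms]` section of krb5.conf on the target decide which local account a principal from the other realm may log in as, and sshd's GSSAPI user check consults that mapping.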