On Wed, Apr 06, 2016 at 10:43:22AM -0400, Chadwick Banning wrote:
Hi all,

I have an interesting situation that I couldn't find any definitive information on.

I have a parent AD domain (ad.example.com) and a child domain (child.ad.example.com). I have a machine joined to the child domain (machine.child.ad.example.com). This machine has no access to the parent domain controllers; only the child domain controllers can access the parent domain controllers.

Should user accounts in the ad.example.com domain be able to authenticate to machine.child.ad.example.com? Will machine.child.ad.example.com attempt to connect to the DCs in ad.example.com to authenticate the login? Or will this "parent account-in-child domain" authentication be handled by the child DC contacting the parent DC as part of the trust?
I admit I don't have too much time to test this, so I will speculate a
bit, but I don't think this scenario would work well with SSSD at the
moment.
When SSSD is enrolled with a child domain, we still try to contact the forest root to read the full forest topology, because a child domain only knows about itself and the forest root. OK, that can be worked around, but then we wouldn't know the other domain's SID and we wouldn't know how to map the SIDs to IDs. If you use POSIX attributes, then you could replicate them to the GC and SSSD would use the global catalog for at least some lookups, but not for all: group membership is not stored in the GC except for universal groups, I think. Maybe reading the memberships from the PAC could help, but again, we don't have the SID for the trusted domain.
I wonder if winbind would fare better here, since it might be able to read the info it needs using RPC calls, but as I said, I don't have the time at the moment to test that, sorry.
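To make the "we wouldn't know the other domain's SID and we wouldn't know how to map the SIDs to IDs" point concrete, here is an added Python model of the algorithmic SID-to-ID mapping that SSSD uses by default when a domain has no POSIX attributes. It is not code from this thread or from the SSSD project: it re-implements MurmurHash3_x86_32 (which, as far as I know, is what sss_idmap uses with seed 0xdeadbeef) and the default range settings from the sssd-ad manual (ldap_idmap_range_min 200000, ldap_idmap_range_max 2000200000, ldap_idmap_range_size 200000). The sample SIDs are constructed, and secondary slices and slice-collision handling are left out, so treat it as a model of the scheme rather than a copy of sssd_be. The thing to notice is that the slice for a domain is chosen by hashing the domain SID string, so without the trusted domain's SID there is simply no way to compute a UID for any of its users.

```python
# Added illustration of SSSD's default algorithmic ID mapping (model only).
# Assumptions: MurmurHash3_x86_32 with seed 0xdeadbeef over the domain SID
# string, and the default ldap_idmap_range_* values from the sssd-ad man page.
from typing import Tuple

RANGE_MIN = 200000        # ldap_idmap_range_min default
RANGE_MAX = 2000200000    # ldap_idmap_range_max default
RANGE_SIZE = 200000       # ldap_idmap_range_size default
HASH_SEED = 0xDEADBEEF    # seed sss_idmap hands to its MurmurHash3 port
MASK32 = 0xFFFFFFFF


def _rotl32(x: int, r: int) -> int:
    return ((x << r) | (x >> (32 - r))) & MASK32


def murmur3_32(data: bytes, seed: int) -> int:
    """MurmurHash3_x86_32, written out in full so the example runs offline."""
    c1, c2 = 0xCC9E2D51, 0x1B873593
    h = seed & MASK32
    nblocks = len(data) // 4
    for i in range(nblocks):                      # 4-byte body blocks
        k = int.from_bytes(data[4 * i:4 * i + 4], "little")
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
        h = _rotl32(h, 13)
        h = (h * 5 + 0xE6546B64) & MASK32
    tail = data[nblocks * 4:]                     # 0..3 trailing bytes
    k = 0
    if len(tail) >= 3:
        k ^= tail[2] << 16
    if len(tail) >= 2:
        k ^= tail[1] << 8
    if len(tail) >= 1:
        k ^= tail[0]
        k = (k * c1) & MASK32
        k = _rotl32(k, 15)
        k = (k * c2) & MASK32
        h ^= k
    h ^= len(data)
    h ^= h >> 16                                  # final avalanche mix
    h = (h * 0x85EBCA6B) & MASK32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & MASK32
    h ^= h >> 16
    return h


def domain_slice(domain_sid: str) -> int:
    """Slice index for a domain: hash of its SID string modulo the slice count."""
    max_slices = (RANGE_MAX - RANGE_MIN) // RANGE_SIZE
    return murmur3_32(domain_sid.encode("ascii"), HASH_SEED) % max_slices


def slice_range(domain_sid: str) -> Tuple[int, int]:
    """Inclusive (min_id, max_id) of the primary slice assigned to the domain."""
    base = RANGE_MIN + domain_slice(domain_sid) * RANGE_SIZE
    return base, base + RANGE_SIZE - 1


def sid_to_id(object_sid: str) -> int:
    """Map an object SID (S-1-5-21-...-RID) to a UID/GID.

    The domain SID is everything before the final RID; the slice base comes
    from hashing that string, which is why SSSD must learn the trusted
    domain's SID before it can map a single user from that domain."""
    domain_sid, rid_text = object_sid.rsplit("-", 1)
    rid = int(rid_text)
    if rid >= RANGE_SIZE:
        raise ValueError("RID beyond the primary slice; secondary slices not modelled")
    return slice_range(domain_sid)[0] + rid


if __name__ == "__main__":
    # Constructed sample SIDs standing in for the two domains in the question.
    parent_sid = "S-1-5-21-1000000001-1000000002-1000000003"
    child_sid = "S-1-5-21-2000000001-2000000002-2000000003"
    for name, sid in (("ad.example.com", parent_sid),
                      ("child.ad.example.com", child_sid)):
        lo, hi = slice_range(sid)
        print(f"{name}: slice {domain_slice(sid)} -> IDs {lo}..{hi}")
    print("parent user with RID 1105 ->", sid_to_id(parent_sid + "-1105"))
```

Running it prints one slice per domain and a UID for a parent-domain user; feed it a SID from a domain SSSD never discovered and the mapping is simply undefined, which is the failure mode described above when the child-joined client cannot reach the forest root to enumerate the trusted domains and their SIDs.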