On Sun, Jul 01, 2018 at 03:25:26PM -0500, Spike White wrote:
sssd subject matter experts,
Why is my sssd deployment not doing cross-subdomain AD authentication?
*Background:*
I have a parent AD domain DELL.COM with trusted subdomains AMER.DELL.COM,
APAC.DELL.COM, EMEA.DELL.COM and JAPN.DELL.COM. Each subdomain has a
transitive trust with DELL.COM. So all subdomains trust each other.
I set up a first test VM deployment using sssd. I set up the cross
subdomain auth as in:
https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648....
It worked great – allowed cross subdomain authentication. The only thing
it would not do was use tokengroups. That is, the VM was fully functional,
but I had to add ‘ldap_use_tokengroups = false’ to the sssd.conf file.
My AD experts have advised me that ‘tokengroups’ are an important AD
optimization and I should use them, if at all possible.
Using ldapsearch, I was able to verify that the machine account didn't have the
necessary privileges to query a user's tokengroups. Thus, the fault was
mine – that this first sssd deployment couldn't use tokengroups.
So I did another sssd deployment, using another test VM. Apparently, I did
the realm join command correctly this time, as it's able to use tokengroups.
BUT! This second test VM is not allowing cross subdomain authentication
and login. How do I fix this so that I have use of both tokengroups and
cross subdomain authentication?
...
If I do the same query on the bad VM (spikerealmd02):
[root@spikerealmd02 sssd]# id admjesse_chan
id: admjesse_chan: no such user
How do you know that tokengroups are working if the request fails and
the lookup is not recorded in the logs?
and I see nothing in the sssd_apac.dell.com.log file:
[root@spikerealmd02 sssd]# grep -i admjesse_chan sssd_apac.dell.com.log
[root@spikerealmd02 sssd]#
Do you see the user name in sssd_nss.log? If not, is 'sss' listed in the
passwd line of /etc/nsswitch.conf?
bye,
Sumit
Please help,
Spike
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahost...