> Date: Mon, 16 Sep 2013 15:59:09 +0200
> From: jhrozek@redhat.com
> To: sssd-users@lists.fedorahosted.org
> Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
>
> On Mon, Sep 16, 2013 at 01:45:17PM +0000, a t wrote:
> >
> >
> > > Date: Mon, 16 Sep 2013 15:22:47 +0200
> > > From: jhrozek@redhat.com
> > > To: sssd-users@lists.fedorahosted.org
> > > Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
> > >
> > > On Mon, Sep 16, 2013 at 01:17:22PM +0000, a t wrote:
> > > > Hi,
> > > >
> > > > I am testing find a standard config for Linux authentication against Active Directory and I am testing with Centos 6. I have decided on a SSSD/Kerberos/LDAP configuration as described in RedHats "Integrating Red Hat Enterprise Linux 6 with Active Directory" section 6.3.
> > > > http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/ae40084d0a052601783f1ea42715cdef/26/jcr:frozenNode/rh:resourceFile
> > > >
> > > > It works very well but for the one domain in our forest i.e. b.domain.org. However, users of other domains in the forest can not be authenticated. This is understandable as I have pointed all the config files at the child domains DC's, i.e. dc1.b.domain.org rather than dc1.domain.org. I have been searching for example configurations which will authenticate any user in the forest even though the Linux installation is joined to a different child domain but not found any.
> > > >
> > > > Scenario I would like to implement;
> > > >
> > > > Linux installation hostname = lin1lin1 joined to domain b.domain.orgusers from b.domain.org can login to lin1.b.doamin.orgusers from all child domains of domain.org can log into lin1.b.domain.org. for example a.domain.org, c.domain.org or z.domain.org
> > > >
> > > > I have attached my current config files as a reference. They work for a single domain rather than the whole forest. I suppose I am stuck whether to add each AD child domain as separate domains in SSSD and REALMS in kerberos or if I can get it to see the whole forest.
> > > >
> > > >
> > > > Thanks for any help / pointers,
> > > >
> > > >
> > > > Matthew
> > > >
> > > >
> > >
> > > Hi Matthew,
> > >
> > > this feature is only supported starting with 1.10 upstream..
> > >
> > > Even on RHEL-6 I would recommend trying out the AD provider, not the
> > > AD/Kerberos provider combo.
> > > _______________________________________________
> > > sssd-users mailing list
> > > sssd-users@lists.fedorahosted.org
> > > https://lists.fedorahosted.org/mailman/listinfo/sssd-users
> >
> > Thank you very much for the speedy reply. I'll take another look at the AD provider and keep an eye on future sssd versions.
> >
>
> If you're mostly interested in testing, we build our nighlies even for
> RHEL6:
> http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-rhel.repo
>
> But tread lightly, it's really a development snapshot :)
> _______________________________________________
> sssd-users mailing list
> sssd-users@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users

Hi Jakub,

I installed sssd.x86_64 1.11.1-0.20130912T1711Zgit10bc88a.el6 from the repo you mentioned above. I installed on the same machine using the same config files. All works as expected with no issues I can see.

I am going to try to setup sssd with AD provider on a clean VM. 2 questions;
  1) I want a certain amount of SSO - mounting a windows share with no manual authentication based on windows permissions. According to http://www.freeipa.org/images/d/dd/Freeipa30_sssd-ad-provider.pdf this is not available until 1.10. I see there is a stable 1.11 in a repo or would I need to build from source? I am happy to use the nightly build repo for now and testing but if I roll it out I would obviously want to use a stable version.
  2) Are the example configs in http://www.freeipa.org/images/d/dd/Freeipa30_sssd-ad-provider.pdf still valid in 1.10+ for an AD provider set-up?

Thanks for your help!

Matthew