It's getting interesting.
I set up the production lab and was able to authenticate against the new forest DC fine,
but getent group NEWFOREST\\GROUPNAME returns 0 results.
 
I compiled the latest SSSD on RHEL 6.6.
The error I see in the log exactly matches this:
https://bugzilla.redhat.com/show_bug.cgi?id=1002592
 
When I resolve a group in the first forest it works fine; when I try the new forest it returns 0 results and thinks my provider is offline, although it is not!
 
Any pointer is appreciated.
 
Thanks

 

From: karim.said@windowslive.com
To: sssd-users@lists.fedorahosted.org
Subject: sssd and external trust
Date: Wed, 12 Nov 2014 14:26:21 -0800

Hi Team,
I have a very complex/large AD setup, and SSSD successfully integrated the Linux machine into it.
 
Now, after acquiring another company, we have to integrate a separate AD forest which is now trusted by our forest root.
 
I understand that SSSD won't work with external trusts and only supports the same forest.
 
What is the best practice to allow authentication from the new trusted forest?
 
On my test lab:
I added the new forest to a new domain section, then used adcli to create a computer account on the new forest.
So technically this Linux machine is now joined to two domains.
klist -k shows correct entries for both forests.
I changed nothing in krb5.conf.
 
My tests are positive and I was able to log in to both forests from my Linux machine.
 
Is this a supported scenario, and what is the best practice when having an external trust?
 
Any detailed guidance will be highly appreciated (there is no documentation about this except for IPA, which we don't use).
 
 
Thanks
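The two-forest layout the original message describes (one sssd.conf domain section per forest, one adcli-created computer account in each forest, both host keys in the same keytab), written out as an added example. This is not configuration from the thread or from the SSSD project; the forest names, realms, the Administrator login user and the fully-qualified-name settings are assumptions, and the adcli commands are printed rather than executed so the script runs without a domain controller.

```shell
#!/bin/sh
# Added example, not from the thread. Forest names, realms and the join
# account are assumptions chosen for illustration.
FIRST_DOMAIN="corp.example.com"
FIRST_REALM="CORP.EXAMPLE.COM"
NEW_DOMAIN="acquired.example.net"
NEW_REALM="ACQUIRED.EXAMPLE.NET"
KEYTAB="/etc/krb5.keytab"   # both joins write their host keys here

# Print an sssd.conf with one [domain/...] section per forest. Each section
# sets ad_domain and krb5_realm explicitly so SSSD never derives the second
# forest's realm from the first, and both point at the shared host keytab.
render_sssd_conf() {
    cat <<EOF
[sssd]
services = nss, pam
config_file_version = 2
domains = ${FIRST_DOMAIN}, ${NEW_DOMAIN}

[domain/${FIRST_DOMAIN}]
id_provider = ad
ad_domain = ${FIRST_DOMAIN}
krb5_realm = ${FIRST_REALM}
krb5_keytab = ${KEYTAB}
cache_credentials = True
use_fully_qualified_names = True

[domain/${NEW_DOMAIN}]
id_provider = ad
ad_domain = ${NEW_DOMAIN}
krb5_realm = ${NEW_REALM}
krb5_keytab = ${KEYTAB}
cache_credentials = True
use_fully_qualified_names = True
EOF
}

# Count the [domain/...] sections in a config read from stdin.
count_domain_sections() {
    grep -c '^\[domain/'
}

# The adcli invocations that create a computer account in each forest and
# write the resulting keys into the shared keytab. Printed, not run, so the
# script works offline; pipe the output to sh on the real host to apply.
join_commands() {
    for pair in "${FIRST_DOMAIN}:${FIRST_REALM}" "${NEW_DOMAIN}:${NEW_REALM}"; do
        d=${pair%%:*}
        r=${pair##*:}
        printf 'adcli join --domain=%s --domain-realm=%s --login-user=Administrator --host-keytab=%s\n' \
            "$d" "$r" "$KEYTAB"
    done
}

# The check the original message performed by hand: klist -k must list
# principals for both realms. Returns non-zero if either realm is missing.
keytab_has_both_realms() {
    out=$(klist -k "$KEYTAB" 2>/dev/null) || return 1
    printf '%s\n' "$out" | grep -q "@${FIRST_REALM}" || return 1
    printf '%s\n' "$out" | grep -q "@${NEW_REALM}" || return 1
}
```

Running `render_sssd_conf > /etc/sssd/sssd.conf` followed by `join_commands | sh` and then `keytab_has_both_realms` reproduces the three steps in the order the message lists them; the join step needs credentials in each forest and a reachable DC, which is why it is the only part not exercised by the checks below.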