Thanks for your reply.
I was originally using the LDAP as the id_provider but it was suggested I tried the AD id_provider. The nice advantage of the AD id_provider was that the keytab was created automatically. When I used the LDAP provider I had to create it on the AD DC.
I'll have another go at the LDAP provider and check I had all domains / subdomains in sssd.conf and krb5.conf.
From: karagol@aselsan.com.tr
To: sssd-users@lists.fedorahosted.org
Date: Tue, 19 Nov 2013 12:28:46 +0200
Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
We have similar windows AD forest:
company.com
(forest root doman)
subA.company.com
(subdomain)
subB.company.com
(subdomain)
I am using ldap as
id_provider:
id_provider =
ldap
if you are using
ldap as id_provider you must have 3 domain section in
sssd.conf:
[sssd]
domains =
company.com, subA.company.com, subB.company.com
...
[domain/company.com]
....
[domain/subA.company.com]
...
[domain/subB.company.com]
....
in short: for each
domain you have to have domian section. additionaly your krb5.conf file must
include all domains.
if you are using
"id_provider = ad", I think only root domain section is sufficent, but I didnt
try before. But in any case you have to have 3 domains in krb5.conf I
think.
Taner
KARAGOL
u can mail to
karagol at gmail for additional information.
> > > > >
> > > > > > Date: Mon, 16
Sep 2013 15:22:47 +0200
> > > > > > From:
jhro...@redhat.com
> > > > > > To:
sssd-users@lists.fedorahosted.org
> > > > > > Subject: Re:
[SSSD-users] authenticating against all sub-domains in
> > > >
> > AD forest
> > > > > >
> > > >
> > On Mon, Sep 16, 2013 at 01:17:22PM +0000, a t wrote:
> > >
> > > > Hi,
> > > > > > >
> > >
> > > > I am testing find a standard config for Linux authentication
> > > > > > > against Active Directory and I am testing
with Centos 6. I have
> > > > > > > decided on a
SSSD/Kerberos/LDAP configuration as described in
> > > > >
> > RedHats "Integrating Red Hat Enterprise Linux 6 with Active
>
> > > > > > Directory" section 6.3.
> > > >
> > >
http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/ae40084d0a052601783f1ea42715cdef/26/jcr:frozenNode/rh:resourceFile>
> > > > > >
> > > > > > > It works
very well but for the one domain in our forest i.e.
> > > > >
> > b.domain.org. However, users of other domains in the forest can
> > > > > > > not be authenticated. This is
understandable as I have pointed
> > > > > > > all the
config files at the child domains DC's, i.e.
> > > > > >
> dc1.b.domain.org rather than dc1.domain.org. I have been
> > >
> > > > searching for example configurations which will authenticate
any
> > > > > > > user in the forest even though the
Linux installation is joined
> > > > > > > to a
different child domain but not found any.
> > > > > > >
> > > > > > > Scenario I would like to
implement;
> > > > > > >
> > > > >
> > Linux installation hostname = lin1lin1 joined to domain
> >
> > > > > b.domain.orgusers from b.domain.org can login to
> > > > > > > lin1.b.doamin.orgusers from all child
domains of domain.org can
> > > > > > > log into
lin1.b.domain.org. for example a.domain.org,
> > > > > >
> c.domain.org or z.domain.org
> > > > > > >
> > > > > > > I have attached my current config files
as a reference. They work
> > > > > > > for a single
domain rather than the whole forest. I suppose I am
> > > > >
> > stuck whether to add each AD child domain as separate domains in
> > > > > > > SSSD and REALMS in kerberos or if I can
get it to see the whole
> > > > > > > forest.
>
> > > > > >
> > > > > > >
>
> > > > > > Thanks for any help / pointers,
> > >
> > > >
> > > > > > >
> > >
> > > > Matthew
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users