Date: Mon, 16 Sep 2013 15:22:47 +0200
From: jhrozek(a)redhat.com
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
On Mon, Sep 16, 2013 at 01:17:22PM +0000, a t wrote:
> Hi,
>
> I am testing to find a standard config for Linux authentication against Active
> Directory and I am testing with CentOS 6. I have decided on a SSSD/Kerberos/LDAP
> configuration as described in Red Hat's "Integrating Red Hat Enterprise Linux 6 with
> Active Directory" section 6.3.
>
> http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:s...
>
> It works very well but for the one domain in our forest i.e. b.domain.org. However,
> users of other domains in the forest can not be authenticated. This is understandable as I
> have pointed all the config files at the child domain's DCs, i.e. dc1.b.domain.org
> rather than dc1.domain.org. I have been searching for example configurations which will
> authenticate any user in the forest even though the Linux installation is joined to a
> different child domain but not found any.
>
> Scenario I would like to implement;
>
> Linux installation hostname = lin1
> lin1 joined to domain b.domain.org
> users from b.domain.org can login to lin1.b.domain.org
> users from all child domains of domain.org can log into lin1.b.domain.org, for example
> a.domain.org, c.domain.org or z.domain.org
>
> I have attached my current config files as a reference. They work for a single
> domain rather than the whole forest. I suppose I am stuck whether to add each AD child
> domain as separate domains in SSSD and REALMS in kerberos or if I can get it to see the
> whole forest.
>
>
> Thanks for any help / pointers,
>
>
> Matthew
>
>
Hi Matthew,
this feature is only supported starting with 1.10 upstream.
Even on RHEL-6 I would recommend trying out the AD provider, not the
AD/Kerberos provider combo.
_______________________________________________
Thank you very much for the speedy reply. I'll take another look at the AD provider
and keep an eye on future sssd versions.