On 27.7.2016 15:55, Joakim Tjernlund wrote:
We are migrating to a new AD domain and I got cross domain trust problems (there is a bidirectional
cross trust between the two ADs, how can I test this works from Linux?). All users in
have been copied to domain B (using the same UID/GID as in domain A).
I have managed to configure sssd for both domains (let's call the old domain A and the new
joined to both domains and I can login using any of the 2 domains.
But here is the problem:
If I use the new domain (B) as default login domain, I cannot ssh to another system still
in domain A passwordless (without entering my password again) or access files on NFS mounts
exported from domain A.
I know very little about cross trust etc. so I want to ask:
1) Is this even possible?
2) I have no idea where to start looking for what went wrong, need some pointers.
We are using sssd 1.13.4 on the new domain B machines while servers
in domain A use an older sssd (1.12.5).
The first step is to verify that system joined to domain B can get keys for
Log in to a system joined to domain B as some user from domain B. Then run
$ kvno host/<hostname of a system joined to a system in domain A>
It should print some number. If it prints an error use command
$ KRB5_TRACE=/dev/stdout kvno host/<the same hostname>
and see what went wrong. It would indicate a problem on Kerberos level.
If this works, look at the target system (joined to domain A) and see its logs.
If you want to treat user1@domainA and user2@domainB as equal you might need
to tweak Kerberos mapping from principals to local users, see
and edit krb5.conf to suit your needs.
I hope it helps.
Petr Spacek @ Red Hat
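The two kvno commands from the reply, wrapped in a small script as an added example (not code from the thread or from sssd/krb5): it runs the check with KRB5_TRACE and condenses the trace to the cross-realm TGT hops and the final outcome, which is the part worth reading first when "see what went wrong" yields pages of output. The sample trace lines are constructed, modelled on MIT krb5 trace messages, with placeholder realms A.EXAMPLE and B.EXAMPLE and a placeholder host.

```shell
#!/bin/sh
# Added example, not from the thread. Runs the kvno check with KRB5_TRACE and
# condenses the trace to the cross-realm hops it took. Assumes MIT krb5 (kvno)
# and an existing TGT in the default credential cache.

# summarize_trace: reads KRB5_TRACE output on stdin and prints one line per
# event of interest: each TGT hop, the final service ticket, or a KDC error.
# Exit status: 0 creds obtained, 1 KDC error seen, 2 neither (read the raw trace).
summarize_trace() {
    awk '
        /Requesting TGT /                    { sub(/^.*Requesting TGT /, ""); print "hop:   " $0; next }
        /Received creds for desired service/ { sub(/^.*service /, "");        print "ok:    " $0; ok = 1; next }
        /Received error from KDC: /          { sub(/^.*KDC: /, "");           print "error: " $0; err = 1; next }
        END { if (ok) exit 0; if (err) exit 1; exit 2 }
    '
}

# check_cross_realm HOST: the two commands from the reply, combined. Run it on a
# domain B machine as a domain B user; HOST is a system joined to domain A.
check_cross_realm() {
    KRB5_TRACE=/dev/stdout kvno "host/$1" 2>&1 | summarize_trace
}

# Constructed sample traces (placeholder realms and host), modelled on MIT krb5
# trace messages; they stand in for real kvno output so the script runs offline.
sample_trace_ok() {
    cat <<'EOF'
[4242] 1469620000.1: Getting credentials joakim@B.EXAMPLE -> host/srv.a.example@A.EXAMPLE using ccache FILE:/tmp/krb5cc_1000
[4242] 1469620000.2: Requesting TGT krbtgt/A.EXAMPLE@B.EXAMPLE using TGT krbtgt/B.EXAMPLE@B.EXAMPLE
[4242] 1469620000.3: Received creds for desired service host/srv.a.example@A.EXAMPLE
EOF
}
# Failure shape: B's KDC does not know krbtgt/A.EXAMPLE, i.e. no usable trust from B to A.
sample_trace_fail() {
    cat <<'EOF'
[4243] 1469620100.1: Getting credentials joakim@B.EXAMPLE -> host/srv.a.example@A.EXAMPLE using ccache FILE:/tmp/krb5cc_1000
[4243] 1469620100.2: Requesting TGT krbtgt/A.EXAMPLE@B.EXAMPLE using TGT krbtgt/B.EXAMPLE@B.EXAMPLE
[4243] 1469620100.3: Received error from KDC: -1765328377/Server not found in Kerberos database
EOF
}
```

Against a live system, `check_cross_realm srv.a.example` prints the same kind of summary; a `hop:` line followed by `ok:` means the cross-realm path from B to A works at the Kerberos level, and any remaining login failure is on the target host (PAM/sssd/NFS), which is where Petr suggests looking next.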