On 11/12/2014 05:26 PM, Karim wrote:
Hi Team,
i have a very complex/large AD setup which SSSD successfully
integrated the Linux machine onto it.
now after acquiring another company we have to integrate a
separate AD forest which is now trusted by our forest root.
I understand that SSSD won't work with external trusts and only
support the same forest.
what is the best practice to allow authentication from the new
trusted forest.
on my test lab
I added the new forest to a new domain section, then used adcli
to create a computer account on the new forest.
so technically this Linux machine is now joined to two domains
klist -k show correct entries for both forests
nothing i changed in krb5.conf
my tests are positive and i was able to login both forests from
my Linux machine.
is this supported scenario and what is the best practice when
having external trust?.
Yes it is so far is the only option how it can be done. There is no
HowTo because so far no one actually did this in open and shared.
I am not sure I get the second part of your question.
Are you asking how to do do it with two forests? The answer is
define two domains as you did it.
If you asking what would be done in future then once we implement
https://fedorahosted.org/sssd/ticket/2078 you would need just a
single domain.
HTH
any detailed guidance will be highly appreciated (no
documentation about this except for IPA which we don't use)
Thanks
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager IdM portfolio
Red Hat, Inc.