2:06 p.m.
What is the appropriate way to configure sssd to use krb5 and authenticate users against a
domain controller with a one-way trust to another domain?
In other words:
I join the Linux system to the domain "DOMA." There is a one-way trust between
"DOMA" and "DOMB." I am able to log into a Windows server joined to
DOMA with DOMB\MyUserName. The Linux system joined to the domain uses a computer account
as the Kerberos principal to do the binds with.
I'm not really sure in this scenario how I would craft my sssd.conf to perform the
appropriate authentication. I'm actually having trouble even figuring out how my
krb5.conf should look too. Any help?
Thanks!
Greg Wojtak
Sr. Unix Systems Engineer
Office: (313) 373-4306
Cell: (734) 718-8472
5:34 p.m.
On 09/11/2012 03:06 PM, Wojtak, Greg (Superfly) wrote:
What is the appropriate way to configure sssd to use krb5 and
authenticate users against a domain controller with a one-way trust to another domain?
In other words:
I join the Linux system to the domain "DOMA." There is a one-way trust between
"DOMA" and "DOMB." I am able to log into a Windows server joined to
DOMA with DOMB\MyUserName. The Linux system joined to the domain uses a computer account
as the Kerberos principal to do the binds with.
I'm not really sure in this scenario how I would craft my sssd.conf to perform the
appropriate authentication. I'm actually having trouble even figuring out how my
krb5.conf should look too. Any help?
Thanks!
This will be possible only in the following conditions:
1. SSSD 1.9 or later (beta 7 released upstream recently)
2. Linux system is joined to IPA 3.0 or later (beta 3 released upstream
recently)
3. User is from AD
4. AD and IPA are in two way or one way trust (IPA trusts AD).
More details on how to set it up see on
http://freeipa.org/page/IPAv3_testing_AD_trust
You are also welcome to join a Fedora test day
http://fedoraproject.org/wiki/QA/Fedora_18_test_days to test this
functionality later this month. The date on the page if not going to
hold, it is probably going to be slipped by one or two weeks.
HTH
Greg Wojtak
Sr. Unix Systems Engineer
Office: (313) 373-4306
Cell: (734) 718-8472
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
--
Thank you,
Dmitri Pal
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.
-------------------------------
Looking to carve out IT costs?
www.redhat.com/carveoutcosts/
4107
days inactive
4107
days old
sssd-users@lists.fedorahosted.org
1 comments
2 participants
participants (2)
-
Dmitri Pal -
Wojtak, Greg (Superfly)