On 09/11/2012 03:06 PM, Wojtak, Greg (Superfly) wrote:
What is the appropriate way to configure sssd to use krb5 and
authenticate users against a domain controller with a one-way trust to another domain?
In other words:
I join the Linux system to the domain "DOMA." There is a one-way trust between
"DOMA" and "DOMB." I am able to log into a Windows server joined to
DOMA with DOMB\MyUserName. The Linux system joined to the domain uses a computer account
as the Kerberos principal to do the binds with.
I'm not really sure in this scenario how I would craft my sssd.conf to perform the
appropriate authentication. I'm actually having trouble even figuring out how my
krb5.conf should look too. Any help?

This will be possible only under the following conditions:
1. SSSD 1.9 or later (beta 7 released upstream recently)
2. Linux system is joined to IPA 3.0 or later (beta 3 released upstream
3. User is from AD
4. AD and IPA are in a two-way or one-way trust (IPA trusts AD).
More details on how to set it up see on
You are also welcome to join a Fedora test day to test this
functionality later this month. The date on the page is not going to
hold; it is probably going to be slipped by one or two weeks.
Sr. Unix Systems Engineer
Sr. Engineering Manager for IdM portfolio
Red Hat Inc.