What is the appropriate way to configure sssd to use krb5 and authenticate users against a domain controller with a one-way trust to another domain?
In other words:
I join the Linux system to the domain "DOMA." There is a one-way trust between "DOMA" and "DOMB." I am able to log into a Windows server joined to DOMA with DOMB\MyUserName. The Linux system joined to the domain uses a computer account as the Kerberos principal to do the binds with.
I'm not really sure in this scenario how I would craft my sssd.conf to perform the appropriate authentication. I'm actually having trouble even figuring out how my krb5.conf should look too. Any help?
Thanks!
Greg Wojtak Sr. Unix Systems Engineer Office: (313) 373-4306 Cell: (734) 718-8472
On 09/11/2012 03:06 PM, Wojtak, Greg (Superfly) wrote:
> What is the appropriate way to configure sssd to use krb5 and authenticate users against a domain controller with a one-way trust to another domain?
> In other words:
> I join the Linux system to the domain "DOMA." There is a one-way trust between "DOMA" and "DOMB." I am able to log into a Windows server joined to DOMA with DOMB\MyUserName. The Linux system joined to the domain uses a computer account as the Kerberos principal to do the binds with.
> I'm not really sure in this scenario how I would craft my sssd.conf to perform the appropriate authentication. I'm actually having trouble even figuring out how my krb5.conf should look too. Any help?
> Thanks!
This will be possible only in the following conditions:
1. SSSD 1.9 or later (beta 7 released upstream recently)
2. Linux system is joined to IPA 3.0 or later (beta 3 released upstream recently)
3. User is from AD
4. AD and IPA are in two way or one way trust (IPA trusts AD).
For more details on how to set it up, see http://freeipa.org/page/IPAv3_testing_AD_trust
You are also welcome to join a Fedora test day (http://fedoraproject.org/wiki/QA/Fedora_18_test_days) to test this functionality later this month. The date on the page is not going to hold; it is probably going to be slipped by one or two weeks.
HTH
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users