I've previously only used sssd in a much simpler situation, on a
single-domain AD forest with no additional complications. Now, I'm trying
to make it work with the following:
1. Forest (vvu.edu) with two domains, vvu.edu (the root domain) and vae.vvu.edu (child domain), with the default two-way trust between the domains. For reasons of Windows system management and user experience, I can't easily break the domain trust or put all users in the root domain.
2. Linux system with sssd, preferably Debian or Ubuntu, tied to the child
domain. CentOS and RHEL may be a possibility later. I assume any working
version number of sssd will work identically on any platform.
3. As far as the Linux system is concerned, all user accounts in the root
domain are normal, unprivileged end-user accounts. These should get a
shell of /usr/bin/rssh.
4. The only user accounts in the child domain are for system
administrators. Accounts in the AD group 'server-admins' should get a
shell of /bin/bash.
I got hints from both https://fedorahosted.org/sssd/wiki/DesignDocs/ActiveDirectoryAccessControl and http://serverfault.com/a/577885, but I'm stuck without a complete solution.
For a test case on Debian 8, sssd 1.11.7-3, my sssd.conf has contents of:
[sssd]
#domains = admins_vae, vae.vvu.edu
domains = vae.vvu.edu
config_file_version = 2
services = nss, pam

# Everyone resolvable through the child domain (including trusted root-domain
# users) gets the restricted shell by default.
[domain/vae.vvu.edu]
id_provider = ad
ad_domain = vae.vvu.edu
override_homedir = /home/vvu.edu/%u
default_shell = /usr/bin/rssh

# Second sssd domain against the same AD domain, intended for server-admins only.
[domain/admins_vae]
id_provider = ad
ad_domain = vae.vvu.edu
override_homedir = /home/vae.vvu.edu/%u
default_shell = /bin/bash
#access_provider = simple
#simple_allow_groups = server-admins
access_provider = ad
ad_access_filter = memberOf=cn=server-admins,ou=groups,dc=vae,dc=vvu,dc=edu
and testing with this configuration returns:
root@files:~# getent group server-admins
server-admins:*:225001113:_renfro
root@files:~# getent passwd renfro@vvu.edu
renfro@vvu.edu:*:927801103:927801103:renfro:/home/vvu.edu/renfro:/usr/bin/rssh
root@files:~# getent passwd _renfro@vae.vvu.edu
_renfro:*:225001109:225000513:_renfro:/home/vvu.edu/_renfro:/usr/bin/rssh
root@files:~# getent passwd _renfro
_renfro:*:225001109:225000513:_renfro:/home/vvu.edu/_renfro:/usr/bin/rssh
where the group membership is correct and the single enabled sssd domain
provides NSS information as instructed.
After changing the list of domains in sssd.conf to use **both** the vae_admins domain and the vae.vvu.edu one, both users end up getting admin settings, instead of the admin user getting the admin setting and the regular user getting his original setting:
root@files:~# getent group server-admins
server-admins:*:225001113:_renfro
root@files:~# getent passwd _renfro
_renfro:*:225001109:225000513:_renfro:/home/vae.vvu.edu/_renfro:/bin/bash
root@files:~# getent passwd renfro@vvu.edu
renfro@vvu.edu:*:927801103:927801103:renfro:/home/vae.vvu.edu/renfro:/bin/bash
I get identical results with the simple access provider, too (both users
get admin settings). Where can I go from here? Thanks in advance for any
help.
--
Mike Renfro / R&D Engineer, Center for Manufacturing Research,
931 372-3601 / Tennessee Technological University
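The policy laid out in the post (root-domain users get /usr/bin/rssh, child-domain members of server-admins get /bin/bash) is worth checking mechanically every time sssd.conf changes, because the failure in the second run above is a root-domain user quietly receiving an interactive shell. The script below is an added example written for this page, not code from the post or from the sssd project. It assumes, as the post's output shows, that root-domain users are printed fully qualified (renfro@vvu.edu) and child-domain users unqualified (_renfro), and uses that suffix to tell the two domains apart; the sample getent lines are copied from the post's two runs.

```sh
#!/bin/sh
# Added example, not from the original post: audit `getent passwd` results against
# the shell policy the post describes. Assumption: root-domain (vvu.edu) users show
# up fully qualified (renfro@vvu.edu) and child-domain users unqualified (_renfro),
# as in the post's output, so the name suffix tells the two domains apart. The
# sample lines below are copied from the post's two test runs.

ROOT_DOMAIN="vvu.edu"            # root domain: unprivileged users only
ADMIN_GROUP="server-admins"      # child-domain AD group that may get a real shell
RESTRICTED_SHELL="/usr/bin/rssh"
ADMIN_SHELL="/bin/bash"

# is_member USER GROUP_LINE: succeed if GROUP_LINE is the admin group's getent
# line and USER appears in its member list (4th field).
is_member() {
    [ "$(printf '%s\n' "$2" | cut -d: -f1)" = "$ADMIN_GROUP" ] || return 1
    _members=$(printf '%s\n' "$2" | cut -d: -f4)
    case ",$_members," in
        *",$1,"*) return 0 ;;
        *)        return 1 ;;
    esac
}

# expected_shell USER GROUP_LINE: print the shell the policy requires for USER
expected_shell() {
    case "$1" in
        *"@$ROOT_DOMAIN")
            # Root-domain account: always restricted, regardless of groups.
            echo "$RESTRICTED_SHELL" ;;
        *)
            # Child-domain account: a login shell only for server-admins members.
            if is_member "$1" "$2"; then echo "$ADMIN_SHELL"; else echo "$RESTRICTED_SHELL"; fi ;;
    esac
}

# check_passwd_line PASSWD_LINE GROUP_LINE: 0 if the shell matches policy, 1 if not.
# Findings go to stderr so callers can capture the count on stdout.
check_passwd_line() {
    _user=$(printf '%s\n' "$1" | cut -d: -f1)
    _shell=$(printf '%s\n' "$1" | cut -d: -f7)
    _want=$(expected_shell "$_user" "$2")
    if [ "$_shell" = "$_want" ]; then
        printf 'OK        %-16s %s\n' "$_user" "$_shell" >&2
        return 0
    fi
    printf 'VIOLATION %-16s has %s, policy requires %s\n' "$_user" "$_shell" "$_want" >&2
    return 1
}

# audit GROUP_LINE PASSWD_LINE...: check every line, print the number of violations
audit() {
    _group=$1; shift
    _bad=0
    for _line in "$@"; do
        check_passwd_line "$_line" "$_group" || _bad=$((_bad + 1))
    done
    echo "$_bad"
}

# Sample data copied from the post (getent output, wrapped lines rejoined).
GROUP_LINE='server-admins:*:225001113:_renfro'
# Run 1: only [domain/vae.vvu.edu] enabled
RUN1_ROOT='renfro@vvu.edu:*:927801103:927801103:renfro:/home/vvu.edu/renfro:/usr/bin/rssh'
RUN1_ADMIN='_renfro:*:225001109:225000513:_renfro:/home/vvu.edu/_renfro:/usr/bin/rssh'
# Run 2: both [domain/admins_vae] and [domain/vae.vvu.edu] enabled
RUN2_ROOT='renfro@vvu.edu:*:927801103:927801103:renfro:/home/vae.vvu.edu/renfro:/bin/bash'
RUN2_ADMIN='_renfro:*:225001109:225000513:_renfro:/home/vae.vvu.edu/_renfro:/bin/bash'

echo "run 1 violations: $(audit "$GROUP_LINE" "$RUN1_ROOT" "$RUN1_ADMIN")"
echo "run 2 violations: $(audit "$GROUP_LINE" "$RUN2_ROOT" "$RUN2_ADMIN")"
```

Run against the post's two result sets it reports one violation each: in the first run _renfro gets rssh although the group lookup shows him in server-admins, and in the second renfro@vvu.edu gets /bin/bash. Keep in mind that default_shell only shapes the NSS answer; whether an account can log in at all is decided by the access provider during the PAM account phase, so an audit of getent output checks shells, not access.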