On 07/30/2015 03:38 AM, Paul Becker wrote:
Dear Sir or Madam,
my college configured an external trust for our existing Active Directory. We have joined
our Linux Server using realmd and aren't able to resolve any user IDs from the new
trusted domain using sssd. I am in fact able to get a Kerberos Ticket with credentials of
the trusted domain. Is this a known issue? Please let me know if I am able to provide any
further information. Logfiles are attached to this mail.
- centos7 with sssd 1.12.2-58 joined to active directory domain 'content.zone'.
'content.zone' in turn trusts (one-way, external) the domain 'oew.de'.
I assume it is a cross forest trust.
SSSD does not support cross forest trusts.
It is unclear how soon we would be able to deliver this capability.
The workaround is to create an IdM domain, put your Linux clients into
that domain and establish forest trusts with both your AD domains. That
is known to work.
- 'id user(a)oew.de' gives the error message ' GSSAPI Error: Unspecified GSS
failure. Minor code may provide more information (Server not found in Kerberos
- resolving user(a)content.zone works without a hitch.
(Thu Jul 30 09:07:28 2015) [sssd[be[content.zone]]] [sasl_bind_send] (0x0080): Extended
failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor
code may provide more information (Server not found in Kerberos database)]
How to reproduce:
sudo realm join --user="administrator"
sudo systemctl stop sssd; sudo rm -rf /var/lib/sss/db/*; sudo systemctl start sssd
Engineering Director, Identity Management and Platform Security
Red Hat, Inc.
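
For triaging logs like the one quoted in this thread, the following is an added example (not part of the original messages and not SSSD project code) that parses sssd backend debug records, rejoins wrapped lines, and reports which domain backend logged a GSSAPI failure during the LDAP SASL bind and with what Kerberos minor status. The first sample record is the one from the thread; the second is constructed for illustration.

```python
import re

# sssd debug_level bitmask values for the failure levels.
LEVELS = {0x0010: "fatal", 0x0020: "critical",
          0x0040: "operation failure", 0x0080: "minor failure"}

# "(timestamp) [sssd[be[<domain>]]] [<function>] (0xNNNN): <message>"
HEADER = re.compile(
    r"^\((?P<ts>[^)]+)\) \[sssd\[be\[(?P<domain>[^\]]+)\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]{4})\): (?P<msg>.*)$"
)
GSS_MINOR = re.compile(r"Minor code may provide more information \((?P<minor>[^)]+)\)")

# First record: copied from the thread. Second record: constructed sample.
SAMPLE = """\
(Thu Jul 30 09:07:28 2015) [sssd[be[content.zone]]] [sasl_bind_send] (0x0080): Extended
failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor
code may provide more information (Server not found in Kerberos database)]
(Thu Jul 30 09:07:29 2015) [sssd[be[content.zone]]] [be_ptask_execute] (0x0400): constructed line
"""

def parse_backend_log(text):
    """Return one dict per backend record, joining wrapped continuation lines."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            rec = m.groupdict()
            rec["level"] = int(rec["level"], 16)
            records.append(rec)
        elif records and line.strip():
            # No record header: treat as the wrapped tail of the previous message.
            records[-1]["msg"] += " " + line.strip()
    return records

def gssapi_bind_failures(text):
    """Return (timestamp, backend domain, level name, GSS minor status) tuples."""
    hits = []
    for rec in parse_backend_log(text):
        m = GSS_MINOR.search(rec["msg"])
        if rec["func"] == "sasl_bind_send" and m:
            level = LEVELS.get(rec["level"], hex(rec["level"]))
            hits.append((rec["ts"], rec["domain"], level, m.group("minor")))
    return hits

if __name__ == "__main__":
    for hit in gssapi_bind_failures(SAMPLE):
        print(" | ".join(hit))
```
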