SSSD (unless you specify subdomains_provider = none) tries to reach forest DCs upon its
initialization to discover network sites etc.
So if machines in child.ad.example.com cannot contact controllers in ad.example.com,
my guess is it simply won't work, as SSSD would not be able to discover domain controllers
for the child site.
From: Jakub Hrozek [mailto:firstname.lastname@example.org]
Sent: Thursday, April 07, 2016 5:57 PM
Subject: [SSSD-users] Re: SSSD and AD trusts
On Wed, Apr 06, 2016 at 10:43:22AM -0400, Chadwick Banning wrote:
I have an interesting situation that I couldn't find a definitive
I have a parent AD domain (ad.example.com) and a child domain ( ). I have a machine
joined to the child domain ( ). This machine has no access to the parent domain
controllers; only the child domain controllers can access the parent domain controllers.
Should user accounts in the ad.example.com
domain be able to
authenticate to machine.child.ad.example.com? Will
attempt to connect to the DCs in
to authenticate the login? Or will this "parent
account-in-child domain" authentication be handled by the child DC contacting the
parent DC as part of the trust?
I admit I don't have too much time to test this, so I will speculate a bit, but I
don't think this scenario would work well with SSSD at the moment.

When SSSD is enrolled with a child domain, we still try to contact the forest root to read
the full forest topology, because a child domain only knows about itself and the forest
root. OK, that can be worked around, but then we wouldn't know the other domain's
SID and we wouldn't know how to map the SIDs to IDs. If you use POSIX attributes, then
you could replicate them to the GC and SSSD would at least for some lookups use the global
catalog, but not for all; group membership is not stored in the GC except for
universal groups, I think. Maybe reading the memberships from the PAC could help, but again,
we don't have the SID for the trusted domain.

I wonder if winbind would fare better here since it might be able to read the info it
needs using RPC calls... but as I said, I don't have the time at the moment to test
sssd-users mailing list
The information contained in this e-mail and in any attachments is confidential and is
designated solely for the attention of the intended recipient(s). If you are not an
intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or
any part thereof. If you have received this e-mail in error, please notify the sender by
return e-mail and delete all copies of this e-mail from your computer system(s). Please
direct any additional queries to: communications(a)s3group.com. Thank You. Silicon and
Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office:
South County Business Park, Leopardstown, Dublin 18.
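Added illustration, not part of either message in the thread: an sssd.conf fragment for a client joined to the child domain, showing the default subdomain discovery that the replies say requires reaching the forest root, next to the `subdomains_provider = none` work-around the first reply mentions (the option is spelled `subdomains_provider` in sssd.conf(5)). The domain names are the ones used in the thread; the `[sssd]` and `id_provider`/`access_provider` lines are the stock AD-provider layout from sssd-ad(5), and the commentary restates what the two replies say, not the result of a test.

```ini
# /etc/sssd/sssd.conf on a host joined to child.ad.example.com
# Added example, not from the mailing-list thread.
[sssd]
services = nss, pam
domains = child.ad.example.com

[domain/child.ad.example.com]
id_provider = ad
access_provider = ad
ad_domain = child.ad.example.com

# Default behaviour (subdomains_provider = ad): at start-up SSSD contacts
# the forest root (ad.example.com) to read the forest topology, the
# trusted domains' SIDs and the site information. Per the thread, if the
# forest-root DCs are unreachable from this host that discovery fails and
# logins for ad.example.com accounts are not expected to work.
#subdomains_provider = ad

# Work-around named in the thread: do not discover trusted domains at all.
# Cost: accounts from ad.example.com (or any other domain in the forest)
# cannot be resolved on this host, because SSSD never learns that domain's
# SID and therefore cannot map its SIDs to POSIX IDs.
subdomains_provider = none
```

Before choosing either setting, confirm what the client can actually reach: `dig SRV _ldap._tcp.dc._msdcs.ad.example.com` shows which forest-root DCs DNS advertises, and a TCP probe such as `nc -zv <dc-hostname> 389` (and 3268 for the global catalog) shows whether the firewall lets this host talk to them. If those probes fail, the default configuration will hit exactly the discovery problem both replies describe.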