Rob, All

I have put another domain into sssd.conf, with ldap access_/auth_/id_, ldap_uri, ldap_access_filter ..., on my IPA client host.
When I first come to this IPA client host as the root user and run the command su - user-from-other-domainBBB, or su - user-in-other-domainBBB@OTHER-REALM-BBB, it runs fine with the NSS/SSSD config module.

But I cannot access it directly with the ssh command, as in: ssh user-from-other-domainBBB@ipa-client-hostAAA, or ssh user-in-other-domainBBB@OTHER-REALM-BBB@ipa-client-hostAAA

Does the problem come from the SSH config / SSSD ([ssh]) / ...?
Can you help me?

Best regards
Mr Karim Bourenane

On Wed, Nov 9, 2022 at 08:13, Karim Bourenane <karim.bourenane@gmail.com> wrote:
Hello Rob, all

Thank you for your reply.
I have several separate domain/realm servers and clients.

My goal is to manage (by devops teams only) all servers' OS (IPA server + IPA client), inside or outside my AAA.com domain.
For the inside domain, no problem.
But for outside domains, I need to know how I can do it more easily.
I don't want to create the same devops team accounts for all domains.

How do you manage your outside domain servers? By ssh key?
Or what is the best way to do it?

Do I need to configure sssd.conf with the other domains?
Merge the krb5 keytab files for Kerberos ticket management?

Thank you for your help.
Best regards
Mr Karim Bourenane

On Tue, Nov 8, 2022 at 22:29, Rob Crittenden <rcritten@redhat.com> wrote:
Karim Bourenane via FreeIPA-users wrote:
> Hello Team
>
> I'm on CentOS 7.9, with IPA server under 4.6.8.
> My IPA server manages a domain/realm AAA.com. I would like it to be
> accessible also via ssh from another domain/realm BBB.com and also to
> use Kerberos token from BBB.com to use sudo management.
>
> Is it possible?
>
> How should I proceed? If you could help me please.

It sounds like you are trying to trust a different IPA domain. That is
not currently supported.

rob