Hi,
Using SSSD 1.14.2 on RHEL6, users from a domain other than the joined one are
only resolved when the domain is specified. As an example:
Joined domain "northamerica": the user uniq_user_A@northamerica can be
resolved using: getent passwd uniq_user_A
But uniq_user_B in domain "europe" can ONLY be resolved using: getent
passwd europe\\uniq_user_B
Where I would expect that getent passwd uniq_user_B would also work
(see my configuration file attached below).
Diving into the sssd log files, it seems that when specifying just
"uniq_user_B", the DCs for the europe domain are contacted, which it
can't access since it's not in the Kerberos keytab. When specifying
europe\\uniq_user_B, SSSD seems to contact the DCs for the northamerica
domain instead; the domain it's joined to and that's also in the Kerberos
keytab.
To solve this issue I added the europe DCs to the keytab as well by
changing the domain/realm in the smb.conf and krb5.conf to europe and
re-running the net ads join command. Once they are added, and thus also
listed by klist -k, I can now resolve users in both domains without
specifying their domain.
Like: getent passwd uniq_user_B
I wonder if this is the normal behaviour, because if the server is
joined to the northamerica domain and getent passwd europe\\uniq_user_B
works, I would expect that it would be possible to run getent passwd
uniq_user_B also without having to add extra domains to the keytab.
The sssd.conf I used:
[sssd]
services = nss, pam
config_file_version = 2
debug_level = 7
domains = northamerica.example.net,europe.example.net
default_shell = /bin/bash

[nss]
debug_level = 7
default_shell = /bin/bash
filter_users = root
filter_groups = root
reconnection_retries = 3
entry_cache_timeout = 300
entry_cache_nowait_percentage = 75
override_shell = /bin/bash

[pam]
debug_level = 7

[domain/northamerica.example.net]
id_provider = ad
subdomains_provider = none
ad_domain = northamerica.example.net
krb5_realm = NORTHAMERICA.EXAMPLE.NET
use_fully_qualified_names = False
debug_level = 7
auth_provider = ad
chpass_provider = ad
access_provider = ad
cache_credentials = true
ldap_idmap_range_size = 2000000
ldap_idmap_default_domain_sid = S-1-5-21-1757981266-299502267-1801674531
ldap_idmap_default_domain = northamerica.example.net

[domain/europe.example.net]
id_provider = ad
subdomains_provider = none
ad_domain = europe.example.net
krb5_realm = EUROPE.EXAMPLE.NET
use_fully_qualified_names = False
debug_level = 7
auth_provider = ad
chpass_provider = ad
access_provider = ad
cache_credentials = true
ldap_idmap_range_size = 2000000
ldap_idmap_default_domain_sid = S-1-5-21-507921405-813497703-1202660629
ldap_idmap_default_domain = europe.example.net

The krb5.conf:
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = NORTHAMERICA.EXAMPLE.NET
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
Johan Postema.
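
The check the poster did by hand (comparing the realms listed by klist -k
against the domains in sssd.conf), as an added example that is not part of
the original message and is not SSSD's own code: a small POSIX shell script
that lists the realms with keys in the keytab, the realms SSSD is configured
for, and the configured realms that have no key. The klist output, the host
names and KVNOs in it, and the sssd.conf fragment it reads are constructed
for the demo; the script also assumes the sssd-ad default of krb5_realm
falling back to ad_domain in upper case when krb5_realm is not set, which
the sample europe section exercises.

```shell
#!/bin/sh
# Added example (not from the original post): compare the realms that have
# keys in the host keytab with the realms SSSD is configured to serve, i.e.
# the check the poster did by hand with `klist -k` and sssd.conf. The sample
# keytab listing and sssd.conf below are constructed; host names and KVNOs
# are made up.

# Constructed `klist -k` output for a host joined only to northamerica.
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   2 host/nahost.northamerica.example.net@NORTHAMERICA.EXAMPLE.NET
   2 host/NAHOST@NORTHAMERICA.EXAMPLE.NET
   2 NAHOST$@NORTHAMERICA.EXAMPLE.NET'

# Constructed sssd.conf with the two domains from the post; the europe
# section deliberately omits krb5_realm to exercise the ad_domain fallback.
SAMPLE_SSSD_CONF='[sssd]
services = nss, pam
domains = northamerica.example.net,europe.example.net

[domain/northamerica.example.net]
id_provider = ad
ad_domain = northamerica.example.net
krb5_realm = NORTHAMERICA.EXAMPLE.NET

[domain/europe.example.net]
id_provider = ad
ad_domain = europe.example.net'

# Realms that have at least one key in the keytab, from `klist -k` output on
# stdin: keep the text after the last '@' of each principal line.
keytab_realms() {
    sed -n 's/.*@\([^@ ]*\)[[:space:]]*$/\1/p' | sort -u
}

# One realm per [domain/...] section of the sssd.conf on stdin: krb5_realm if
# set, else ad_domain upper-cased (assumed sssd-ad default), else the
# section name upper-cased.
sssd_realms() {
    awk '
        function flush() {
            if (!insect) return
            if (realm != "")      print realm
            else if (addom != "") print toupper(addom)
            else                  print toupper(sect)
        }
        /^[[:space:]]*\[domain\// {
            flush()
            insect = 1; realm = ""; addom = ""
            sect = $0
            sub(/^[[:space:]]*\[domain\//, "", sect)
            sub(/\][[:space:]]*$/, "", sect)
            next
        }
        /^[[:space:]]*\[/ { flush(); insect = 0; next }
        insect && /^[[:space:]]*krb5_realm[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*$/, ""); realm = $0
        }
        insect && /^[[:space:]]*ad_domain[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]*$/, ""); addom = $0
        }
        END { flush() }
    ' | sort -u
}

# Print every configured realm that has no key in the keytab.
# Usage: missing_realms <file with klist -k output> <sssd.conf>
missing_realms() {
    kt=$(keytab_realms < "$1")
    sssd_realms < "$2" | while IFS= read -r realm; do
        printf '%s\n' "$kt" | grep -Fxq -- "$realm" || printf '%s\n' "$realm"
    done
}

# Write the constructed samples into a directory (used by the demo below).
write_samples() {
    printf '%s\n' "$SAMPLE_KLIST"     > "$1/klist.txt"
    printf '%s\n' "$SAMPLE_SSSD_CONF" > "$1/sssd.conf"
}

# Demo run on the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "Realms in keytab:";    keytab_realms < "$demo_dir/klist.txt"
echo "Realms SSSD expects:"; sssd_realms   < "$demo_dir/sssd.conf"
echo "Configured but not in keytab:"
missing_realms "$demo_dir/klist.txt" "$demo_dir/sssd.conf"
rm -rf "$demo_dir"
```

On a real host, replace the two sample files with the output of klist -k and
/etc/sssd/sssd.conf. On the constructed input the last section prints
EUROPE.EXAMPLE.NET, which is the state the post describes before the europe
keys were added with net ads join: a configured AD domain whose realm has no
key in the keytab.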