Hi all,

I'm trying to configure SSSD to serve users from two domains at the same time, and I can't get it to work.

The two domains are A.DOMAIN.TLD and B.DOMAIN.TLD.

With this krb5.conf I can't retrieve any user from either domain:
---------------------------
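# krb5.conf covering both realms. Note on [domain_realm]: the LEFT side is a
# host or domain pattern (a leading dot means "every host under this domain"),
# the RIGHT side is a realm NAME. The original file wrote ".A.DOMAIN.TLD" as the
# realm, which is not a realm that exists, so every GSSAPI ticket request for a
# host under a.domain.tld / b.domain.tld was aimed at a bogus realm - most
# likely why no users could be retrieved from either domain with this file.
[libdefaults]
        # Realm used for principals given without one (e.g. a bare login name).
        default_realm = A.DOMAIN.TLD
        # Fall back to _kerberos.<domain> TXT records for host->realm mapping
        # when [domain_realm] has no match. DNS is unauthenticated, so a
        # spoofed TXT record can steer a host to another realm; with both
        # domains mapped explicitly below this could be set to false.
        dns_lookup_realm = true
        # No kdc= lines are given under [realms], so KDCs are found through
        # _kerberos._tcp/_udp SRV records.
        dns_lookup_kdc = true
        # Do not reverse-resolve the KDC address when building its principal.
        rdns_lookup_kdc = false
        # When guessing a realm from a hostname, try only the host's own
        # domain, not its parent domains.
        realm_try_domains = 0

[realms]
A.DOMAIN.TLD = {
        # default_domain only affects Kerberos-4-style principal translation;
        # it does not name a KDC. Left as in the original file.
        default_domain = A.DOMAIN.TLD
}
B.DOMAIN.TLD = {
        default_domain = B.DOMAIN.TLD
}

[domain_realm]
# Fixed: realm values carry no leading dot.
.a.domain.tld = A.DOMAIN.TLD
a.domain.tld = A.DOMAIN.TLD
.b.domain.tld = B.DOMAIN.TLD
b.domain.tld = B.DOMAIN.TLD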
-----------------------------

With this krb5.conf I can retrieve users from A.DOMAIN.TLD:
---------------------------
# Minimal krb5.conf that works for A.DOMAIN.TLD on its own: there is no
# [realms] or [domain_realm] section, so both the realm of a host and the
# KDCs serving it are discovered through DNS.
[libdefaults]
        # Host->realm from _kerberos TXT records, KDCs from _kerberos._tcp SRV
        # records. Both are unauthenticated DNS answers; pin them with explicit
        # [domain_realm] entries and kdc= lines if that matters in your setup.
        dns_lookup_realm = true
        dns_lookup_kdc = true
        # Do not reverse-resolve the KDC address when building its principal.
        rdns_lookup_kdc = false
        # Realm used for principals given without one (e.g. a bare login name).
        default_realm = A.DOMAIN.TLD
---------------------------

The sssd.conf is the same in both cases:
---------------------------
[sssd]
config_file_version = 2
# Responders to start; each one has its own (here empty) section below.
services = nss, pam
# Domains to serve, in lookup order for names that carry no domain part.
domains = a.domain.tld, b.domain.tld

[nss]

[pam]

[domain/a.domain.tld]
# --- identity: generic LDAP backend against adc.a.domain.tld, GSSAPI bind ---
id_provider = ldap
ldap_uri = ldap://adc.a.domain.tld
ldap_search_base = dc=A,dc=DOMAIN,dc=TLD
# Plain ldap:// (no TLS) is only acceptable because the bind is GSSAPI and the
# SASL security layer protects the session. Verify ldap_sasl_minssf is non-zero
# on this host; with no security layer the directory data travels in clear.
ldap_sasl_mech = gssapi
# Principal SSSD binds as; it must have a key in ldap_krb5_keytab. "adc$" is
# the computer-account name of the DC given in ldap_uri - confirm this is
# really the account meant for this client host and not the DC's own.
ldap_sasl_authid = adc$@A.DOMAIN.TLD
# One keytab shared by both domain sections: it must hold keys for both
# authids, and being a long-lived credential it should be root-only (0600).
ldap_krb5_keytab = /etc/krb5.sssd_multi.keytab
ldap_force_upper_case_realm = true
# Referral chasing is disabled; with a single search base per domain it
# only adds round-trips to other partitions.
ldap_referrals = false

# --- authentication and password change against the A.DOMAIN.TLD KDC ---
auth_provider = krb5
chpass_provider = krb5
krb5_realm = A.DOMAIN.TLD
krb5_server = adc.a.domain.tld
krb5_kpasswd = adc.a.domain.tld

# --- access control (see man sssd-simple) ---
# WARNING: no simple_allow_users / simple_allow_groups (or deny lists) are
# set, and with all lists empty the simple provider grants access to every
# user of the domain. Add an allow list before relying on this for login.
access_provider = simple
# Alternative: let the LDAP provider enforce AD account expiry instead.
# access_provider = ldap
# ldap_access_order = expire
# ldap_account_expire_policy = ad

# Enumeration (listing all users/groups) is discouraged for performance reasons.
# enumerate = true

# --- attribute map: AD objects carrying RFC2307bis-style POSIX attributes ---
ldap_schema = rfc2307bis
ldap_user_object_class = user
# Login names are the realm-qualified UPN rather than sAMAccountName -
# presumably so that the same short name in the two domains cannot collide.
# ldap_user_name = sAMAccountName
ldap_user_name = userPrincipalName
ldap_user_principal = userPrincipalName
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group


[domain/b.domain.tld]
# --- identity: generic LDAP backend against bdc.b.domain.tld, GSSAPI bind ---
id_provider = ldap
ldap_uri = ldap://bdc.b.domain.tld
ldap_search_base = dc=B,dc=DOMAIN,dc=TLD
# Plain ldap:// (no TLS) is only acceptable because the bind is GSSAPI and the
# SASL security layer protects the session. Verify ldap_sasl_minssf is non-zero
# on this host; with no security layer the directory data travels in clear.
ldap_sasl_mech = gssapi
# Principal SSSD binds as; it must have a key in ldap_krb5_keytab. "bdc$" is
# the computer-account name of the DC given in ldap_uri - confirm this is
# really the account meant for this client host and not the DC's own.
ldap_sasl_authid = bdc$@B.DOMAIN.TLD
# Same keytab as the a.domain.tld section: it must also hold this authid's
# key, and should be root-only (0600).
ldap_krb5_keytab = /etc/krb5.sssd_multi.keytab
ldap_force_upper_case_realm = true
# Referral chasing is disabled; with a single search base per domain it
# only adds round-trips to other partitions.
ldap_referrals = false

# --- authentication and password change against the B.DOMAIN.TLD KDC ---
auth_provider = krb5
chpass_provider = krb5
krb5_realm = B.DOMAIN.TLD
# NOTE(review): ldap_uri above points at bdc.b.domain.tld while the KDC and
# kpasswd server are dc.b.domain.tld - confirm both hostnames are intended
# (the a.domain.tld section uses one host for all three).
krb5_server = dc.b.domain.tld
krb5_kpasswd = dc.b.domain.tld

# --- access control (see man sssd-simple) ---
# WARNING: no simple_allow_users / simple_allow_groups (or deny lists) are
# set, and with all lists empty the simple provider grants access to every
# user of the domain. Add an allow list before relying on this for login.
access_provider = simple
# Alternative: let the LDAP provider enforce AD account expiry instead.
# access_provider = ldap
# ldap_access_order = expire
# ldap_account_expire_policy = ad

# Enumeration (listing all users/groups) is discouraged for performance reasons.
# enumerate = true

# --- attribute map: AD objects carrying RFC2307bis-style POSIX attributes ---
ldap_schema = rfc2307bis
ldap_user_object_class = user
# Login names are the realm-qualified UPN rather than sAMAccountName -
# presumably so that the same short name in the two domains cannot collide.
# ldap_user_name = sAMAccountName
ldap_user_name = userPrincipalName
ldap_user_principal = userPrincipalName
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_group_object_class = group
---------------------------

Best regards,

mathias