Hi,
I am trying to set up authentication against Active Directory with multiple domains, and I haven't been able to find the recommended way to do it (it is very possible I missed it...), so I am looking for explanation and advice.
With a master domain example.com, and subdomains sub1.example.com, sub2.example.com, etc., how would you set up sssd (and the Linux system) to authenticate the users from all the domains?
To give an example, my user is AD admin across all the forests (my_user@example.com), and I want to authenticate on all the servers, smtp.example.com or proxy.sub1.example.com, etc. On some computers I also want to authenticate a customer's account (my_customer@sub1.example.com).
For now, I have 2 different setups:
- on computers from example.com

[sssd]
config_file_version = 2
debug_level = 0
domains = example.com
services = nss, pam

[domain/example.com]
enumerate = true
dns_discovery_domain = cy2._sites.example.com
debug_level = 8
id_provider = ad
access_provider = ad
ldap_id_mapping = false
#dyndns_update = false

- on computers from sub1.example.com

[sssd]
config_file_version = 2
debug_level = 0
domains = sub1.example.com,example.com
services = nss, pam

[domain/example.com]
enumerate = true
dns_discovery_domain = cy2._sites.example.com
debug_level = 9
id_provider = ad
access_provider = ad
ldap_id_mapping = false

[domain/sub1.example.com]
enumerate = true
dns_discovery_domain = cy2._sites.sub1.example.com
debug_level = 7
id_provider = ad
access_provider = ad
ldap_id_mapping = false
I join the computer to example.com or to sub1.example.com: adcli join example.com -U my_user@EXAMPLE.COM or adcli join sub1.example.com -U my_user@EXAMPLE.COM, as I would do with an ordinary Windows workstation.
And for AD, I use the POSIX attributes (and that may be the way...), so if a UID or GID exists in both domains, I happen to find wrong group names, etc.
I hope my questions are clear enough! :-) What am I doing wrong? What are the recommended settings for that situation?
Thanks,
Jeremy
Hi,
Nobody has a clue on the best practices for AD domains with trust? :-(
Regs,
Jeremy
On Mon, Oct 23, 2017 at 10:29 AM, Jeremy Monnet jmonnet@gmail.com wrote:
I'm sorry for the late reply, but we've all been busy finishing work on a RHEL update.
On Mon, Oct 23, 2017 at 10:29:13AM +0200, Jeremy Monnet wrote:
> Hi,
> I am trying to set up authentication against Active Directory with multiple domains, and I haven't been able to find the recommended way to do it (it is very possible I missed it...), so I am looking for explanation and advice.
> With a master domain example.com, and subdomains sub1.example.com, sub2.example.com, etc., how would you set up sssd (and the Linux system) to authenticate the users from all the domains?
> To give an example, my user is AD admin across all the forests (my_user@example.com), and I want to authenticate on all the servers, smtp.example.com or proxy.sub1.example.com, etc. On some computers I also want to authenticate a customer's account (my_customer@sub1.example.com).
> For now, I have 2 different setups:
> - on computers from example.com
>
> [sssd]
> config_file_version = 2
> debug_level = 0
> domains = example.com
> services = nss, pam
>
> [domain/example.com]
> enumerate = true
> dns_discovery_domain = cy2._sites.example.com
> debug_level = 8
> id_provider = ad
> access_provider = ad
> ldap_id_mapping = false
> #dyndns_update = false
This should just work for all domains, SSSD should autodiscover all the trusted domains from the forest.
Instead of the dns_discovery_domain, you should use "ad_site = cy2"
If something does not work, please send logs, see https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html
But I would strongly recommend against enumerate=true both for performance reasons and because following the logs is then quite hard.
> - on computers from sub1.example.com
>
> [sssd]
> config_file_version = 2
> debug_level = 0
> domains = sub1.example.com,example.com
> services = nss, pam
>
> [domain/example.com]
> enumerate = true
> dns_discovery_domain = cy2._sites.example.com
> debug_level = 9
> id_provider = ad
> access_provider = ad
> ldap_id_mapping = false
>
> [domain/sub1.example.com]
> enumerate = true
> dns_discovery_domain = cy2._sites.sub1.example.com
> debug_level = 7
> id_provider = ad
> access_provider = ad
> ldap_id_mapping = false
This should not be needed and is not completely correct either.
Defining each domain separately is a valid workaround for domains in different forests. It was also a valid workaround for older releases if only some domains were reachable, so you'd disable the automatic subdomain discovery with subdomain_provider=none and then create a separate domain entry for each trusted domain.
But with modern releases this should not be necessary; even if only the forest root and sub1.example.com are reachable, you could instead use "ad_enabled_domains = sub1.example.com,example.com".
But if all the domains are reachable, defining each domain should not be required, and all users and groups from those domains should be resolvable.
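A single-forest sssd.conf assembled from the advice in this reply (an added example, not a configuration from the original thread or from the SSSD project): one domain entry for the forest root, ad_site instead of a hand-built dns_discovery_domain, enumeration off, and ad_enabled_domains left commented out for the partially-reachable case. The site name cy2 and the domain names come from the thread; keeping ldap_id_mapping = false is an assumption that matches the original setup.

```ini
[sssd]
config_file_version = 2
services = nss, pam
# One entry for the forest root; trusted subdomains (sub1.example.com,
# sub2.example.com, ...) are discovered automatically, so they are not
# listed here and get no [domain/...] section of their own.
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = ad
# Pick DCs by AD site instead of building the _sites SRV name by hand.
ad_site = cy2
# Enumeration is expensive and makes the logs hard to follow; leave it off.
enumerate = false
# Only if some forest members are unreachable from this host: restrict SSSD
# to the reachable ones instead of defining each domain separately.
# ad_enabled_domains = sub1.example.com,example.com
# Assumed from the original setup: use the POSIX uidNumber/gidNumber
# attributes stored in AD. Setting this to true would instead derive
# IDs from the objects' SIDs.
ldap_id_mapping = false
debug_level = 0
```

After restarting sssd, `sssctl domain-list` should list example.com together with the discovered subdomains, and `getent passwd my_customer@sub1.example.com` should resolve without a separate [domain/sub1.example.com] section.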