I haven't been able to find much useful information on how sssd (if at all) handles child domains in Active Directory.
If you join an AD domain, presumably you can authenticate any users in the child domains, but when you do "getent", do you expect to see users of the child domain reflected in the getent output (since you are joined to the parent)? Do you expect to always be able to look up users' SIDs and UIDs from the children of the domains you joined? What about the parents?
On Fri, Feb 17, 2017 at 09:23:14PM -0000, smfrench@gmail.com wrote:
> I haven't been able to find much useful information on how sssd (if at all) handles child domains in Active Directory.
> If you join an AD domain, presumably you can authenticate any users in the child domains, but when you do "getent", do you expect to see users of the child domain reflected in the getent output (since you are joined to the parent)? Do you expect to always be able to look up users' SIDs and UIDs from the children of the domains you joined? What about the parents?
Yes, at least direct child domains in the same forest should be visible and we (our RH QE team) test this for every release.
But:
1) Just "getent passwd" (enumerating all users) doesn't work by default. Directly resolving a user (getent passwd username@domain) should.
2) The names in the subdomains need to be fully qualified.
3) Not all 'topologies' are supported with SSSD because SSSD at the moment (unlike winbind) only uses LDAP calls to discover the domains. See for example: https://fedorahosted.org/sssd/ticket/2763