On Fri, Feb 17, 2017 at 09:23:14PM -0000, smfrench(a)gmail.com wrote:
> I haven't been able to find much useful information on how sssd
> (if at all) handles child domains in Active Directory.
> If you join an AD domain, presumably you can authenticate any users in
> the child domains, but what happens when you do "getent"? Do you expect to
> see users of the child domain reflected in the getent output (since you are joined
> to the parent)? Do you expect to always be able to look up users' SIDs and
> UIDs from the children of the domains you joined? What about the parents?

Yes, at least direct child domains in the same forest should be visible
and we (our RH QE team) test this for every release.
1) just "getent passwd" (enumerating all users) doesn't work by
default. Directly resolving a user (getent passwd username@domain)
2) the names in the subdomains need to be fully qualified
3) not all 'topologies' are supported with SSSD because SSSD at the
moment (unlike winbind) only uses LDAP calls to discover the
domains. See for example:
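A small check script, added here as an illustration and not part of the thread or of the SSSD project, that follows the two practical points above: it does not rely on `getent passwd` enumeration (off by default) but resolves each expected user by name, and it always passes the fully-qualified `user@domain` form that SSSD expects for users in a subdomain. It assumes a host already joined with the `ad` provider and `getent` on PATH; the domain and user names are placeholders.

```shell
#!/bin/sh
# Added example (not from the SSSD project or the thread): check which AD
# principals the local SSSD can resolve through NSS.  Assumes the host is
# joined with the sssd 'ad' provider and getent is on PATH.  Domain and
# user names are placeholders.
set -u

# Build the fully-qualified form SSSD expects for a user in a (sub)domain;
# names that are already qualified are passed through unchanged.
fq_name() {
    user=$1
    domain=$2
    case "$user" in
        *@*) printf '%s\n' "$user" ;;
        *)   printf '%s@%s\n' "$user" "$domain" ;;
    esac
}

# Extract the numeric UID (third field) from a passwd(5) line.
uid_of() {
    printf '%s\n' "$1" | cut -d: -f3
}

# Resolve one user via NSS; prints "name uid" on success, returns 1 otherwise.
resolve_user() {
    fq=$(fq_name "$1" "$2")
    line=$(getent passwd "$fq") || return 1
    printf '%s %s\n' "$fq" "$(uid_of "$line")"
}

# Enumeration is off by default, so iterate over explicit names instead of
# reading 'getent passwd'.  Prints "ok name uid" or "missing name" per user.
check_principals() {
    domain=$1
    shift
    for u in "$@"; do
        if out=$(resolve_user "$u" "$domain"); then
            printf 'ok %s\n' "$out"
        else
            printf 'missing %s\n' "$(fq_name "$u" "$domain")"
        fi
    done
}

# Usage: ./check_subdomain_users.sh child.example.com alice bob
[ $# -ge 2 ] && check_principals "$@"
```

A `missing` line for a user that exists in the child domain usually means the name was not fully qualified or the subdomain was not discovered by SSSD; in that case compare the domain list SSSD knows about with the forest layout before assuming an authentication problem.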