Hi,
Can anyone confirm for me if SSSD supports authentication of users belonging to a trusted domain via an AD controller in the trusting domain?
i.e. A user attempts to log in as fred@test1.example.com on a client machine running SSSD, where SSSD has joined a domain test2.example.com and there is a 2-way forest trust between both domains. Is this supported? I've been trying to do so and so far it hasn't been working.
For the record, my setup is:
AD controller domain test1: Windows server 2012 R2
AD controller domain test2: Windows server 2012 R2
Ubuntu 14.04 client running SSSD 1.12.5
Thanks, Guy
On Fri, Aug 12, 2016 at 04:51:41PM -0700, Guy Knights wrote:
> Hi,
> Can anyone confirm for me if SSSD supports authentication of users belonging to a trusted domain via an AD controller in the trusting domain?
> i.e. A user attempts to log in as fred@test1.example.com on a client machine running SSSD, where SSSD has joined a domain test2.example.com and there is a 2-way forest trust between both domains. Is this supported? I've been trying to do so and so far it hasn't been working.
As long as the two domains are in the same forest, then yes, you just need to use the fully qualified name.
> For the record, my setup is:
> AD controller domain test1: Windows server 2012 R2
> AD controller domain test2: Windows server 2012 R2
> Ubuntu 14.04 client running SSSD 1.12.5
But I would recommend to use something newer on the client side (1.13+)
Is there any option to configure a trust when the domains are NOT in the same forest? Has anyone tried this yet, maybe with Kerberos?
I have an implementation where the stalling factor is going to be cross-forest one-way trusts, would be keen to find out if anyone else has tried this.
Cheers,
Jay
On 15 Aug, 2016, at 04:17, Jakub Hrozek <jhrozek@redhat.com> wrote:
> On Fri, Aug 12, 2016 at 04:51:41PM -0700, Guy Knights wrote:
> > Hi,
> > Can anyone confirm for me if SSSD supports authentication of users belonging to a trusted domain via an AD controller in the trusting domain?
> > i.e. A user attempts to log in as fred@test1.example.com on a client machine running SSSD, where SSSD has joined a domain test2.example.com and there is a 2-way forest trust between both domains. Is this supported? I've been trying to do so and so far it hasn't been working.
> As long as the two domains are in the same forest, then yes, you just need to use the fully qualified name.
> > For the record, my setup is:
> > AD controller domain test1: Windows server 2012 R2
> > AD controller domain test2: Windows server 2012 R2
> > Ubuntu 14.04 client running SSSD 1.12.5
> But I would recommend to use something newer on the client side (1.13+)