Hi,
I am trying to find a standard config for Linux authentication against Active Directory, and I am testing with CentOS 6. I have decided on an SSSD/Kerberos/LDAP configuration as described in Red Hat's "Integrating Red Hat Enterprise Linux 6 with Active Directory" section 6.3. http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:syst...
It works very well, but only for the one domain in our forest, i.e. b.domain.org. However, users of other domains in the forest cannot be authenticated. This is understandable as I have pointed all the config files at the child domain's DCs, i.e. dc1.b.domain.org rather than dc1.domain.org. I have been searching for example configurations which will authenticate any user in the forest even though the Linux installation is joined to a different child domain, but have not found any.
Scenario I would like to implement:
- Linux installation hostname = lin1
- lin1 joined to domain b.domain.org
- users from b.domain.org can log in to lin1.b.domain.org
- users from all child domains of domain.org can log in to lin1.b.domain.org, for example a.domain.org, c.domain.org or z.domain.org
I have attached my current config files as a reference. They work for a single domain rather than the whole forest. I suppose I am stuck on whether to add each AD child domain as a separate domain in SSSD and as separate REALMS in Kerberos, or if I can get it to see the whole forest.
Thanks for any help / pointers,
Matthew
On Mon, Sep 16, 2013 at 01:17:22PM +0000, a t wrote:
Hi Matthew,
This feature is only supported starting with 1.10 upstream.
Even on RHEL-6 I would recommend trying out the AD provider, not the AD/Kerberos provider combo.
Date: Mon, 16 Sep 2013 15:22:47 +0200
From: jhrozek@redhat.com
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Thank you very much for the speedy reply. I'll take another look at the AD provider and keep an eye on future sssd versions.
On Mon, Sep 16, 2013 at 01:45:17PM +0000, a t wrote:
If you're mostly interested in testing, we build our nightlies even for RHEL6: http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-rhel.repo
But tread lightly, it's really a development snapshot :)
Date: Mon, 16 Sep 2013 15:59:09 +0200
From: jhrozek@redhat.com
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
Hi Jakub,
I installed sssd.x86_64 1.11.1-0.20130912T1711Zgit10bc88a.el6 from the repo you mentioned above. I installed on the same machine using the same config files. All works as expected with no issues I can see.
I am going to try to set up sssd with the AD provider on a clean VM. 2 questions:
1) I want a certain amount of SSO - mounting a windows share with no manual authentication based on windows permissions. According to http://www.freeipa.org/images/d/dd/Freeipa30_sssd-ad-provider.pdf this is not available until 1.10. I see there is a stable 1.11 in a repo, or would I need to build from source? I am happy to use the nightly build repo for now and testing, but if I roll it out I would obviously want to use a stable version.
2) Are the example configs in http://www.freeipa.org/images/d/dd/Freeipa30_sssd-ad-provider.pdf still valid in 1.10+ for an AD provider set-up?
Thanks for your help!
Matthew
On Tue, Sep 17, 2013 at 01:50:15PM +0000, a t wrote:
> 1) I want a certain amount of SSO - mounting a windows share with no manual authentication based on windows permissions. According to http://www.freeipa.org/images/d/dd/Freeipa30_sssd-ad-provider.pdf this is not available until 1.10.
Ah, I see you're referring to slide #11. I think the answer depends on what your requirements are.
Login with SSSD gives you a TGT. If there is a client side infrastructure to mount a windows share based on Kerberos authentication, everything should just work. I think that's what you're referring to as SSO?
But currently cifs-utils still requires winbind for some tasks like modifying ACLs. Integrating with cifs-utils in order to avoid the winbind dependency completely is currently on the roadmap for 1.12 (the slides are about a year old and we shuffled the priorities a bit).
See: https://fedorahosted.org/sssd/wiki/DesignDocs/IntegrateSSSDWithCIFSClient
> I see there is a stable 1.11 in a repo, or would I need to build from source? I am happy to use the nightly build repo for now and testing, but if I roll it out I would obviously want to use a stable version.
Currently I'm not aware of a plan to rebase to a newer version in RHEL-6. I would say that backporting individual bugfixes or features is more likely.
> 2) Are the example configs in http://www.freeipa.org/images/d/dd/Freeipa30_sssd-ad-provider.pdf still valid in 1.10+ for an AD provider set-up?
Yes they are. You might also want to take a look at adcli from EPEL (and realmd on Fedora and RHEL-7). These make configuring an AD client really simple and user friendly.
Date: Wed, 18 Sep 2013 10:34:03 +0200
From: jhrozek@redhat.com
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
Hi,
Thanks. I have the new VM set up with the ad_provider. Much simpler config!
The authentication for users on the local domain that the installation is joined to works great. However, I am in the same situation with other trusted domains in the forest not being able to authenticate. Our domain structure is one parent domain which has a number of sub-domains. Those sub-domains do not have any sub-domains themselves. All users are in the sub-domains. The parent domain only has the odd admin and service user.
<image of domain structure>
The installation lin1 is joined to b.domain.org. Users from b.domain.org can log in. Users from a.domain.org, c.domain.org or x.domain.org cannot log in. I have tried adding domains to sssd.conf and realms to krb5.conf but cannot get it to authenticate users from other child domains.
krb5.conf, sssd.conf and smb.conf are attached. Also attached is a portion of the sssd domain log that occurs when trying an # id c\user.name.
Thanks,
Matthew
On Wed, Sep 18, 2013 at 11:55:52AM +0000, a t wrote:
Can you try without "enumerate=true" in the config?
I think you might be hitting a known limitation (patches in progress...).
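Jakub's suggestion is to test without enumerate=true. As an added example, not part of the thread or of SSSD itself, the checker below parses a constructed sssd.conf modelled on the AD-provider setup described here (host joined to b.domain.org; the keys are standard sssd.conf options, but the poster's attached files are not on the page, so the contents are an assumption), reports any AD-provider domain section that still enables enumeration, and emits the same config with that option dropped.

```python
"""Flag enumerate=true in AD-provider domain sections of an sssd.conf and
produce the config without it. Constructed example for the thread's setup;
it is not SSSD code and the sample file is not the poster's attachment."""
import configparser
import io

# Constructed sssd.conf in the shape of the AD-provider setup discussed in
# the thread (assumption: the poster's real file has the same key names).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = b.domain.org
services = nss, pam
config_file_version = 2

[domain/b.domain.org]
id_provider = ad
access_provider = ad
ad_domain = b.domain.org
krb5_realm = B.DOMAIN.ORG
cache_credentials = True
use_fully_qualified_names = True
enumerate = true
"""


def parse_sssd_conf(text):
    """Parse sssd.conf text; it is INI-style, and key case is kept as written."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str
    parser.read_string(text)
    return parser


def _is_ad_domain(parser, section):
    """True for a [domain/...] section whose id_provider is the AD provider."""
    if not section.startswith("domain/"):
        return False
    provider = parser.get(section, "id_provider", fallback="")
    return provider.strip().lower() == "ad"


def find_enumerating_ad_domains(text):
    """Return the domain names whose section combines id_provider = ad with
    enumerate = true, the combination the thread asks to test without."""
    parser = parse_sssd_conf(text)
    hits = []
    for section in parser.sections():
        if not _is_ad_domain(parser, section):
            continue
        value = parser.get(section, "enumerate", fallback="false")
        if value.strip().lower() in ("true", "yes", "1"):
            hits.append(section[len("domain/"):])
    return hits


def without_enumeration(text):
    """Return the config text with 'enumerate' removed from every AD domain
    section; with the key unset SSSD falls back to its default of false."""
    parser = parse_sssd_conf(text)
    for section in parser.sections():
        if _is_ad_domain(parser, section):
            parser.remove_option(section, "enumerate")
    out = io.StringIO()
    parser.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for domain in find_enumerating_ad_domains(SAMPLE_SSSD_CONF):
        print(f"[domain/{domain}] uses id_provider = ad with enumerate = true; "
              "retest logins from the other sub-domains with it removed")
    print(without_enumeration(SAMPLE_SSSD_CONF))
```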
Date: Fri, 20 Sep 2013 14:44:49 +0200
From: jhrozek@redhat.com
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
On Wed, Sep 18, 2013 at 11:55:52AM +0000, a t wrote:
Date: Wed, 18 Sep 2013 10:34:03 +0200 From: jhrozek@redhat.com To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
On Tue, Sep 17, 2013 at 01:50:15PM +0000, a t wrote:
Date: Mon, 16 Sep 2013 15:59:09 +0200 From: jhrozek@redhat.com To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
On Mon, Sep 16, 2013 at 01:45:17PM +0000, a t wrote:
> Date: Mon, 16 Sep 2013 15:22:47 +0200 > From: jhrozek@redhat.com > To: sssd-users@lists.fedorahosted.org > Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest > > On Mon, Sep 16, 2013 at 01:17:22PM +0000, a t wrote: > > Hi, > > > > I am testing find a standard config for Linux authentication against Active Directory and I am testing with Centos 6. I have decided on a SSSD/Kerberos/LDAP configuration as described in RedHats "Integrating Red Hat Enterprise Linux 6 with Active Directory" section 6.3. > > http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:syst... > > > > It works very well but for the one domain in our forest i.e. b.domain.org. However, users of other domains in the forest can not be authenticated. This is understandable as I have pointed all the config files at the child domains DC's, i.e. dc1.b.domain.org rather than dc1.domain.org. I have been searching for example configurations which will authenticate any user in the forest even though the Linux installation is joined to a different child domain but not found any. > > > > Scenario I would like to implement; > > > > Linux installation hostname = lin1lin1 joined to domain b.domain.orgusers from b.domain.org can login to lin1.b.doamin.orgusers from all child domains of domain.org can log into lin1.b.domain.org. for example a.domain.org, c.domain.org or z.domain.org > > > > I have attached my current config files as a reference. They work for a single domain rather than the whole forest. I suppose I am stuck whether to add each AD child domain as separate domains in SSSD and REALMS in kerberos or if I can get it to see the whole forest. > > > > > > Thanks for any help / pointers, > > > > > > Matthew > > > > > > Hi Matthew, > > this feature is only supported starting with 1.10 upstream.. > > Even on RHEL-6 I would recommend trying out the AD provider, not the > AD/Kerberos provider combo. 
> _______________________________________________ > sssd-users mailing list > sssd-users@lists.fedorahosted.org > https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Thank you very much for the speedy reply. I'll take another look at the AD provider and keep an eye on future sssd versions.
If you're mostly interested in testing, we build our nighlies even for RHEL6: http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-rhel.repo
But tread lightly, it's really a development snapshot :) _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Hi Jakub,
I installed sssd.x86_64 1.11.1-0.20130912T1711Zgit10bc88a.el6 from the repo you mentioned above. I installed on the same machine using the same config files. All works as expected with no issues I can see.
I am going to try to setup sssd with AD provider on a clean VM. 2 questions;
- I want a certain amount of SSO - mounting a windows share with
no manual authentication based on windows permissions. According to http://www.freeipa.org/images/d/dd/Freeipa30_sssd-ad-provider.pdf this is not available until 1.10.
Ah, I see you're referring to slide #11. I think the answer depends on what your requirements are.
Login with SSSD gives you a TGT. If there is a client side infrastructure to mount a windows share based on Kerberos authentication, everything should just work. I think that's what you're referring to as SSO?
But currently cifs-utils still requires winbind for some tasks like modifying ACLs. Integrating with cifs-utils in order to avoid the winbind dependency completely is on the roadmap for 1.12 currently (the slides are about a year old and we shuffled the priorities a bit).
See: https://fedorahosted.org/sssd/wiki/DesignDocs/IntegrateSSSDWithCIFSClient
I see there is a stable 1.11 in a repo or would I need to build from source? I am happy to use the nightly build repo for now and testing but if I roll it out I would obviously want to use a stable version.
Currently I'm not aware of a plan to rebase to a newer version in RHEL-6. I would say that backporting individual bugfixes or features is more likely.
- Are the example configs in http://www.freeipa.org/images/d/dd/Freeipa30_sssd-ad-provider.pdf still valid in 1.10+ for an AD provider set-up?
Yes they are. You might also want to take a look at adcli from EPEL (and realmd on Fedora and RHEL-7). These make configuring an AD client really simple and user friendly.
Hi,
Thanks. I have the new VM set up with the ad_provider. Much simpler config!
The authentication for users on the local domain that the installation is joined to works great. However, I am in the same situation with other trusted domains in the forest not being able to authenticate. Our domain structure is one parent domain which has a number of sub-domains. Those sub-domains do not have any sub-domains themselves. All users are in the sub-domains. The parent domain only has the odd Admin and service user.
<image of domain structure>
The installation lin1 is joined to b.domain.org. Users from b.domain.org can login. Users from a.domain.org, c.domain.org or x.domain.org cannot login. I have tried adding domains to sssd.conf and realms to krb5.conf but cannot get it to authenticate users from other child domains.
krb5.conf, sssd.conf and smb.conf attached. Also attached a portion of the sssd domain log that occurs when trying an # id c\user.name.
Can you try without "enumerate=true" in the config?
I think you might be hitting a known limitation (patches in progress..)
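An added example, not Matthew's attached files or anything posted in the thread, of what the two states look like in an AD-provider sssd.conf: the "before" section carries the enumerate = true that Jakub asks to drop, the "after" section is the same domain without it. Host, domain and DC names are the constructed ones from the thread (lin1, b.domain.org, dc1.b.domain.org); the user@a.domain.org naming of subdomain users in the comments assumes the 1.10+ AD provider defaults.

```ini
# /etc/sssd/sssd.conf (before) - constructed example for lin1.b.domain.org
[sssd]
config_file_version = 2
services = nss, pam
domains = b.domain.org

[domain/b.domain.org]
id_provider = ad
access_provider = ad
ad_domain = b.domain.org
# ad_server is optional; leave it out to rely on DNS SRV discovery
ad_server = dc1.b.domain.org
krb5_realm = B.DOMAIN.ORG
cache_credentials = true
# Enumeration pulls the whole user list of the joined domain into the
# cache; it is the line Jakub asks to remove while testing subdomain users.
enumerate = true

# /etc/sssd/sssd.conf (after) - same domain, enumerate left at its default
# (false). Users from other domains in the forest are not added as extra
# [domain/...] sections; the AD provider discovers them as subdomains of
# b.domain.org and looks them up by their own domain name, e.g.
#   id user.name@a.domain.org
# (assumed name form; full_name_format changes it).
[sssd]
config_file_version = 2
services = nss, pam
domains = b.domain.org

[domain/b.domain.org]
id_provider = ad
access_provider = ad
ad_domain = b.domain.org
krb5_realm = B.DOMAIN.ORG
cache_credentials = true
# raise debug output while collecting the domain log Jakub asks for
debug_level = 6
```

Only one of the two copies belongs in the real file; they are shown together so the single differing line is easy to spot.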
Hi,
Sorry for the late reply. I tried both "enumerate = false" and completely removing the line as you suggest but it still will not authenticate users from other sub-domains. 'id', 'getent passwd aduser USERNAME' or 'finger' do not return the user info.
Thanks for your help,
Matthew
On Mon, Sep 23, 2013 at 03:10:45PM +0000, a t wrote:
Date: Fri, 20 Sep 2013 14:44:49 +0200
From: jhrozek@redhat.com
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
On Wed, Sep 18, 2013 at 11:55:52AM +0000, a t wrote:
Date: Wed, 18 Sep 2013 10:34:03 +0200
From: jhrozek@redhat.com
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
On Tue, Sep 17, 2013 at 01:50:15PM +0000, a t wrote:
Date: Mon, 16 Sep 2013 15:59:09 +0200
From: jhrozek@redhat.com
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
On Mon, Sep 16, 2013 at 01:45:17PM +0000, a t wrote:
Can we see logs with enumerate=false? (They are a bit more readable as you can follow the request -> reply sequence easier)