On Tue, Jun 13, 2017 at 02:07:02PM +0100, Tony Barganski wrote:
Hi Jakub Hrozek,
I also have a use case for this. My situation is that we are building out Linux Server
environments in AWS cloud for SAP clients and want a way to have centralised accounts for
our engineers and allow customers to login with their Microsoft AD user accounts.
I've been able to get this to work with the Linux Servers (CentOS 7) connected to our IPA
Domain with a one-way trust relationship between our IPA Domain and the customer's AD
forest; however, IPA is another set of infrastructure that we would rather do without and
use our existing Microsoft AD domain with a one-way trust from customer to us.
This doesn't seem to work when the Linux Server is a member of our Microsoft AD domain.
On Tue, Mar 01, 2016 at 12:10:30AM -0000,
kprprl(a)gmail.com wrote:
…
<
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
"Not supported at the moment short of joining the client to the two forests and
defining two [domain] sections."
Q1. How can I join the client to two forests and define two [domain] sections?
Get a keytab, either with net ads join or create it on the AD side and
copy it to the Linux client. Then define the sssd.conf along the lines
of:
[sssd]
domains = dom1, dom2

[domain/dom1]
id_provider = ad
ad_domain = dom1
# uncomment if autodiscovery doesn't work
#ad_server = dc.dom1

# second forest: its own section name and its own keytab
[domain/dom2]
id_provider = ad
ad_domain = dom2
ldap_krb5_keytab = /path/to/alternative/keytab
krb5_keytab = /path/to/alternative/keytab
# uncomment if autodiscovery doesn't work
#ad_server = dc.dom2
On Tue, Mar 01, 2016 at 12:10:30AM -0000,
kprprl(a)gmail.com wrote:
“...It's planned but we're not there yet…”
Q2. Any news on when this feature may be implemented on your Road Map?
No, sorry, at least not in the immediate future.
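A small checker for the two-forest layout described in the reply above, added here as an example and not part of the original thread or of SSSD itself. It parses an sssd.conf body with Python's configparser and flags the mistakes that make a second forest silently fail: a domain listed in [sssd] with no matching [domain/...] section, two sections with the same name, or two AD domains pointed at the same keytab. The domain names, server names and keytab paths in the embedded sample configs are constructed placeholders.

```python
import configparser

# Constructed sssd.conf for two forests, following the layout in the reply
# above (dom1/dom2, dc.dom1/dc.dom2 and the keytab paths are placeholders).
TWO_FOREST_CONF = """\
[sssd]
domains = dom1, dom2
services = nss, pam

[domain/dom1]
id_provider = ad
ad_domain = dom1
# uncomment if autodiscovery doesn't work
#ad_server = dc.dom1

[domain/dom2]
id_provider = ad
ad_domain = dom2
ldap_krb5_keytab = /etc/sssd/dom2.keytab
krb5_keytab = /etc/sssd/dom2.keytab
#ad_server = dc.dom2
"""

# Same config, but the second section is named [domain/dom1] again: the
# copy-paste slip that leaves the second forest without a section at all.
DUPLICATE_SECTION_CONF = TWO_FOREST_CONF.replace("[domain/dom2]", "[domain/dom1]")

# Same config with the keytab options for dom2 removed, so both domains
# fall back to the default /etc/krb5.keytab, which can only hold one join.
SHARED_KEYTAB_CONF = "\n".join(
    line for line in TWO_FOREST_CONF.splitlines()
    if not line.startswith(("krb5_keytab", "ldap_krb5_keytab"))
) + "\n"


def check_sssd_conf(text):
    """Return a list of problems found in an sssd.conf body (empty list = OK)."""
    problems = []
    # strict=True makes configparser reject duplicate sections instead of merging them
    parser = configparser.ConfigParser(strict=True, interpolation=None)
    try:
        parser.read_string(text)
    except configparser.DuplicateSectionError as exc:
        return [f"duplicate section [{exc.section}]"]
    except configparser.Error as exc:
        return [f"parse error: {exc}"]

    if "sssd" not in parser:
        return ["missing [sssd] section"]
    listed = [d.strip() for d in parser["sssd"].get("domains", "").split(",") if d.strip()]
    if not listed:
        problems.append("[sssd] lists no domains")

    keytabs = {}  # keytab path -> domains using it
    for name in listed:
        section = f"domain/{name}"
        if section not in parser:
            problems.append(f"domain {name} is listed but [{section}] is missing")
            continue
        dom = parser[section]
        if dom.get("id_provider") != "ad":
            problems.append(f"[{section}] id_provider is not 'ad'")
        if not dom.get("ad_domain"):
            problems.append(f"[{section}] has no ad_domain")
        # Each joined forest needs its own keytab; unset means the system default.
        keytab = dom.get("krb5_keytab", "/etc/krb5.keytab")
        keytabs.setdefault(keytab, []).append(name)
        if dom.get("ldap_krb5_keytab", keytab) != keytab:
            problems.append(f"[{section}] krb5_keytab and ldap_krb5_keytab differ")
    for path, names in keytabs.items():
        if len(names) > 1:
            problems.append(f"domains {', '.join(names)} share keytab {path}")

    # A [domain/...] section that [sssd] never enables is usually a typo too.
    for section in parser.sections():
        if section.startswith("domain/") and section[len("domain/"):] not in listed:
            problems.append(f"[{section}] is defined but not listed in [sssd] domains")
    return problems


if __name__ == "__main__":
    for label, conf in [("two forests", TWO_FOREST_CONF),
                        ("duplicate section", DUPLICATE_SECTION_CONF),
                        ("shared keytab", SHARED_KEYTAB_CONF)]:
        print(label, "->", check_sssd_conf(conf) or "OK")
```

Run it against a real /etc/sssd/sssd.conf by passing the file contents to check_sssd_conf(); an empty list means the two-section layout is at least internally consistent, which is worth confirming before chasing trust or DNS problems.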