Hi Team, I have a very complex/large AD setup into which SSSD successfully integrated the Linux machine.
Now, after acquiring another company, we have to integrate a separate AD forest which is now trusted by our forest root.
I understand that SSSD won't work with external trusts and only supports the same forest.
What is the best practice to allow authentication from the new trusted forest?
In my test lab I added the new forest to a new domain section, then used adcli to create a computer account on the new forest. So technically this Linux machine is now joined to two domains; klist -k shows correct entries for both forests. I changed nothing in krb5.conf.
My tests are positive and I was able to log in to both forests from my Linux machine.
Is this a supported scenario, and what is the best practice when having an external trust?
Any detailed guidance will be highly appreciated (there is no documentation about this except for IPA, which we don't use).
Thanks
On 11/12/2014 05:26 PM, Karim wrote:
Hi Team, I have a very complex/large AD setup into which SSSD successfully integrated the Linux machine.
Now, after acquiring another company, we have to integrate a separate AD forest which is now trusted by our forest root.
I understand that SSSD won't work with external trusts and only supports the same forest.
What is the best practice to allow authentication from the new trusted forest?
In my test lab I added the new forest to a new domain section, then used adcli to create a computer account on the new forest. So technically this Linux machine is now joined to two domains; klist -k shows correct entries for both forests. I changed nothing in krb5.conf.
My tests are positive and I was able to log in to both forests from my Linux machine.
Is this a supported scenario, and what is the best practice when having an external trust?
Yes, it is. So far it is the only option for how it can be done. There is no HowTo because so far no one has actually done this in the open and shared it. I am not sure I get the second part of your question. Are you asking how to do it with two forests? The answer is: define two domains, as you did. If you are asking what would be done in the future, then once we implement https://fedorahosted.org/sssd/ticket/2078 you would need just a single domain.
HTH
Any detailed guidance will be highly appreciated (there is no documentation about this except for IPA, which we don't use).
Thanks
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
It's getting interesting: I set up the production lab and was able to authenticate against the new forest DC fine, but getent group NEWFOREST\GROUPNAME returns 0 results.
I compiled the latest SSSD on RHEL 6.6; the error I see in the log exactly matches this: https://bugzilla.redhat.com/show_bug.cgi?id=1002592
When I resolve a group in the first forest it works fine; when I try the new forest it returns 0 results and thinks my provider is offline, although it is not!
Any pointer is appreciated.
Thanks
From: karim.said@windowslive.com To: sssd-users@lists.fedorahosted.org Subject: sssd and external trust Date: Wed, 12 Nov 2014 14:26:21 -0800
[...]
Another question: how are you doing with ID collisions in cross-realm scenarios? Currently both forests are configured with ldap_idmapping_range_size = 20000000; with anything less than this SSSD will complain that it's not able to convert the SID to a Unix ID, and login fails.
I didn't configure the _range_max parameter; is there any recommendation for setting this across the two domains?
Thanks
From: karim.said@windowslive.com To: sssd-users@lists.fedorahosted.org Subject: RE: sssd and external trust Date: Wed, 12 Nov 2014 17:18:00 -0800
[...]
On (12/11/14 20:47), Karim wrote:
Another question: how are you doing with ID collisions in cross-realm scenarios? Currently both forests are configured with ldap_idmapping_range_size = 20000000
^^^^^^^^^^^^^^^^^^^^^^^^^ The name of the option is ldap_idmap_range_max
With anything less than this SSSD will complain that it's not able to convert the SID to a Unix ID, and login fails.
I didn't configure the _range_max parameter; is there any recommendation for setting this across the two domains?
You can configure non-overlapping ranges in the two domains with the options ldap_idmap_range_min and ldap_idmap_range_max; see man sssd-ldap.
LS
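The two points raised in this thread, one [domain/...] section per forest and non-overlapping ldap_idmap_range_min/ldap_idmap_range_max ranges so that SID-to-UID mapping in forest A can never collide with forest B, can be checked before restarting SSSD. The script below is an added example, not SSSD's own code and not from the list posters: it parses an sssd.conf, reads the ldap_idmap_* options of every ID-mapping domain (falling back to the defaults documented in man sssd-ldap: min 200000, max 2000200000, size 200000), reports how many domain-SID slices each range holds, and lists any pair of domains whose ranges intersect. The embedded configuration is constructed for illustration; the forest names are hypothetical, and the check treats the range as half-open [min, max), which is an assumption of this example rather than something the thread states.

```python
"""Check that SSSD [domain/...] sections use non-overlapping ID-mapping ranges.

Added example (not SSSD code). The sample sssd.conf below is constructed
for illustration; the forest names are hypothetical.
"""
import configparser
import io

# Defaults of the ldap_idmap_* options as documented in man sssd-ldap.
DEFAULT_RANGE_MIN = 200000
DEFAULT_RANGE_MAX = 2000200000
DEFAULT_RANGE_SIZE = 200000

# Constructed sssd.conf with one [domain] section per forest, each given
# its own half of the POSIX ID space (ranges chosen not to touch).
SAMPLE_SSSD_CONF = """\
[sssd]
domains = subdomaina.foresta.example, forestb.example
services = nss, pam

[domain/subdomaina.foresta.example]
id_provider = ad
ldap_id_mapping = True
ldap_idmap_range_min = 200000
ldap_idmap_range_max = 1000200000
ldap_idmap_range_size = 20000000

[domain/forestb.example]
id_provider = ad
ldap_id_mapping = True
ldap_idmap_range_min = 1000400000
ldap_idmap_range_max = 2000400000
ldap_idmap_range_size = 20000000
"""


def parse_idmap_ranges(conf_text):
    """Return {domain: (range_min, range_max, range_size, slices)}.

    Only sections named domain/<name> with ldap_id_mapping enabled are
    considered; 'slices' is how many distinct domain SIDs fit in the range.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(io.StringIO(conf_text))
    ranges = {}
    for section in parser.sections():
        if not section.startswith("domain/"):
            continue
        sec = parser[section]
        if sec.get("ldap_id_mapping", "False").lower() not in ("true", "yes", "1"):
            continue
        lo = sec.getint("ldap_idmap_range_min", DEFAULT_RANGE_MIN)
        hi = sec.getint("ldap_idmap_range_max", DEFAULT_RANGE_MAX)
        size = sec.getint("ldap_idmap_range_size", DEFAULT_RANGE_SIZE)
        if hi <= lo or size <= 0:
            raise ValueError(f"{section}: invalid range {lo}..{hi}, size {size}")
        slices = (hi - lo) // size
        ranges[section[len("domain/"):]] = (lo, hi, size, slices)
    return ranges


def find_overlaps(ranges):
    """Return (domain_a, domain_b) pairs whose [min, max) ranges intersect."""
    names = sorted(ranges)
    overlaps = []
    for i, a in enumerate(names):
        lo_a, hi_a = ranges[a][0], ranges[a][1]
        for b in names[i + 1:]:
            lo_b, hi_b = ranges[b][0], ranges[b][1]
            if lo_a < hi_b and lo_b < hi_a:
                overlaps.append((a, b))
    return overlaps


if __name__ == "__main__":
    found = parse_idmap_ranges(SAMPLE_SSSD_CONF)
    for name, (lo, hi, size, slices) in found.items():
        print(f"{name}: {lo}..{hi} size={size} slices={slices}")
    for a, b in find_overlaps(found):
        print(f"OVERLAP: {a} and {b} share POSIX IDs")
```

Run it against the real /etc/sssd/sssd.conf by replacing SAMPLE_SSSD_CONF with the file's contents; an empty overlap list means a UID or GID produced for one forest cannot also be produced for the other, and the slice count tells you how many domains (child domains included) each forest's range can absorb at the chosen ldap_idmap_range_size.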
Thank you Lukas and Jakub. Lukas: sorry for the typo, my sssd.config reflects the correct parameter name. I'll test the min and max range, then post the results.
Jakub: all of a sudden it started working yesterday and I was able to enumerate the groups now, and yes, I have configured two forests in sssd.conf.
This is a very large deployment, so I hope I can share the results here so it can benefit anyone who wants to implement this in a large AD environment.
You guys did a wonderful job, thanks for that. If there are any pitfalls I should be aware of, please do let me know so I can take them into consideration.
Thanks.
From: karim.said@windowslive.com To: sssd-users@lists.fedorahosted.org Subject: RE: sssd and external trust Date: Wed, 12 Nov 2014 20:47:27 -0800
[...]
Hi Team,
In a previous post I set up SSSD to successfully integrate two forests.
The problem is: Forest A has many subdomains; in sssd.conf I configured the subdomain this machine is joined to, i.e. subdomainA.ForestA.COM.
Whenever I try to log in using a user from SUBDOMAINB on FORESTA I get this error: "kdc policy rejects transited path".
Everything in the log seems normal except for this error, and then login is denied.
In my krb5.conf I only configured the default domain for SUBDOMAINA.FORESTA.COM.
I didn't find this error when I searched the list for anyone who got this before. What could be the problem here?
I'm using the latest SSSD on RHEL 6.6.
Thanks, Karim
On Wed, Nov 12, 2014 at 05:18:00PM -0800, Karim wrote:
It's getting interesting: I set up the production lab and was able to authenticate against the new forest DC fine, but getent group NEWFOREST\GROUPNAME returns 0 results.
I compiled the latest SSSD on RHEL 6.6; the error I see in the log exactly matches this: https://bugzilla.redhat.com/show_bug.cgi?id=1002592
When I resolve a group in the first forest it works fine; when I try the new forest it returns 0 results and thinks my provider is offline, although it is not!
Any pointer is appreciated.
Thanks
Can you share more details about your client config (sssd.conf) and ideally also the debug logs?
Did you configure two [domain] sections in sssd.conf or just one?