I have an Ubuntu 20.04 server that I have successfully joined to my domain using realm,
US.EXAMPLE.COM.
The way our AD is structured is that all machines are joined to the child domain for their
region and all users are setup in the parent domain,
EXAMPLE.COM. With full trust, etc, of
course.
I can successfully look up users in the
US.EXAMPLE.COM domain with id or getent passwd,
but cannot look up any users in the parent
EXAMPLE.COM domain.
I can successfully kinit to the parent domain.
I have tried adding capaths to the krb5.conf as well as adding the parent domain to the
sssd.conf file like this:
[
domain/EXAMPLE.com]
inherit_from =
US.EXAMPLE.com
id_provider = ad
debug_level = 7
krb5_validate = False
The closest I seem to get is an error message saying the server isn't found in the
parent domain's Kerberous DB.
Client 'host/SERVER01(a)US.EXAMPLE.COM' not found in Kerberos database
Surely there is a way to use the existing trust to let the machine joined to the child
domain authenticate users from the parent domain? I have done this successfully in this
domain before with a RedHat server using FQDN, but I am trying to get away from RedHat and
move to Ubuntu and the same configuration tricks were unable to let the Ubuntu server
lookup or authenticate users from the parent domain even with FQDNs.