On Tue, 2012-08-07 at 16:36 +0100, Johnathan Phan wrote:
> Hi Simo,
>
> This document here implies that this does it.
>
> http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/Setting_Up_Cross_Realm_Authentication.html#basic-trust

This document does not apply to Identity Management (FreeIPA in RHEL
speak), it is for a classic Kerberos KDC. However it is a reasonable
guide to experiment with trusts.

> However during testing it does not behave as expected.
>
> Do you have any documentation on how SSSD can be configured so that
> when logging in on a server in a.example.com with a user that exists
> in the IPA server responsible for domain b.example.com can happen.
> Only based on the rights the group has in b.example.com.
>
> Any reference material on how that could work will help me a long way.

You should look into the fact SSSD can be defined to have multiple
domains. This means though that the 'receiving' machines need to be
configured for both realms.

This is one of the gotchas, given the current lack of actual
integration. Moving forward, when we will have official integration,
manual configuration of a separate SSSD domain will not be necessary and
group memberships will work better.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
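
One way the multi-domain setup mentioned in the reply could look in /etc/sssd/sssd.conf, as an added example that is not part of the original message and not taken from FreeIPA documentation. Host names, the search base and the group name b-admins are placeholders, and treating the second realm as a plain LDAP plus Kerberos domain is an assumption of this sketch.

```ini
# Constructed example: all host names, realms and group names are placeholders.
# The host must also be able to locate the KDCs of both realms (krb5.conf or DNS).
[sssd]
config_file_version = 2
services = nss, pam
# Both domains are listed, so lookups and logins are tried against each.
domains = a.example.com, b.example.com

# Home realm: the machine is enrolled in this IPA domain.
[domain/a.example.com]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = a.example.com
ipa_server = ipa.a.example.com
ipa_hostname = host1.a.example.com
cache_credentials = True

# Second realm, configured by hand as a separate SSSD domain (assumption:
# identities read over LDAP, passwords checked against that realm's KDC).
[domain/b.example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://ipa.b.example.com
ldap_search_base = dc=b,dc=example,dc=com
ldap_schema = rfc2307bis
krb5_realm = B.EXAMPLE.COM
krb5_server = ipa.b.example.com
# Keep names from the two realms distinct (user@b.example.com).
use_fully_qualified_names = True
# The default access_provider is "permit", which would admit every user of
# b.example.com; restrict logins to one group instead (hypothetical name).
access_provider = simple
simple_allow_groups = b-admins
```

Without an explicit access_provider on the second domain, any account that authenticates against b.example.com can log in to the host, so the group restriction is the part to review first.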