On Tue, 27 Feb 2024, David L wrote:
I'm looking for clarity about SSSD's *client-side* support for trusts.

1. Does SSSD support login for cross-domain (e.g., parent/child) trusts?
2. Does SSSD support login for users in trusted forests?
2a. If not, is there a workaround?
3. Does SSSD's group membership reporting include users from trusted forests?
4. Does SSSD's user information include groups in trusted forests?
5. Does SSSD require additional support from additional components to support login of users in trusted forests?
6. Does SSSD support two-way trusts?
6a. If not, is there a workaround?
A single answer: if there is a two-way trust between the domain the SSSD machine is in and the domains the users/groups are in, then SSSD will be able to resolve users/groups and be able to authenticate the users.

SSSD talks to AD DCs over LDAP and uses GSSAPI authentication by default. This works for your own domain, where you are a domain member, and it works for all domains you can reach with a cross-realm Kerberos ticket issued by your own domain controller and the intermediate domain controllers of the trusted domains.

SSSD does not implement any of the DCE RPC calls needed to relay such a request to a domain controller. Hence, any topology where communication can only be done via DCE RPC calls will not work. Use winbindd for that.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
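The condition Alexander describes can be checked from the client before blaming SSSD: can this host obtain a cross-realm Kerberos ticket for a DC in the trusted forest and bind to it over LDAP with GSSAPI? The script below is an added example, not SSSD's or Red Hat's code; the realm and DC names are placeholders, and `live_check` assumes a joined host whose /etc/krb5.keytab holds the host principal (the classification helper only parses `klist` output and runs offline).

```shell
#!/bin/sh
# Client-side check for the trust path SSSD relies on: a cross-realm ticket for
# the trusted forest's DC, then an LDAP bind over GSSAPI. If this fails, SSSD
# cannot resolve that forest's users either, since it has no DCE RPC fallback.
# Placeholder names; override through the environment on a real host.
OWN_REALM="${OWN_REALM:-EXAMPLE.COM}"                 # realm this host is joined to
TRUSTED_DC="${TRUSTED_DC:-dc1.trusted.example.net}"   # a DC in the trusted forest
TRUSTED_REALM="${TRUSTED_REALM:-TRUSTED.EXAMPLE.NET}" # that forest's Kerberos realm

# has_ticket KLIST_OUTPUT PRINCIPAL: succeed if the credential cache listing
# contains a ticket for PRINCIPAL (fixed-string match, so '$' and '/' are safe).
has_ticket() {
    printf '%s\n' "$1" | grep -q -F -- "$2"
}

# cross_realm_status KLIST_OUTPUT: classify how far along the trust path the
# cache has got: own-only (no cross-realm TGT), cross-realm (TGT for the trusted
# realm issued by our KDC), or ldap-ok (service ticket for the trusted DC).
cross_realm_status() {
    out="$1"
    if has_ticket "$out" "ldap/${TRUSTED_DC}@${TRUSTED_REALM}"; then
        echo ldap-ok
    elif has_ticket "$out" "krbtgt/${TRUSTED_REALM}@${OWN_REALM}"; then
        echo cross-realm
    else
        echo own-only
    fi
}

# live_check: run the real exchange on a joined host. kinit -k uses the host
# principal from /etc/krb5.keytab; kvno asks our KDC for the cross-realm path to
# the trusted DC's LDAP service; ldapsearch then binds there with GSSAPI.
live_check() {
    kinit -k || return 1
    kvno "ldap/${TRUSTED_DC}@${TRUSTED_REALM}" || return 1
    ldapsearch -LLL -Y GSSAPI -H "ldap://${TRUSTED_DC}" -s base -b "" \
        defaultNamingContext || return 1
    cross_realm_status "$(klist)"
}
```

On a host that is reachable only through DCE RPC (the case the answer says needs winbindd) the `kvno` step is where this stops, because no cross-realm krbtgt can be issued for that path.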