On Tue, Feb 27, 2024 at 05:47:50PM +0200, Alexander Bokovoy wrote:
> On Tue, 27 Feb 2024, David L wrote:
> > I'm looking for clarity about SSSD's *client-side* support for trusts.
> > 1.  Does SSSD support login for cross-domain (e.g., parent/child) trusts?
> > 2.  Does SSSD support login for users in trusted forests?
> > 2a.  If not, is there a workaround?
> > 3.  Does SSSD's group membership reporting include users from trusted 
> > forests?
> > 4.  Does SSSD's user information include groups in trusted forests?
> > 5.  Does SSSD require additional support from additional components to 
> > support login of users in trusted forests?
> > 6.  Does SSSD support two-way trusts?
> > 6a.  If not, is there a workaround?
> 
> A single answer: if there is a two-way trust between the domain the SSSD
> machine is in and the domain the users/groups are in, then SSSD will be able
> to resolve users/groups and be able to authenticate the users.
> 
> SSSD talks to AD DCs over LDAP and uses GSSAPI authentication by
> default. This works for your own domain where you are a domain member,
> and it works for all domains you can reach with a cross-realm
> Kerberos ticket issued by your own domain controller and the intermediate
> domain controllers of the trusted domains.

Hi,

please note that the above currently only works for a single forest.
Even if there is a two-way trust between the forests and the Kerberos
ticket from the local forest would be valid in the remote forest as well,
SSSD currently does not attempt to discover domains from the remote
forest. This has been on the list for some time already, but so far we
haven't had the capacity to implement and test it.

The workaround would be to add a second domain section in sssd.conf for
the remote forest, but in this setup group memberships are restricted to
the respective forest and cross-forest group memberships will not be
available.

bye,
Sumit

> 
> SSSD does not implement any of the DCE RPC calls needed to relay such a
> request to a domain controller. Hence, any topology where the
> communication can only be done via DCE RPC calls will not work.
> Use winbindd for that.
> 
> -- 
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
--
_______________________________________________
sssd-devel mailing list -- sssd-devel@lists.fedorahosted.org
To unsubscribe send an email to sssd-devel-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-devel@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
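As an added illustration of the workaround Sumit describes (this is not configuration from the thread or from the SSSD project), below is a sketch of an sssd.conf with one domain section for the forest the client is joined to and a second section for a trusted remote forest. The forest and realm names (corp.example / CORP.EXAMPLE, partner.example / PARTNER.EXAMPLE), the client hostname, the group DN in the access filter, and the choice to reuse the local host principal via ldap_sasl_authid against the remote forest are all assumptions; check sssd-ad(5) and sssd-ldap(5) for the exact options your SSSD version supports.

```ini
# Added example sssd.conf (not from the original thread): one section per forest.
# Assumed names: the client client01.corp.example is joined to corp.example
# (realm CORP.EXAMPLE); partner.example (realm PARTNER.EXAMPLE) is a separate
# forest reachable through a two-way forest trust.
[sssd]
config_file_version = 2
services = nss, pam
# Both forests are listed explicitly: SSSD will not discover partner.example
# on its own just because corp.example trusts it.
domains = corp.example, partner.example

[domain/corp.example]
id_provider = ad
access_provider = ad
ad_domain = corp.example
krb5_realm = CORP.EXAMPLE
# Domains inside this forest are discovered automatically; narrow the set
# with ad_enabled_domains if only some of them should be served:
# ad_enabled_domains = corp.example, child.corp.example
# Fully qualified names avoid a user "alice" in one forest silently shadowing
# "alice" in the other.
use_fully_qualified_names = True
cache_credentials = True
fallback_homedir = /home/%d/%u

[domain/partner.example]
id_provider = ad
access_provider = ad
ad_domain = partner.example
krb5_realm = PARTNER.EXAMPLE
# Assumption: the client has no computer object in partner.example, so it
# authenticates to the remote DCs with its own host principal, relying on the
# cross-realm ticket the trust provides, rather than with an account there.
ldap_sasl_authid = host/client01.corp.example@CORP.EXAMPLE
ldap_krb5_keytab = /etc/krb5.keytab
# Assumption: GPO evaluation expects a computer object in this forest, which
# the client lacks, so GPO access control is turned off here and access is
# limited with an LDAP filter on the user object instead (group DN assumed).
ad_gpo_access_control = disabled
ad_access_filter = (memberOf=CN=linux-users,OU=Groups,DC=partner,DC=example)
# No computer account in the remote forest whose DNS records could be updated.
dyndns_update = False
use_fully_qualified_names = True
cache_credentials = True
fallback_homedir = /home/%d/%u
```

With this layout, `id alice@partner.example` is answered by the second section, but, exactly as described above, only groups from partner.example itself are reported for her: a corp.example group that contains alice, or a partner.example group that contains a corp.example user, is not visible to either section, so do not base sudo or PAM access rules on such cross-forest memberships. `sssctl domain-list` shows which domains each section actually discovered, which is a quick way to confirm that the remote forest only appears because it was configured explicitly.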