Hi, I am trying to find a standard config for Linux authentication against Active Directory and I am testing with CentOS 6. I have decided on an SSSD/Kerberos/LDAP configuration as described in Red Hat's "Integrating Red Hat Enterprise Linux 6 with Active Directory", section 6.3. http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/ae40084d0a052601783f1ea42715cdef/26/jcr:frozenNode/rh:resourceFile

It works very well, but only for the one domain in our forest, i.e. b.domain.org. However, users of other domains in the forest cannot be authenticated. This is understandable, as I have pointed all the config files at the child domain's DCs, i.e. dc1.b.domain.org rather than dc1.domain.org. I have been searching for example configurations which will authenticate any user in the forest even though the Linux installation is joined to a different child domain, but have not found any.

Scenario I would like to implement:

- Linux installation hostname = lin1
- lin1 joined to domain b.domain.org
- users from b.domain.org can log in to lin1.b.domain.org
- users from all child domains of domain.org can log in to lin1.b.domain.org, for example a.domain.org, c.domain.org or z.domain.org

I have attached my current config files as a reference. They work for a single domain rather than the whole forest. I suppose I am stuck on whether to add each AD child domain as a separate domain in SSSD and a separate realm in Kerberos, or if I can get it to see the whole forest.

Thanks for any help / pointers,
Matthew
sssd.conf:

[sssd]
config_file_version = 2
debug_level = 0
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = default

[nss]
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/default]
cache_credentials = True
enumerate = true
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/mhcentos3.b.domain....@b.domain.org
ldap_schema = rfc2307bis
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName
ldap_group_object_class = group
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = true
ldap_disable_referrals = true
krb5_realm = B.DOMAIN.ORG
krb5.conf:

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = B.DOMAIN.ORG
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 B.DOMAIN.ORG = {
  kdc = bdc1.b.domain.org
  admin_server = bdc1.b.domain.org
 }
 b.domain.org = {
  kdc = bdc1.b.domain.org
  admin_server = bdc1.b.domain.org
 }

[domain_realm]
 .b.domain.org = B.DOMAIN.ORG
 b.domain.org = B.DOMAIN.ORG

krb5.conf (second copy, with dc1 as the KDC):

[logging]
 default = FILE:/var/log/krb5libs.log
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = B.DOMAIN.ORG
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
 forwardable = true

[realms]
 B.DOMAIN.ORG = {
  kdc = dc1.b.domain.org
  admin_server = dc1.b.domain.org
 }
 b.domain.org = {
  kdc = dc1.b.domain.org
  admin_server = dc1.b.domain.org
 }

[domain_realm]
 .b.domain.org = B.DOMAIN.ORG
 b.domain.org = B.DOMAIN.ORG
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
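Added example (editor's code, not part of the original post or of SSSD/Red Hat documentation). With dns_lookup_realm and dns_lookup_kdc both set to false, as in the krb5.conf above, libkrb5 can only reach a realm that is listed under [realms], and can only decide which realm a host belongs to from the [domain_realm] table. The script below parses a krb5.conf, applies the [domain_realm] matching rule (exact host first, then parent domains with a leading dot), and reports for each child domain of the forest whether its DCs map to their own realm and whether that realm has a KDC. It also emits a forest-wide krb5.conf that lists every child domain as its own realm, which is the "one realm per child domain" option the question raises. The hostnames dc1.a.domain.org, dc1.b.domain.org, dc1.domain.org, the sample configs and the child-domain list are constructed for the example. The SSSD side (one [domain/...] section per child domain when using the ldap id_provider as here) is not covered by the script.

```python
import re

# Constructed sample modeled on the single-domain krb5.conf in the post:
# only b.domain.org is known, and DNS lookups are disabled.
SINGLE_DOMAIN_CONF = """
[libdefaults]
 default_realm = B.DOMAIN.ORG
 dns_lookup_realm = false
 dns_lookup_kdc = false

[realms]
 B.DOMAIN.ORG = {
  kdc = dc1.b.domain.org
  admin_server = dc1.b.domain.org
 }

[domain_realm]
 .b.domain.org = B.DOMAIN.ORG
 b.domain.org = B.DOMAIN.ORG
"""


def parse_krb5_conf(text):
    """Minimal parser for the krb5.conf profile format: [section] headers,
    'key = value' lines and 'NAME = { ... }' blocks one level deep.
    Values are kept as lists because keys such as kdc may repeat."""
    conf, section, block = {}, None, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^\[(\w+)\]$", line)
        if m:
            section, block = conf.setdefault(m.group(1), {}), None
            continue
        if section is None:          # key outside any section: ignore
            continue
        if line == "}":
            block = None
            continue
        m = re.match(r"^(\S+)\s*=\s*\{$", line)
        if m:
            block = section.setdefault(m.group(1), {})
            continue
        key, _, value = line.partition("=")
        target = block if block is not None else section
        target.setdefault(key.strip(), []).append(value.strip())
    return conf


def host_realm(conf, hostname):
    """[domain_realm] lookup the way libkrb5 does it: an exact hostname entry
    wins, then parent domains are tried with a leading dot, most specific
    first. Returns None when nothing matches; libkrb5 would then fall back
    to DNS (only if dns_lookup_realm is on) or to the default/referral realm."""
    table = {k.lower(): v[0] for k, v in conf.get("domain_realm", {}).items()}
    host = hostname.lower().rstrip(".")
    if host in table:
        return table[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in table:
            return table[parent]
    return None


def kdcs_for(conf, realm):
    """KDCs statically listed for a realm in [realms]; empty when the realm is
    absent, which with dns_lookup_kdc = false means it cannot be contacted."""
    return conf.get("realms", {}).get(realm, {}).get("kdc", [])


def check_forest_coverage(conf, child_domains):
    """Map each child domain to (realm its DCs resolve to, usable?). 'usable'
    requires the AD convention realm == DOMAIN in upper case AND a KDC entry,
    so a domain that only falls through to a forest-root wildcard is flagged."""
    report = {}
    for domain in child_domains:
        realm = host_realm(conf, "dc1." + domain)   # any host in the domain
        usable = realm == domain.upper() and bool(kdcs_for(conf, realm))
        report[domain] = (realm, usable)
    return report


def forest_krb5_conf(default_realm, kdcs_by_domain):
    """Emit a krb5.conf naming every child domain explicitly, for hosts that
    keep DNS lookups off. kdcs_by_domain maps a lower-case DNS domain to its
    KDC hostnames; the realm name is the domain upper-cased, as AD does."""
    out = ["[libdefaults]", f" default_realm = {default_realm}",
           " dns_lookup_realm = false", " dns_lookup_kdc = false",
           " forwardable = true", "", "[realms]"]
    for domain, kdcs in sorted(kdcs_by_domain.items()):
        out.append(f" {domain.upper()} = {{")
        out += [f"  kdc = {k}" for k in kdcs]
        out += [f"  admin_server = {kdcs[0]}", " }"]
    out += ["", "[domain_realm]"]
    for domain in sorted(kdcs_by_domain):
        out += [f" .{domain} = {domain.upper()}", f" {domain} = {domain.upper()}"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    forest = ["a.domain.org", "b.domain.org", "z.domain.org"]
    print("single-domain:", check_forest_coverage(parse_krb5_conf(SINGLE_DOMAIN_CONF), forest))
    wide = forest_krb5_conf("B.DOMAIN.ORG", {"domain.org": ["dc1.domain.org"],
                                            "a.domain.org": ["dc1.a.domain.org"],
                                            "b.domain.org": ["dc1.b.domain.org"]})
    print("forest-wide:", check_forest_coverage(parse_krb5_conf(wide), forest))
```

Run against the post's single-domain file, the report shows a.domain.org mapping to no realm at all; run against the generated file it passes, except for a child domain that was left out of the table (z.domain.org), which silently falls through to the forest-root wildcard .domain.org and is flagged as unusable. That is the failure to watch for when maintaining the table by hand: a new child domain in the forest will authenticate nowhere until both its [realms] block and its [domain_realm] lines are added on every Linux host.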