Hi,

I am trying to find a standard configuration for Linux authentication against Active 
Directory and I am testing with CentOS 6. I have decided on an 
SSSD/Kerberos/LDAP configuration as described in Red Hat's "Integrating Red Hat 
Enterprise Linux 6 with Active Directory", section 6.3.
http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/ae40084d0a052601783f1ea42715cdef/26/jcr:frozenNode/rh:resourceFile

It works very well, but only for the one domain in our forest, i.e. b.domain.org. 
Users of the other domains in the forest cannot be authenticated. This is 
understandable, as I have pointed all the config files at the child domain's 
DCs, i.e. dc1.b.domain.org rather than dc1.domain.org. I have been searching 
for example configurations that will authenticate any user in the forest even 
though the Linux installation is joined to a different child domain, but have not 
found any. 

Scenario I would like to implement:

Linux installation hostname = lin1, joined to domain b.domain.org. Users from 
b.domain.org can log in to lin1.b.domain.org. Users from all other child domains of 
domain.org can also log in to lin1.b.domain.org, for example users from a.domain.org, 
c.domain.org or z.domain.org. 

I have attached my current config files as a reference. They work for a single 
domain rather than the whole forest. I suppose I am stuck on whether to add each 
AD child domain as a separate domain in SSSD and a separate realm in Kerberos, or 
whether I can get it to see the whole forest.


Thanks for any help / pointers,


Matthew

                                          
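# sssd.conf - SSSD client configuration for a host joined to the AD child
# domain B.DOMAIN.ORG: identities over LDAP (GSSAPI-bound), authentication
# and password changes over Kerberos. Follows the Red Hat "Integrating RHEL 6
# with Active Directory" section 6.3 recipe.
#
# NOTE(review): this file only knows about B.DOMAIN.ORG. With
# ldap_disable_referrals = true the ldap id_provider will not follow the
# referrals AD returns for objects in other domains, so users from sibling
# child domains cannot be resolved at all. With this provider the supported
# route is one [domain/<name>] section per child domain, each listed in
# `domains`. Newer SSSD releases ship an `ad` provider that handles trusted
# domains itself -- check `man sssd-ad` on the installed version.

[sssd]
config_file_version = 2
# 0 = fatal errors only; raise temporarily (e.g. 6) when debugging lookups
debug_level = 0
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
# every name listed here needs a matching [domain/<name>] section below
domains = default

[nss]
reconnection_retries = 3

[pam]
reconnection_retries = 3

[domain/default]
# Keep a hash of the last successful password for offline logins
# (stored under /var/lib/sss/db). Useful on laptops; optional on servers.
cache_credentials = true
# Enumeration (getent passwd listing every directory user) is discouraged by
# sssd.conf(5): it is slow on large domains and copies the whole user/group
# set into the local cache. Per-user lookups and logins do not need it.
enumerate = false

id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap

# Bind to AD with the host keytab. GSSAPI signs and seals the LDAP session,
# so no bind password lives in this file.
# NOTE(review): the principal below was mangled in transit ("....") and names
# a host (mhcentos3) other than the lin1 machine described in the mail. It must
# be exactly the host/ principal present in /etc/krb5.keytab on this machine
# (`klist -k` shows it).
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/mhcentos3.b.domain....@b.domain.org
ldap_schema = rfc2307bis

# NOTE(review): in AD the computer class derives from user, so this also
# matches computer objects; confirm they do not surface as POSIX users.
ldap_user_object_class = user
ldap_user_home_directory = unixHomeDirectory
ldap_user_principal = userPrincipalName
ldap_user_name = sAMAccountName

ldap_group_object_class = group

# Access control: only the AD account-expiry/disabled check is applied, so
# every AD user SSSD can resolve is allowed to log in. Once the forest is
# wired up that means every user in every child domain. Restrict it, e.g.
# `ldap_access_order = filter, expire` together with
# `ldap_access_filter = memberOf=<DN of an AD group for this host>`,
# or enforce the restriction in sshd/PAM.
ldap_access_order = expire
ldap_account_expire_policy = ad
# Kerberos realm names are upper case; AD may hand back lower-case ones
ldap_force_upper_case_realm = true
# AD returns referrals for objects held in other domains. Following them is
# slow and requires DNS for each target domain, so they are ignored here
# (see the note at the top about what that means for the forest).
ldap_disable_referrals = true

krb5_realm = B.DOMAIN.ORG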
# krb5.conf - MIT Kerberos client configuration for a host in the AD realm
# B.DOMAIN.ORG. This is one of two near-identical copies attached to the mail;
# this one points at bdc1.b.domain.org, the other at dc1.b.domain.org. Which
# of the two is currently deployed is not stated.
#
# NOTE(review): only B.DOMAIN.ORG is defined and DNS realm/KDC lookup is off,
# so a principal from any other child domain (A.DOMAIN.ORG, ...) cannot be
# located by this client, even though the AD forest trust would issue the
# cross-realm ticket. Either add a [realms] entry plus [domain_realm] mapping
# per child domain, or set dns_lookup_kdc = true so KDCs are found through the
# _kerberos._tcp SRV records that AD publishes (needs the forest DNS to be
# reachable from this host).
[logging]
 default = FILE:/var/log/krb5libs.log
# kdc and admin_server logging only matter if a KDC or kadmind runs on this
# host; harmless on a pure client.
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = B.DOMAIN.ORG
# realm and KDC addresses come from this file only, not from DNS TXT/SRV records
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
# Forwardable TGTs can be delegated to the hosts a user logs in to (e.g. over
# ssh), which is convenient but lets a compromised intermediate host act as
# that user. Keep it only if delegation is actually required.
 forwardable = true

[realms]
 B.DOMAIN.ORG = {
  kdc = bdc1.b.domain.org
# AD does not run kadmind, but admin_server is also used as the kpasswd
# target (port 464) when no kpasswd_server is set, which AD DCs do serve --
# presumably why the DC is named here. Confirm password changes work.
  admin_server = bdc1.b.domain.org
 }


# Lower-case duplicate of the realm above, presumably so that principals that
# arrive with a lower-case realm still resolve (MIT realm names are
# case-sensitive). TODO confirm it is still needed with
# ldap_force_upper_case_realm = true in sssd.conf.
 b.domain.org = {
  kdc = bdc1.b.domain.org
  admin_server = bdc1.b.domain.org
 }

[domain_realm]
# one pair per child domain is needed when extending this to the forest,
# e.g. .a.domain.org = A.DOMAIN.ORG
 .b.domain.org = B.DOMAIN.ORG
 b.domain.org = B.DOMAIN.ORG
# krb5.conf - second copy of the MIT Kerberos client configuration attached to
# the mail. Identical to the first except that the KDC is dc1.b.domain.org
# instead of bdc1.b.domain.org; the mail does not say which copy is live.
#
# NOTE(review): as with the first copy, only B.DOMAIN.ORG is known and DNS
# lookup is disabled, so users from the other child domains cannot obtain
# tickets through this client. Add per-domain [realms]/[domain_realm] entries
# or enable dns_lookup_kdc so the forest's SRV records are used.
[logging]
 default = FILE:/var/log/krb5libs.log
# only relevant if a KDC / kadmind runs locally
 kdc = FILE:/var/log/krb5kdc.log
 admin_server = FILE:/var/log/kadmind.log

[libdefaults]
 default_realm = B.DOMAIN.ORG
# static realm/KDC configuration; DNS is not consulted
 dns_lookup_realm = false
 dns_lookup_kdc = false
 ticket_lifetime = 24h
 renew_lifetime = 7d
# forwardable TGTs enable credential delegation; a compromised hop can then
# impersonate the user -- keep only if delegation is needed
 forwardable = true

[realms]
 B.DOMAIN.ORG = {
  kdc = dc1.b.domain.org
# doubles as the kpasswd (port 464) target when kpasswd_server is unset;
# AD DCs serve that even though they have no kadmind -- verify chpass works
  admin_server = dc1.b.domain.org
 }


# lower-case alias of the realm, presumably for principals returned with a
# lower-case realm name; TODO confirm still required alongside
# ldap_force_upper_case_realm in sssd.conf
 b.domain.org = {
  kdc = dc1.b.domain.org
  admin_server = dc1.b.domain.org
 }

[domain_realm]
# add a mapping pair for each further child domain of domain.org
 .b.domain.org = B.DOMAIN.ORG
 b.domain.org = B.DOMAIN.ORG