Hi,

Thanks for your reply.

I was originally using the LDAP as the id_provider but it was suggested I tried 
the AD id_provider. The nice advantage of the AD id_provider was that the 
keytab was created automatically. When I used the LDAP provider I had to create 
it on the AD DC. 

I'll have another go at the LDAP provider and check I had all domains / 
subdomains in sssd.conf and krb5.conf.

Are your Linux clients joined to subdomains rather than the parent domain? 

Thanks,

Matt

From: kara...@aselsan.com.tr
To: sssd-users@lists.fedorahosted.org
Date: Tue, 19 Nov 2013 12:28:46 +0200
Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest

We have a similar Windows AD forest:

company.com (forest root domain)
subA.company.com (subdomain)
subB.company.com (subdomain)

I am using ldap as id_provider:

id_provider = ldap

If you are using ldap as id_provider you must have 3 domain sections in sssd.conf:

[sssd]
domains = company.com, subA.company.com, subB.company.com
...
[domain/company.com]
....
[domain/subA.company.com]
...
[domain/subB.company.com]
....

In short: for each domain you have to have a domain section. Additionally your krb5.conf file must include all domains.

If you are using "id_provider = ad", I think only the root domain section is sufficient, but I didn't try it before. But in any case you have to have 3 domains in krb5.conf I think.


Taner KARAGOL
You can mail to karagol at gmail for additional information.

> Date: Mon, 16 Sep 2013 15:22:47 +0200
> From: jhro...@redhat.com
> To: sssd-users@lists.fedorahosted.org
> Subject: Re: [SSSD-users] authenticating against all sub-domains in AD forest
>
> On Mon, Sep 16, 2013 at 01:17:22PM +0000, a t wrote:
> > Hi,
> >
> > I am trying to find a standard config for Linux authentication against Active Directory and I am testing with Centos 6. I have decided on an SSSD/Kerberos/LDAP configuration as described in Red Hat's "Integrating Red Hat Enterprise Linux 6 with Active Directory" section 6.3.
> > http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/ae40084d0a052601783f1ea42715cdef/26/jcr:frozenNode/rh:resourceFile
> >
> > It works very well but for the one domain in our forest, i.e. b.domain.org. However, users of other domains in the forest cannot be authenticated. This is understandable as I have pointed all the config files at the child domain's DCs, i.e. dc1.b.domain.org rather than dc1.domain.org. I have been searching for example configurations which will authenticate any user in the forest even though the Linux installation is joined to a different child domain, but not found any.
> >
> > Scenario I would like to implement;
> >
> > Linux installation hostname = lin1
> > lin1 joined to domain b.domain.org
> > users from b.domain.org can log in to lin1.b.domain.org
> > users from all child domains of domain.org can log into lin1.b.domain.org, for example a.domain.org, c.domain.org or z.domain.org
> >
> > I have attached my current config files as a reference. They work for a single domain rather than the whole forest. I suppose I am stuck whether to add each AD child domain as separate domains in SSSD and REALMS in kerberos, or if I can get it to see the whole forest.
> >
> > Thanks for any help / pointers,
> >
> > Matthew

_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users                      
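A concrete version of the layout Taner describes above (one [domain/...] section per forest domain in sssd.conf, plus a realm mapping for every domain in krb5.conf), added here as an example and not a configuration posted by anyone in the thread. The DC hostnames and search bases are placeholders, and it assumes the client is joined to subA.company.com with its host keytab already in /etc/krb5.keytab, so the LDAP bind uses GSSAPI rather than a stored bind password.

```ini
# /etc/sssd/sssd.conf (constructed example: hostnames and search bases are placeholders)
[sssd]
config_file_version = 2
services = nss, pam
domains = company.com, subA.company.com, subB.company.com

[domain/company.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.company.com
ldap_search_base = dc=company,dc=com
ldap_schema = ad
ldap_id_mapping = True
# bind with the host keytab (GSSAPI) instead of a bind DN and password
ldap_sasl_mech = GSSAPI
krb5_realm = COMPANY.COM
krb5_server = dc1.company.com

[domain/subA.company.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.subA.company.com
ldap_search_base = dc=subA,dc=company,dc=com
ldap_schema = ad
ldap_id_mapping = True
ldap_sasl_mech = GSSAPI
krb5_realm = SUBA.COMPANY.COM
krb5_server = dc1.subA.company.com

[domain/subB.company.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldap://dc1.subB.company.com
ldap_search_base = dc=subB,dc=company,dc=com
ldap_schema = ad
ldap_id_mapping = True
ldap_sasl_mech = GSSAPI
krb5_realm = SUBB.COMPANY.COM
krb5_server = dc1.subB.company.com

# /etc/krb5.conf: every realm the client authenticates against must be mapped here
[libdefaults]
default_realm = SUBA.COMPANY.COM
dns_lookup_kdc = true

[domain_realm]
.company.com = COMPANY.COM
.suba.company.com = SUBA.COMPANY.COM
.subb.company.com = SUBB.COMPANY.COM
```

A user from a domain with no [domain/...] section is simply unknown to SSSD, so a failed login from one forest domain while another works is the first thing to check against this list.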