On Tue, Oct 06, 2015 at 05:43:45PM +0200, Jordi Claret wrote:
> Hi All!
>
> I explain my problem...
>
> We have 2 Windows Active Directory domains in different forests, and I
> need to authenticate with password and passwordless against first one
> (DOMAIN1), and only with password against second one (DOMAIN2). I know that
> SSSD currently does not support AD-AD cross-forest and I already have
> created two separate entries in sssd.conf for both domains, but it seems
> you need to join both domains and I need a computer object created in 2
> ADs. Is it possible to authenticate by SSH with password against second
> domain without AD computer object created in the second domain and
> id_provider=ad ?

id_provider=ad requires a keytab to be present. The principal can be overridden in the config file I guess, but a keytab is required.

btw are there any AD provider features that you absolutely need (like GPOs)? If not, would using id_provider=ldap with ldap_schema=ad be enough?

>
> Versions => rhel6 and sssd 1.12.4-47
>
> Thanks!
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
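
The layout the reply asks about, added here as an example and not taken from the thread or from the SSSD project: DOMAIN1 keeps id_provider=ad with the host keytab, while DOMAIN2 uses id_provider=ldap with ldap_schema=ad and password-only authentication. All host names, DNs, file paths and the bind account are constructed placeholders, and using auth_provider=ldap for DOMAIN2 is an assumption.

```ini
# Added example; every host name, DN, path and secret is a placeholder.
[sssd]
config_file_version = 2
services = nss, pam
domains = DOMAIN1, DOMAIN2

# DOMAIN1: the host is joined and has a keytab, so both password and
# passwordless (Kerberos/GSSAPI) SSH logins are possible.
[domain/DOMAIN1]
id_provider = ad
auth_provider = ad
ad_domain = domain1.example.com
krb5_realm = DOMAIN1.EXAMPLE.COM

# DOMAIN2: no computer object and no keytab. Identities are read over
# LDAP with a low-privilege bind account; passwords are checked with an
# LDAP bind as the user, which SSSD only performs over an encrypted channel.
[domain/DOMAIN2]
id_provider = ldap
auth_provider = ldap
ldap_schema = ad
ldap_uri = ldaps://dc1.domain2.example.com
ldap_search_base = dc=domain2,dc=example,dc=com
ldap_default_bind_dn = CN=svc-sssd,OU=Service Accounts,DC=domain2,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = REPLACE_WITH_BIND_PASSWORD
# Verify the domain controller's certificate; do not relax this to "never",
# since user passwords travel over this connection.
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/pki/tls/certs/domain2-ca.pem
# Derive UIDs/GIDs from objectSID instead of requiring POSIX attributes.
ldap_id_mapping = True
ldap_referrals = False
# Log in as user@DOMAIN2 so names cannot collide with DOMAIN1 accounts.
use_fully_qualified_names = True
```

Because the file holds the DOMAIN2 bind password, it must be owned by root with mode 0600, and the bind account should have read-only directory access.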
