Hi,

Nobody has a clue on the best practices for AD domains with trust? :-(

Regs,

Jeremy

On Mon, Oct 23, 2017 at 10:29 AM, Jeremy Monnet <jmon...@gmail.com> wrote:

> Hi,
>
> I am trying to setup an authentication against Active Directory, with
> multiple domains, and I haven't been able to find the recommended way to do
> it (it is very possible I missed it...), so I am looking for explanation
> and advice.
>
> With a master domain example.com, and subdomains sub1.example.com,
> sub2.example.com, etc., how would you set up sssd (and the Linux system) to
> authenticate the users from all the domains?
>
> To give an example, my user is AD admin across all the forests (
> my_u...@example.com), and I want to authenticate on all the servers,
> smtp.example.com or proxy.sub1.example.com, etc. I also want, on some
> computers, to authenticate customers' accounts (my_custo...@sub1.example.com).
>
> For now, I have 2 different setups:
> - on computers from example.com
> [sssd]
> config_file_version = 2
> debug_level =0
> domains = example.com
> services = nss, pam
> [domain/example.com]
> enumerate = true
> dns_discovery_domain = cy2._sites.example.com
> debug_level = 8
> id_provider = ad
> access_provider = ad
> ldap_id_mapping = false
> #dyndns_update = false
>
> - on computers from sub1.example.com
> [sssd]
> config_file_version = 2
> debug_level =0
> domains = sub1.example.com,example.com
> services = nss, pam
>
> [domain/example.com]
> enumerate = true
> dns_discovery_domain = cy2._sites.example.com
> debug_level = 9
> id_provider = ad
> access_provider = ad
> ldap_id_mapping = false
>
> [domain/sub1.example.com]
> enumerate = true
> dns_discovery_domain = cy2._sites.sub1.example.com
> debug_level = 7
> id_provider = ad
> access_provider = ad
> ldap_id_mapping = false
>
> I join computers to example.com or to sub1.example.com:
> adcli join example.com -U my_u...@example.com
> or
> adcli join sub1.example.com -U my_u...@example.com
> as I would do with an ordinary windows workstation.
>
> And for AD, I use the POSIX attributes (and that may be the way...) so if
> a UID or GID exists in both domains, I happen to find wrong group names,
> etc.
>
>
> I hope my questions are clear enough! :-) What am I doing wrong? What
> are the recommended settings for that situation?
>
> Thanks,
>
> Jeremy
>
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
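The symptom described in the quoted mail (a UID or GID present in two domains resolving to the wrong name) is easy to reproduce offline. The following is an added example, not code from the thread or from sssd: it parses an sssd.conf shaped like the poster's second one, picks out the domains that take IDs straight from AD POSIX attributes (`ldap_id_mapping = false`), and reports every UID/GID claimed by more than one of them. The configuration text and the two small "directories" of POSIX attributes are constructed for the demonstration.

```python
"""Detect the POSIX-ID collision risk described in the thread: several AD
domains served by one sssd with ldap_id_mapping = false, so a UID or GID
present in both domains maps to whichever name is found first.  Added
example, not sssd code; the config text and both directories are constructed."""
import configparser

# Constructed copy of the poster's second sssd.conf (sub1.example.com host),
# reduced to the options this check needs.
SSSD_CONF = """
[sssd]
config_file_version = 2
domains = sub1.example.com,example.com
services = nss, pam

[domain/example.com]
id_provider = ad
ldap_id_mapping = false

[domain/sub1.example.com]
id_provider = ad
ldap_id_mapping = false
"""

# Constructed sample of the POSIX attributes each domain hands out.
# uidNumber/gidNumber are assigned per domain by hand, so overlaps happen.
DIRECTORIES = {
    "example.com": {"users": {10001: "my_user"}, "groups": {5000: "admins"}},
    "sub1.example.com": {"users": {10001: "my_customer"}, "groups": {5000: "customers"}},
}

def posix_domains(conf_text):
    """Return the active domains whose IDs come from AD POSIX attributes.
    The AD provider maps IDs from SIDs by default, hence fallback=True."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    active = [d.strip() for d in cp["sssd"]["domains"].split(",")]
    return [d for d in active
            if not cp.getboolean(f"domain/{d}", "ldap_id_mapping", fallback=True)]

def id_collisions(domains, directories):
    """Map each UID/GID used by more than one domain to the names sharing it."""
    out = {}
    for kind in ("users", "groups"):
        seen = {}
        for dom in domains:
            for num, name in directories[dom][kind].items():
                seen.setdefault(num, []).append(f"{name}@{dom}")
        out[kind] = {n: owners for n, owners in seen.items() if len(owners) > 1}
    return out

if __name__ == "__main__":
    for kind, clashes in id_collisions(posix_domains(SSSD_CONF), DIRECTORIES).items():
        for num, owners in clashes.items():
            print(f"{kind[:-1]} id {num} is claimed by {', '.join(owners)}")
```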