I'm sorry for the late reply, but we've all been busy finishing work on a RHEL update.
On Mon, Oct 23, 2017 at 10:29:13AM +0200, Jeremy Monnet wrote:
> Hi,
>
> I am trying to set up authentication against Active Directory, with
> multiple domains, and I haven't been able to find the recommended way to do
> it (it is very possible I missed it...), so I am looking for explanation
> and advice.
>
> With a master domain example.com, and subdomains sub1.example.com,
> sub2.example.com, etc., how would you set up sssd (and the Linux system) to
> authenticate the users from all the domains?
>
> To give the example, my user is AD admin across all the forests
> (my_u...@example.com), and I want to authenticate on all the servers,
> smtp.example.com or proxy.sub1.example.com, etc. I also want on some
> computers to authenticate a customer's account (my_custo...@sub1.example.com).
>
> For now, I have 2 different setups:
> - on computers from example.com
>
> [sssd]
> config_file_version = 2
> debug_level =0
> domains = example.com
> services = nss, pam
> [domain/example.com]
> enumerate = true
> dns_discovery_domain = cy2._sites.example.com
> debug_level = 8
> id_provider = ad
> access_provider = ad
> ldap_id_mapping = false
> #dyndns_update = false

This should just work for all domains, SSSD should autodiscover all the
trusted domains from the forest.

Instead of the dns_discovery_domain, you should use "ad_site = cy2"

If something does not work, please send logs, see
https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html

But I would strongly recommend against enumerate=true both for performance
reasons and because following the logs is then quite hard.

> - on computers from sub1.example.com
>
> [sssd]
> config_file_version = 2
> debug_level =0
> domains = sub1.example.com,example.com
> services = nss, pam
>
> [domain/example.com]
> enumerate = true
> dns_discovery_domain = cy2._sites.example.com
> debug_level = 9
> id_provider = ad
> access_provider = ad
> ldap_id_mapping = false
>
> [domain/sub1.example.com]
> enumerate = true
> dns_discovery_domain = cy2._sites.sub1.example.com
> debug_level = 7
> id_provider = ad
> access_provider = ad
> ldap_id_mapping = false

This should not be needed and is not completely correct either. Defining
each domain separately is a valid workaround for domains in different
forests. It was also a valid workaround for older releases if only some
domains were reachable, so you'd disable the automatic subdomain discovery
with subdomain_provider=none and then create a separate domain entry for
each trusted domain.

But with modern releases this should not be necessary, even if only the
forest root and sub1.example.com are reachable, you could instead use
"ad_enabled_domains = sub1.example.com,example.com"

But if all domains are reachable, defining each domain should not be
required and all users and groups from those domains should be resolvable.
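As an added example (not part of the reply above, nor SSSD project code), the following Python script encodes the recommendations in this reply as checks over a constructed sssd.conf modelled on the second configuration in the question. It flags `enumerate = true`, a `dns_discovery_domain` of the `<site>._sites.<domain>` form that should be `ad_site`, and a redundant per-domain section for a DNS child domain. The assumption that a DNS child domain belongs to the same forest as its parent is the script's own, not something the reply states, so `fix_conf()` applies only the two unconditional changes and leaves the domain layout as a finding for a human to decide; the `ad_enabled_domains` text it suggests is built from the domain names present in the file.

```python
"""Check an sssd.conf against the recommendations in the reply above.

Added example; the heuristics are this script's own, not SSSD's.
"""
import configparser
import io

# Constructed sample, modelled on the sub1.example.com machine config from the
# question (the layout the reply says should not be needed).
SAMPLE_CONF = """\
[sssd]
config_file_version = 2
debug_level = 0
domains = sub1.example.com,example.com
services = nss, pam

[domain/example.com]
enumerate = true
dns_discovery_domain = cy2._sites.example.com
debug_level = 9
id_provider = ad
access_provider = ad
ldap_id_mapping = false

[domain/sub1.example.com]
enumerate = true
dns_discovery_domain = cy2._sites.sub1.example.com
debug_level = 7
id_provider = ad
access_provider = ad
ldap_id_mapping = false
"""


def parse_sssd_conf(text):
    """sssd.conf is INI-style; section names like 'domain/example.com' are fine
    for configparser. Interpolation is disabled so '%' in values is literal."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _site_from_discovery_domain(value):
    """'cy2._sites.example.com' -> 'cy2'; anything else -> None."""
    if "._sites." in value:
        return value.split("._sites.", 1)[0]
    return None


def check_conf(text):
    """Return (section, option, advice) triples for the anti-patterns named in the reply."""
    cp = parse_sssd_conf(text)
    findings = []
    domains = [s for s in cp.sections() if s.startswith("domain/")]
    for s in domains:
        if cp.get(s, "enumerate", fallback="false").strip().lower() == "true":
            findings.append((s, "enumerate",
                             "drop it: costly and makes the logs hard to follow"))
        site = _site_from_discovery_domain(cp.get(s, "dns_discovery_domain", fallback=""))
        if site is not None:
            findings.append((s, "dns_discovery_domain", f"replace with 'ad_site = {site}'"))
    # Several explicit AD domain sections where one is a DNS child of another.
    # Assumption (ours): a DNS child domain is a trusted domain of the same forest,
    # which modern SSSD discovers on its own from the forest root.
    names = [s.split("/", 1)[1] for s in domains
             if cp.get(s, "id_provider", fallback="") == "ad"]
    children = sorted(n for n in names if any(n.endswith("." + p) for p in names if p != n))
    if children:
        roots = [n for n in names if n not in children]
        findings.append(("sssd", "domains",
                         "only the forest root section is needed; if only some domains "
                         "are reachable, set ad_enabled_domains = "
                         f"{','.join(children + roots)} instead"))
    return findings


def fix_conf(text):
    """Apply the two unconditional fixes (no enumerate, ad_site instead of
    dns_discovery_domain) and return the rewritten config as a string.
    The domain layout is left alone; check_conf() still reports it."""
    cp = parse_sssd_conf(text)
    for s in [s for s in cp.sections() if s.startswith("domain/")]:
        cp.remove_option(s, "enumerate")
        site = _site_from_discovery_domain(cp.get(s, "dns_discovery_domain", fallback=""))
        if site is not None:
            cp.remove_option(s, "dns_discovery_domain")
            cp.set(s, "ad_site", site)
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for section, option, advice in check_conf(SAMPLE_CONF):
        print(f"[{section}] {option}: {advice}")
    print(fix_conf(SAMPLE_CONF))
```

Run against a real `/etc/sssd/sssd.conf` by reading the file into `check_conf()`; the `ad_enabled_domains` suggestion only applies, as the reply says, when some domains of the forest are unreachable, otherwise the child section can simply be removed.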