Are mydomain and mydomain2 coming from a different forest? With id_provider=ad, sssd should work fine with domains from the same forest and it should pick the right principal. If it doesn’t and setting ldap_sasl_authid to shortname$@realm helps, then there must be a bug in the principal selection logic.
> On 30 Jul 2018, at 11:25, Ondrej Valousek <ondrej.valou...@s3group.com> wrote:
>
> Ok, I see that it’s probably not supported:
> https://pagure.io/SSSD/sssd/issue/2078
> right?
> Ondrej
>
> From: Ondrej Valousek [mailto:ondrej.valou...@s3group.com]
> Sent: Monday, July 30, 2018 10:45 AM
> To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org>
> Subject: [SSSD-users] sssd connecting to two AD domains
>
> Hi all,
>
> I have a machine joined to AD domain “mydomain.com” and there is also domain “mydomain2.com”. The two are connected with a full two-way trust.
>
> SSSD can happily recognize users from “mydomain.com”, but fails with users from “mydomain2.com” - sssd complains that:
>
> (Mon Jul 30 08:26:38 2018) [sssd[be[adesto]]] [get_port_status] (0x1000): Port status of port 389 for server 'server.mydomain2.com' is 'not working'
> (Mon Jul 30 08:26:38 2018) [sssd[be[adesto]]] [get_port_status] (0x0080): SSSD is unable to complete the full connection request, this internal status does not necessarily indicate network port issues.
>
> But I can connect to that server with ldapsearch just fine (using a TGT obtained with kinit -k hostname$).
>
> Earlier in the logs I spotted that SSSD is trying to obtain a TGT with a wrong principal “host/hostname@REALM” instead of “hostname$@REALM”:
>
> (Mon Jul 30 08:32:34 2018) [sssd[be[adesto]]] [sdap_get_tgt_recv] (0x0400): Child responded: 14 [Client 'host/hostn...@mydomain.com' not found in Kerberos database], expired on [0]
> (Mon Jul 30 08:32:34 2018) [sssd[be[adesto]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
> (Mon Jul 30 08:32:34 2018) [sssd[be[adesto]]] [sdap_cli_kinit_done] (0x0400): Cannot get a TGT: ret [1432158226](Authentication Failed)
>
> I am wondering why SSSD is now, all of a sudden, trying to obtain a TGT using the wrong principal?
> Using RHEL-7.
> Thanks,
>
> Ondrej
> -----
>
> The information contained in this e-mail and in any attachments is confidential and is designated solely for the attention of the intended recipient(s). If you are not an intended recipient, you must not use, disclose, copy, distribute or retain this e-mail or any part thereof. If you have received this e-mail in error, please notify the sender by return e-mail and delete all copies of this e-mail from your computer system(s). Please direct any additional queries to: communicati...@s3group.com. Thank You. Silicon and Software Systems Limited (S3 Group). Registered in Ireland no. 378073. Registered Office: South County Business Park, Leopardstown, Dublin 18.
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/5AR2PPJ3ARQDVDTLPWPLN5PSB75HVO6V/

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/Z6H27YNJRSOZE6735CWXMKAHAH4STNNG/
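As an added example (not from this thread or the SSSD project), a small Python checker that re-joins SSSD back-end log records wrapped across lines, as in the excerpts quoted above, and flags the two signatures discussed in the thread: a TGT request rejected because the client principal is unknown to the KDC, and an LDAP port reported as 'not working'. The sample log, hostnames and realm are constructed, and the shortname$@REALM derivation assumes the AD computer account name is the upper-cased short hostname.

```python
import re

# SSSD back-end log record: "(timestamp) [sssd[be[domain]]] [function] (0xlevel): message"
RECORD_RE = re.compile(r"^\((?P<ts>[^)]*)\) \[sssd\[be\[[^\]]+\]\]\] \[(?P<func>[^\]]+)\] "
                       r"\(0x[0-9a-fA-F]+\):\s*(?P<msg>.*)$")
NOT_FOUND_RE = re.compile(r"Client '(?P<princ>[^']+)' not found in Kerberos database")
PORT_RE = re.compile(r"Port status of port (?P<port>\d+) for server '(?P<server>[^']+)' is 'not working'")

# Constructed sample modelled on the excerpts in the thread; hostnames and realm are placeholders.
SAMPLE_LOG = """\
(Mon Jul 30 08:26:38 2018) [sssd[be[adesto]]] [get_port_status] (0x1000):
Port status of port 389 for server 'server.mydomain2.com' is 'not working'
(Mon Jul 30 08:32:34 2018) [sssd[be[adesto]]] [sdap_get_tgt_recv] (0x0400):
Child responded: 14 [Client 'host/myhost.mydomain.com@MYDOMAIN.COM' not found in
Kerberos database], expired on [0]
(Mon Jul 30 08:32:34 2018) [sssd[be[adesto]]] [sdap_kinit_done] (0x0100): Could not get TGT: 14 [Bad address]
""".splitlines()

def join_records(lines):
    # Pasted logs wrap long records; glue continuation lines back onto the record they belong to.
    records = []
    for line in (l.strip() for l in lines if l.strip()):
        if RECORD_RE.match(line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def suggested_sasl_authid(princ):
    # From a failing host/fqdn@REALM principal, derive the shortname$@REALM form mentioned in the reply.
    # Assumption: the AD computer account name is the upper-cased short hostname.
    if not princ.startswith("host/") or "@" not in princ:
        return None
    fqdn, realm = princ[len("host/"):].split("@", 1)
    return f"{fqdn.split('.')[0].upper()}$@{realm}"

def analyze(lines):
    # Return (timestamp, kind, detail) tuples for the two failure signatures seen in the thread.
    findings = []
    for rec in join_records(lines):
        m = RECORD_RE.match(rec)
        if not m:
            continue
        nf = NOT_FOUND_RE.search(m["msg"])
        if nf:
            findings.append((m["ts"], "tgt_principal_not_found", nf["princ"]))
        p = PORT_RE.search(m["msg"])
        if p:
            findings.append((m["ts"], "port_not_working", f"{p['server']}:{p['port']}"))
    return findings

if __name__ == "__main__":
    for ts, kind, detail in analyze(SAMPLE_LOG):
        print(ts, kind, detail, suggested_sasl_authid(detail) or "")
```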