I am wondering if sssd can be configured to pull user accounts from 1 AD domain (trusted) and correlate those user accounts to groups stored in the trusting AD domain? The "trusting" AD domain will have groups whose members are identified via user objectSids in the format of CN=ForeignSecurityPrincipals,DC=trusting,DC=com ; e.g.:
dn: CN=group,OU=groups,DC=trusting,DC=com
member: CN=S-1-5-21-1234567890-1234567890-1234567890-1234567,CN=ForeignSecurityPrincipals,DC=trusting,DC=com
member: CN=S-1-5-21-1234567890-1234567890-1234567890-1234568,CN=ForeignSecurityPrincipals,DC=trusting,DC=com

The user accounts which are members of dn: CN=group,OU=groups,DC=trusting,DC=com would be located in the "trusted" domain, e.g.:

dn: cn=user1,ou=accounts,dc=trusted,dc=com
samaccountname=user1
cn=user1
objectsid=S-1-5-21-1234567890-1234567890-1234567890-1234567

dn: cn=user2,ou=accounts,dc=trusted,dc=com
samaccountname=user2
cn=user2
objectsid=S-1-5-21-1234567890-1234567890-1234567890-1234568

The sssd client will be joined to the trusting domain, and configured with 2 "bind" accounts. The joined host's /etc/krb5.keytab will allow reading of objects in the "trusting" domain such as the group information, and a second "bind" account, perhaps in the form of a shared keytab and principal, will allow reading the user objects in the "trusted" domain.

I can configure sssd.conf to use 2 separate "bind" accounts, but what I am unsure of is whether sssd will recognize that user1@TRUSTED is a member of group@TRUSTING via the CN=ForeignSecurityPrincipals mapping shown in the AD group object above.

At this point my sssd.conf configuration allows me to:

% getent passwd <user_from_trusted>
% getent group <group_from_trusting>

but when I run something like "id/groups <user_from_trusted>" the groups defined in trusting are not shown.

Can I expect sssd to support this type of AD to AD 1 way trust, where groups defined in the trusting domain have members identified via objectSid?
Thank you for your time and assistance,
Bob
--
sssd-users mailing list -- [email protected]
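As an added example (not from the original post and not sssd's own code), the following Python script performs the ForeignSecurityPrincipal-to-objectSid correlation the question describes on constructed LDIF data, so the group list one would expect from "id user1" can be compared against what sssd actually returns. The DNs and SIDs are constructed to mirror the question; the parser is a minimal reader for this shape of LDIF only.

```python
import re
from collections import defaultdict

# Constructed sample data: a group in the trusting domain whose members are
# ForeignSecurityPrincipal (FSP) entries, and user objects in the trusted
# domain carrying the matching objectSid values.
TRUSTING_LDIF = """\
dn: CN=group,OU=groups,DC=trusting,DC=com
member: CN=S-1-5-21-1234567890-1234567890-1234567890-1234567,CN=ForeignSecurityPrincipals,DC=trusting,DC=com
member: CN=S-1-5-21-1234567890-1234567890-1234567890-1234568,CN=ForeignSecurityPrincipals,DC=trusting,DC=com
"""
TRUSTED_LDIF = """\
dn: cn=user1,ou=accounts,dc=trusted,dc=com
samaccountname: user1
objectsid: S-1-5-21-1234567890-1234567890-1234567890-1234567

dn: cn=user2,ou=accounts,dc=trusted,dc=com
samaccountname: user2
objectsid: S-1-5-21-1234567890-1234567890-1234567890-1234568
"""

# An FSP member DN encodes the foreign user's SID as its RDN.
FSP_RE = re.compile(r"^CN=(S-1-5-[\d-]+),CN=ForeignSecurityPrincipals,", re.IGNORECASE)

def parse_ldif(text):
    """Minimal LDIF reader: list of dicts mapping lowercased attribute -> list of values."""
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, val = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(val.strip())
    if cur:
        entries.append(cur)
    return entries

def fsp_sid(member_dn):
    """Return the SID carried by a ForeignSecurityPrincipals member DN, or None."""
    m = FSP_RE.match(member_dn)
    return m.group(1).upper() if m else None

def expected_groups(trusting_ldif, trusted_ldif):
    """Map each trusted-domain sAMAccountName to trusting-domain groups whose FSP members carry its SID."""
    sid_to_user = {}
    for e in parse_ldif(trusted_ldif):
        if "objectsid" in e and "samaccountname" in e:
            sid_to_user[e["objectsid"][0].upper()] = e["samaccountname"][0]
    result = defaultdict(set)
    for g in parse_ldif(trusting_ldif):
        for sid in filter(None, map(fsp_sid, g.get("member", []))):
            if sid in sid_to_user:
                result[sid_to_user[sid]].add(g["dn"][0])
    return {user: sorted(groups) for user, groups in result.items()}
```

If a user appears here but not in the output of "id" on the sssd client, the FSP membership is the part of the chain that is not being resolved.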
