To add a little more detail, I'm trying to determine if sssd can support a Microsoft AD to AD "Cross Forest One Way Selective Auth Trust". User accounts reside in the "trusted" forest, and are represented in the "trusting" forest via MS foreignSecurityPrincipals [1]. A foreignSecurityPrincipal has a DN composed of the objectSid of the account it maps to in the trusted forest. An example might look like:
dn: CN=S-1-5-21-1234567890-1234567890-1234567890-1234567,CN=ForeignSecurityPrincipals,dc=trusting,dc=corp,dc=com
objectClass: top
objectClass: foreignSecurityPrincipal
cn: S-1-5-21-1234567890-1234567890-1234567890-1234567
objectSid:: S-1-5-21-0987654321-0987654321-0987654321-0000011

where cn: <objectSid> would map to user1@TRUSTED <objectSid>. In order for sssd to understand that user1@TRUSTED is a member of group@TRUSTING, sssd would need to maintain a map of user1's objectSID to the foreignSecurityPrincipal located in the trusting forest. I suspect this is not currently possible for sssd, given the comment by Sumit Bose on sssd GitHub issue #7280, "Multi domain configuration - can't get all gids for all groups where the user is member of", where Sumit states: "you currently cannot mix group-memberships from different domains configured in sssd.conf by design. But as long as those two domains belong to the same forest i.e. the two domains (not forests)..." Unfortunately for me I'm dealing with 2 forests.

I'm hoping someone on this list might be able to confirm that sssd is not currently an authentication client solution for the current backend architecture I've described, which is an AD "Cross Forest One Way Selective Auth Trust".

Thank you for your time and for developing this authentication client.

Sincerely,
Bob

[1]: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-adsc/65f7d03b-8542-4a6f-8b42-ae5247f7656a
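The mapping Bob describes (an FSP's CN is the SID of the foreign principal, so a member of group@TRUSTING has to be resolved through that SID back to user1@TRUSTED) can be sketched in a few lines. The example below is added here to illustrate that step; it is not part of the original post and not sssd's code. It decodes the binary objectSid format AD actually returns over LDAP, extracts the SID from a ForeignSecurityPrincipals DN, and looks the domain SID and RID up in a table standing in for the trusted forest. The domain SIDs, RIDs, account names and DNs are constructed for the example and are hypothetical; in a real deployment the table would have to be populated by querying the trusted forest's domain controllers, which is exactly the cross-forest lookup sssd would need to perform.

```python
"""Map foreignSecurityPrincipal (FSP) group members in a trusting AD forest
back to user accounts in the trusted forest.

Added example, not sssd code. It does not talk to a directory: all
directory data below (domain SIDs, RIDs, DNs) is constructed and hypothetical.
"""
import re
import struct
from typing import Dict, Optional, Tuple


def sid_bytes_to_str(raw: bytes) -> str:
    """Decode a binary objectSid, as AD returns it over LDAP, into S-R-I-S... form.

    Layout: revision (1 byte), sub-authority count (1 byte), identifier
    authority (6 bytes, big-endian), then N little-endian uint32 sub-authorities.
    """
    if len(raw) < 8:
        raise ValueError("SID blob too short")
    revision, sub_count = raw[0], raw[1]
    if len(raw) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, raw, 8)
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def sid_str_to_bytes(sid: str) -> bytes:
    """Inverse of sid_bytes_to_str (useful when building an LDAP filter on objectSid)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def split_sid(sid: str) -> Tuple[str, int]:
    """Split 'S-1-5-21-a-b-c-RID' into ('S-1-5-21-a-b-c', RID)."""
    domain_sid, _, rid = sid.rpartition("-")
    return domain_sid, int(rid)


# An FSP's CN is the SID of the foreign principal it stands in for.
FSP_DN_RE = re.compile(r"^CN=(S-\d+(?:-\d+)+),CN=ForeignSecurityPrincipals,", re.IGNORECASE)


def fsp_sid_from_dn(dn: str) -> Optional[str]:
    """Return the SID string from a ForeignSecurityPrincipals DN, else None."""
    m = FSP_DN_RE.match(dn)
    return m.group(1) if m else None


# Hypothetical trusted forest: domain SID -> (NetBIOS name, {RID: sAMAccountName}).
# A real client would build this by resolving objectSid against the trusted
# forest's DCs; here it is constructed inline.
TRUSTED_DOMAINS: Dict[str, Tuple[str, Dict[int, str]]] = {
    "S-1-5-21-987654321-987654321-987654321": ("TRUSTED", {1105: "user1", 1106: "user2"}),
}

# Constructed 'member' values of group@TRUSTING.
GROUP_MEMBERS = [
    "CN=S-1-5-21-987654321-987654321-987654321-1105,CN=ForeignSecurityPrincipals,DC=trusting,DC=corp,DC=com",
    "CN=S-1-5-21-111-222-333-1001,CN=ForeignSecurityPrincipals,DC=trusting,DC=corp,DC=com",  # unknown forest
    "CN=S-1-5-11,CN=ForeignSecurityPrincipals,DC=trusting,DC=corp,DC=com",  # well-known SID, not a user
    "CN=localuser,CN=Users,DC=trusting,DC=corp,DC=com",  # ordinary local member
]


def resolve_members(member_dns, trusted_domains):
    """Return {member DN: 'user@NETBIOS'} for FSP members that resolve to a
    trusted-forest account, the DN itself for local (non-FSP) members, and
    None for FSPs whose SID is not a known trusted-domain user."""
    out = {}
    for dn in member_dns:
        sid = fsp_sid_from_dn(dn)
        if sid is None:
            out[dn] = dn  # local object, nothing to translate
            continue
        domain_sid, rid = split_sid(sid)
        domain = trusted_domains.get(domain_sid)
        out[dn] = "%s@%s" % (domain[1][rid], domain[0]) if domain and rid in domain[1] else None
    return out


if __name__ == "__main__":
    for dn, who in resolve_members(GROUP_MEMBERS, TRUSTED_DOMAINS).items():
        print("%-50s -> %s" % (dn.split(",")[0], who))
```

Two of the constructed members deliberately fail to resolve: an FSP whose domain SID belongs to no configured trust, and the well-known Authenticated Users FSP (S-1-5-11), which is a real object in most ForeignSecurityPrincipals containers but is not a user account in any trusted forest. A client doing this mapping has to treat both as "not a trusted-forest user" rather than error out, which is why the lookup checks the domain SID before the RID.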
