[SSSD-users] Re: Why is my sssd deployment not doing cross-subdomain AD authentication?

2018-07-08 Thread Spike White
Thanks, I'll check it out. On Sun, Jul 8, 2018 at 2:30 PM Michael Ströder wrote: > Disclaimer: I did not follow this thread closely. > > On 07/08/2018 08:06 PM, Spike White wrote: > > Yes, most of the groups missing when I set 'ldap_use_tokengroups = true' > > are universal groups. > > I

[SSSD-users] Re: Why is my sssd deployment not doing cross-subdomain AD authentication?

2018-07-08 Thread Michael Ströder
Disclaimer: I did not follow this thread closely. On 07/08/2018 08:06 PM, Spike White wrote: Yes, most of the groups missing when I set 'ldap_use_tokengroups = true' are universal groups. I vaguely remember that Volker said something about this in his FOSDEM talk:

[SSSD-users] Re: Why is my sssd deployment not doing cross-subdomain AD authentication?

2018-07-08 Thread Spike White
Yes, most of the groups missing when I set 'ldap_use_tokengroups = true' are universal groups. I don't know where universal groups reside. Whether it's in the parent domain (dell.com), or in the GC or where. (I'm not an AD expert -- I'm a Linux engineer that has done some AD integration

[SSSD-users] Re: Why is my sssd deployment not doing cross-subdomain AD authentication?

2018-07-04 Thread Sumit Bose
On Wed, Jul 04, 2018 at 03:24:47AM -0500, Spike White wrote: > Thanks for responding. > > What you said was not exactly my situation, but it got me poking around and > finally I got the configuration working. > > I find this interesting item when looking at various sssd subcommands; > >

[SSSD-users] Re: Why is my sssd deployment not doing cross-subdomain AD authentication?

2018-07-04 Thread Spike White
Thanks for responding. What you said was not exactly my situation, but it got me poking around and finally I got the configuration working. I find this interesting item when looking at various sssd subcommands; [root@spikerealmd02 ~]# sssctl domain-list amer.dell.com apac.dell.com emea.dell.com

[SSSD-users] Re: Why is my sssd deployment not doing cross-subdomain AD authentication?

2018-07-02 Thread Sumit Bose
On Mon, Jul 02, 2018 at 09:52:17AM -0500, Spike White wrote: > Thanks for prompt reply. > > Yes, user name is strewn throughout sssd_nss.log. Here's the last little > bit: > > (Sun Jul 1 15:21:12 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): > CR #1653: Checking negative cache for

[SSSD-users] Re: Why is my sssd deployment not doing cross-subdomain AD authentication?

2018-07-02 Thread Spike White
Thanks for prompt reply. Yes, user name is strewn throughout sssd_nss.log. Here's the last little bit: (Sun Jul 1 15:21:12 2018) [sssd[nss]] [cache_req_search_ncache] (0x0400): CR #1653: Checking negative cache for [admjesse_c...@japn.dell.com] (Sun Jul 1 15:21:12 2018) [sssd[nss]]

[SSSD-users] Re: Why is my sssd deployment not doing cross-subdomain AD authentication?

2018-07-02 Thread Sumit Bose
On Sun, Jul 01, 2018 at 03:25:26PM -0500, Spike White wrote: > sssd subject matter experts, > > Why is my sssd deployment not doing cross-subdomain AD authentication? > > > > *Background:* > > I have a parent AD domain DELL.COM with trusted subdomains AMER.DELL.COM, > APAC.DELL.COM,