Hi,
we are looking for a detailed configuration example to join an AD forest
with working Kerberos authentication.
Our AD infrastructure consists of a single forest with multiple
(sub-)domains in two-way trust. No FreeIPA, just Windows 2012 AD servers
and SSSD clients using version 1.11 and 1.15 on Debian.
We can successfully join with sssd-ad using the "net ads join" command
and users from the same domain can authenticate using a Kerberos ticket
or password. Also mounting CIFS shares via pam-mount works fine in the
same domain.
Unfortunately, users from other domains can't use their Kerberos ticket,
only password works. These users are specifying their domain on login.
Surprisingly, once logged in after authenticating with a password,
foreign-domain users are able to issue a Kerberos ticket with kinit if
they specify username@FQDN (with capital letters). Also looking up group
membership of users from another domain works fine, so presumably the
LDAP part is working correctly.
This is our current config, are we missing something in order to get
Kerberos cross-domain authentication working?
$ cat /etc/sssd/sssd.conf
[sssd]
domains = sub1.example.com
services = nss, pam, pac
config_file_version = 2
[nss]
filter_groups = root
filter_users = root
[pam]
[domain/sub1.example.com]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
cache_credentials = true
ldap_referrals = false
ldap_force_upper_case_realm = true
ad_gpo_access_control = disabled
override_homedir = /home/%u
default_shell = /bin/bash
Thanks and kind regards,
Bastian
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
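Added example, not part of the post above and not SSSD project code: a small Python audit that parses the sssd.conf as posted (embedded here as a constructed string), reports which of the trust-related options documented in sssd.conf(5) and sssd-ad(5) are set or absent in the domain section, and canonicalizes the login forms the post mentions into Kerberos principals. It only reports the state of the file; the thread does not establish which option, if any, is the cause of the cross-domain failure, so the script makes no such claim. The NetBIOS-to-realm mapping passed to to_principal() is an assumption supplied by the caller, and Python's configparser is used as an approximation of SSSD's own INI parser (adequate for a file of this shape).

```python
"""Audit an sssd.conf for AD-trust-related options and canonicalize
login names into Kerberos principals.

Added example for the sssd-users thread; not SSSD code.
"""
import configparser

# Constructed copy of the sssd.conf from the post, embedded so the
# script runs without touching /etc/sssd/sssd.conf.
SAMPLE_SSSD_CONF = """
[sssd]
domains = sub1.example.com
services = nss, pam, pac
config_file_version = 2
[nss]
filter_groups = root
filter_users = root
[pam]
[domain/sub1.example.com]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
cache_credentials = true
ldap_referrals = false
ldap_force_upper_case_realm = true
ad_gpo_access_control = disabled
override_homedir = /home/%u
default_shell = /bin/bash
"""

# Options that sssd.conf(5) / sssd-ad(5) document as relevant to domains
# reached through an AD trust. Presence is reported, not judged.
TRUST_OPTIONS = (
    "subdomains_provider",
    "ad_enabled_domains",
    "use_fully_qualified_names",
    "subdomain_inherit",
    "krb5_use_enterprise_principal",
    "ldap_force_upper_case_realm",
)


def parse_sssd_conf(text):
    """Parse sssd.conf text. interpolation=None keeps '%u' in
    override_homedir from being treated as a configparser template."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def configured_domains(cp):
    """Domains listed in [sssd] domains = ... (comma separated)."""
    raw = cp.get("sssd", "domains", fallback="")
    return [d.strip() for d in raw.split(",") if d.strip()]


def audit_domain(cp, domain):
    """Map each trust-related option to its value, or None if unset."""
    section = "domain/%s" % domain
    if section not in cp:
        raise KeyError("no [%s] section in sssd.conf" % section)
    sec = cp[section]
    return {opt: sec.get(opt) for opt in TRUST_OPTIONS}


def missing_trust_options(cp, domain):
    """Trust-related options that the domain section does not set."""
    report = audit_domain(cp, domain)
    return [opt for opt in TRUST_OPTIONS if report[opt] is None]


def to_principal(login, netbios_to_realm=None, default_realm=None):
    """Turn a login as typed at the prompt into user@REALM.

    Accepts user@domain, DOMAIN\\user and bare user. The realm is
    uppercased because Kerberos realms are case-sensitive and an AD
    realm is the uppercased DNS domain name, which matches the post's
    observation that kinit only works with the realm in capitals.
    netbios_to_realm is an assumed, caller-supplied mapping.
    """
    netbios_to_realm = netbios_to_realm or {}
    if "\\" in login:
        nb, user = login.split("\\", 1)
        realm = netbios_to_realm.get(nb.upper())
        if realm is None:
            raise ValueError("unknown NetBIOS domain %r" % nb)
        return "%s@%s" % (user, realm.upper())
    if "@" in login:
        user, dom = login.rsplit("@", 1)
        return "%s@%s" % (user, dom.upper())
    if default_realm is None:
        raise ValueError("bare user %r needs a default realm" % login)
    return "%s@%s" % (login, default_realm.upper())


if __name__ == "__main__":
    conf = parse_sssd_conf(SAMPLE_SSSD_CONF)
    for dom in configured_domains(conf):
        print("domain:", dom)
        for opt, val in audit_domain(conf, dom).items():
            print("  %-32s %s" % (opt, "unset" if val is None else val))
    print(to_principal("bob@sub2.example.com"))
```

Run it as is to see the report for the posted file; point parse_sssd_conf() at the contents of a real /etc/sssd/sssd.conf to audit a live host (the file is root-readable only, so run it with matching privileges).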