On Wed, Sep 18, 2013 at 11:55:52AM +0000, a t wrote: > > > > > > > Date: Wed, 18 Sep 2013 10:34:03 +0200 > > From: jhro...@redhat.com > > To: sssd-users@lists.fedorahosted.org > > Subject: Re: [SSSD-users] authenticating against all sub-domains in AD > > forest > > > > On Tue, Sep 17, 2013 at 01:50:15PM +0000, a t wrote: > > > > > > > > > > Date: Mon, 16 Sep 2013 15:59:09 +0200 > > > > From: jhro...@redhat.com > > > > To: sssd-users@lists.fedorahosted.org > > > > Subject: Re: [SSSD-users] authenticating against all sub-domains in AD > > > > forest > > > > > > > > On Mon, Sep 16, 2013 at 01:45:17PM +0000, a t wrote: > > > > > > > > > > > > > > > > Date: Mon, 16 Sep 2013 15:22:47 +0200 > > > > > > From: jhro...@redhat.com > > > > > > To: sssd-users@lists.fedorahosted.org > > > > > > Subject: Re: [SSSD-users] authenticating against all sub-domains in > > > > > > AD forest > > > > > > > > > > > > On Mon, Sep 16, 2013 at 01:17:22PM +0000, a t wrote: > > > > > > > Hi, > > > > > > > > > > > > > > I am testing find a standard config for Linux authentication > > > > > > > against Active Directory and I am testing with Centos 6. I have > > > > > > > decided on a SSSD/Kerberos/LDAP configuration as described in > > > > > > > RedHats "Integrating Red Hat Enterprise Linux 6 with Active > > > > > > > Directory" section 6.3. > > > > > > > http://www.redhat.com/rhecm/rest-rhecm/jcr/repository/collaboration/jcr:system/jcr:versionStorage/ae40084d0a052601783f1ea42715cdef/26/jcr:frozenNode/rh:resourceFile > > > > > > > > > > > > > > It works very well but for the one domain in our forest i.e. > > > > > > > b.domain.org. However, users of other domains in the forest can > > > > > > > not be authenticated. This is understandable as I have pointed > > > > > > > all the config files at the child domains DC's, i.e. > > > > > > > dc1.b.domain.org rather than dc1.domain.org. I have been > > > > > > > searching for example configurations which will authenticate any > > > > > > > user in the forest even though the Linux installation is joined > > > > > > > to a different child domain but not found any. > > > > > > > > > > > > > > Scenario I would like to implement; > > > > > > > > > > > > > > Linux installation hostname = lin1lin1 joined to domain > > > > > > > b.domain.orgusers from b.domain.org can login to > > > > > > > lin1.b.doamin.orgusers from all child domains of domain.org can > > > > > > > log into lin1.b.domain.org. for example a.domain.org, > > > > > > > c.domain.org or z.domain.org > > > > > > > > > > > > > > I have attached my current config files as a reference. They work > > > > > > > for a single domain rather than the whole forest. I suppose I am > > > > > > > stuck whether to add each AD child domain as separate domains in > > > > > > > SSSD and REALMS in kerberos or if I can get it to see the whole > > > > > > > forest. > > > > > > > > > > > > > > > > > > > > > Thanks for any help / pointers, > > > > > > > > > > > > > > > > > > > > > Matthew > > > > > > > > > > > > > > > > > > > > > > > > > > Hi Matthew, > > > > > > > > > > > > this feature is only supported starting with 1.10 upstream.. > > > > > > > > > > > > Even on RHEL-6 I would recommend trying out the AD provider, not the > > > > > > AD/Kerberos provider combo. > > > > > > _______________________________________________ > > > > > > sssd-users mailing list > > > > > > sssd-users@lists.fedorahosted.org > > > > > > https://lists.fedorahosted.org/mailman/listinfo/sssd-users > > > > > > > > > > Thank you very much for the speedy reply. I'll take another look at > > > > > the AD provider and keep an eye on future sssd versions. > > > > > > > > > > > > > If you're mostly interested in testing, we build our nighlies even for > > > > RHEL6: > > > > http://jdennis.fedorapeople.org/ipa-devel/ipa-devel-rhel.repo > > > > > > > > But tread lightly, it's really a development snapshot :) > > > > _______________________________________________ > > > > sssd-users mailing list > > > > sssd-users@lists.fedorahosted.org > > > > https://lists.fedorahosted.org/mailman/listinfo/sssd-users > > > > > > Hi Jakub, > > > > > > I installed sssd.x86_64 1.11.1-0.20130912T1711Zgit10bc88a.el6 from the > > > repo you mentioned above. I installed on the same machine using the same > > > config files. All works as expected with no issues I can see. > > > > > > I am going to try to setup sssd with AD provider on a clean VM. 2 > > > questions; > > > 1) I want a certain amount of SSO - mounting a windows share with > > > no manual authentication based on windows permissions. According to > > > http://www.freeipa.org/images/d/dd/Freeipa30_sssd-ad-provider.pdf this is > > > not > > > available until 1.10. > > > > Ah, I see you're referring to slide #11. I think the answer depends on > > what your requirements are. > > > > Login with SSSD gives you a TGT. If there is a client side > > infrastructure to mount a windows share based on Kerberos > > authentication, everything should just work. I think that's what you're > > referring to as SSO? > > > > But currently cifs-utils still require winbind for some tasks like modifying > > ACLs. Integrating with cifs-utils in order to avoid the winbind dependency > > completely is on the roadmap for 1.12 currently (the slides are about a > > year old and we shuffled the priorities a bit) > > > > See: > > https://fedorahosted.org/sssd/wiki/DesignDocs/IntegrateSSSDWithCIFSClient > > > > > I see there is a stable 1.11 in a repo or would I need > > > to build from source? I am happy to use the nightly build repo for now and > > > testing but if I roll it out I would obviously want to use a stable > > > version. > > > > Currently I'm not aware of a plan to rebase to a newer version in > > RHEL-6. I would say that backporting individual bugfixes or features is > > more likely. > > > > > 2) Are the example configs in > > > http://www.freeipa.org/images/d/dd/Freeipa30_sssd-ad-provider.pdf still > > > valid in 1.10+ for an AD provider set-up? > > > > Yes they are. You might also want to take a look at adcli from EPEL. > > (and realmd on Fedora and RHEL-7). These make configuring AD client > > really simple and user friendly. > > _______________________________________________ > > sssd-users mailing list > > sssd-users@lists.fedorahosted.org > > https://lists.fedorahosted.org/mailman/listinfo/sssd-users > > Hi , > > Thansk. I have the new VM setup with the ad_provider. Much simpler config! > > The authentication for users on the local domain that the installation is > joined to works great. However I am in the same situation with other trusted > domains in the forest not being able to authenticate. Our domain structure is > one parent domain which have a number of sub-domains. Those sub-domains do > not have any sub-domains themselves. All users are in the subdomains. The > parent domain only has the odd Admin and service user. > > <image of domain structure> > > the installation lin1 is joined to b.domain.org. Users from b.domain.org can > login. Users from a.domain.org, c.domain.org or x.domain.org cannot login. I > have tried adding domains to sssd.conf and realms to krb5.conf but cannot get > it to authenticate users from other child domains. > > krb5.conf, sssd.conf and smb.conf attached. Slao attached a portion of the > sssd domain log that occurs when trying an # id c\\user.name.
Can you try without "enumerate=true" in the config? I think you might be hitting a known limitation (patches in progress..) _______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
