On Thu, May 05, 2016 at 03:11:41PM +0200, Johan Postema wrote:
>
> Hi,
>
> Using SSSD 1.14.2 on RHEL6, users from a domain other than the joined domain
> are only resolved when specifying the domain. As an example:
>
> Joined domain "northamerica": the user uniq_user_A@northamerica can be
> resolved using: getent passwd uniq_user_A
> But uniq_user_B in domain "europe" can ONLY be resolved using: getent passwd
> europe\\unique_user_B
> Where I would expect that getent passwd uniq_user_B would also work
> (see my configuration file attached below).
>
> Diving into the sssd log files, it seems that when specifying just
> "uniq_user_B", the DCs are contacted for the europe domain; which it
> can't access since it's not in the kerberos keytab.

What is the relationship between the domains? Are they from the same forest?

> When specifying
> europe\\uniq_user_B, SSSD seems to contact the DCs for the northamerica
> domain instead; the domain it's joined to and that's also in the kerberos
> keytab.
>
> To solve this issue I added the europe DCs also to the keytab by changing
> the domain/realm in the smb.conf and krb5.conf to europe and re-ran the
> net ads join command. Once they are added, and thus also listed by klist -k,
> I can now resolve users in both domains without specifying their domain.
> Like: getent passwd uniq_user_B
>
> I wonder if this is the normal behaviour, because if the server is joined to
> the northamerica domain, and getent passwd europe\\uniq_user_B works, I
> would expect that it would be possible to run getent passwd uniq_user_B also
> without having to add extra domains to the keytab.
>
> The sssd.conf I used:
>
> [sssd]
> services = nss, pam
> config_file_version = 2
> debug_level = 7
> domains = northamerica.example.net,europe.example.net
> default_shell = /bin/bash
>
> [nss]
> debug_level = 7
> default_shell = /bin/bash
> filter_users = root
> filter_groups = root
> reconnection_retries = 3
> entry_cache_timeout = 300
> entry_cache_nowait_percentage = 75
> override_shell = /bin/bash
>
> [pam]
> debug_level = 7
>
> [domain/northamerica.example.net]
> id_provider = ad
> subdomains_provider = none
> ad_domain = northamerica.example.net
> krb5_realm = NORTHAMERICA.EXAMPLE.NET
> use_fully_qualified_names = False
> debug_level = 7
> auth_provider = ad
> chpass_provider = ad
> access_provider = ad
> cache_credentials = true
> ldap_idmap_range_size = 2000000
> ldap_idmap_default_domain_sid = S-1-5-21-1757981266-299502267-1801674531
> ldap_idmap_default_domain = northamerica.example.net
>
> [domain/europe.example.net]
> id_provider = ad
> subdomains_provider = none
> ad_domain = europe.example.net
> krb5_realm = EUROPE.EXAMPLE.NET
> use_fully_qualified_names = False
> debug_level = 7
> auth_provider = ad
> chpass_provider = ad
> access_provider = ad
> cache_credentials = true
> ldap_idmap_range_size = 2000000
> ldap_idmap_default_domain_sid = S-1-5-21-507921405-813497703-1202660629
> ldap_idmap_default_domain = europe.example.net
>
> The krb5.conf
>
> [logging]
> default = FILE:/var/log/krb5libs.log
> kdc = FILE:/var/log/krb5kdc.log
> admin_server = FILE:/var/log/kadmind.log
>
> [libdefaults]
> default_realm = NORTHAMERICA.EXAMPLE.NET
> dns_lookup_realm = true
> dns_lookup_kdc = true
> ticket_lifetime = 24h
> renew_lifetime = 7d
> forwardable = true
>
>
>
> Johan Postema.
> _______________________________________________
> sssd-users mailing list
> [email protected]
> https://lists.fedorahosted.org/admin/lists/[email protected]
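A diagnostic check for the situation Johan describes, added here as an example and not code from the thread or from the SSSD project: it parses an sssd.conf for AD-backed domains and compares each domain's krb5_realm against the realms present in `klist -k` output, flagging any domain the host holds no keytab principal for. The sssd.conf and keytab listing below are constructed samples modelled on the thread's configuration, not the poster's actual files.

```python
import configparser
import re

# Constructed samples modelled on the thread: two AD domains configured,
# but the keytab only holds principals for the joined NORTHAMERICA realm.
SSSD_CONF = """\
[sssd]
domains = northamerica.example.net,europe.example.net

[domain/northamerica.example.net]
id_provider = ad
krb5_realm = NORTHAMERICA.EXAMPLE.NET
subdomains_provider = none

[domain/europe.example.net]
id_provider = ad
krb5_realm = EUROPE.EXAMPLE.NET
subdomains_provider = none
"""

KLIST_K = """\
Keytab name: FILE:/etc/krb5.keytab
   2 host/client.northamerica.example.net@NORTHAMERICA.EXAMPLE.NET
   2 CLIENT$@NORTHAMERICA.EXAMPLE.NET
"""

def keytab_realms(klist_output):
    """Collect the realm (text after '@') of every principal listed by klist -k."""
    return {m.group(1) for m in re.finditer(r"@([A-Z0-9.\-]+)\s*$", klist_output, re.M)}

def domains_missing_keytab(sssd_conf, klist_output):
    """Return (domain, realm) pairs for AD domains in sssd.conf whose realm has
    no keytab principal. Such a domain cannot be queried with the host's
    own credentials, so lookups routed to it fail as in the thread."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(sssd_conf)
    present = keytab_realms(klist_output)
    missing = []
    for section in cfg.sections():
        if not section.startswith("domain/") or cfg.get(section, "id_provider", fallback="") != "ad":
            continue
        name = section[len("domain/"):]
        # SSSD's AD provider defaults krb5_realm to the upper-cased domain name.
        realm = cfg.get(section, "krb5_realm", fallback=name.upper())
        if realm not in present:
            missing.append((name, realm))
    return missing

if __name__ == "__main__":
    for dom, realm in domains_missing_keytab(SSSD_CONF, KLIST_K):
        print(f"{dom}: no principal for realm {realm} in keytab")
```

Run against the real files with `sssd_conf=open('/etc/sssd/sssd.conf').read()` and the output of `klist -k` to see which configured domains the joined host cannot authenticate to.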
