On Fri, Feb 17, 2017 at 09:23:14PM -0000, [email protected] wrote:
> I haven't been able to find much useful information on how sssd (if at all) 
> handles child domains in Active Directory.
> 
> If you join an AD domain, presumably you can authenticate any users in
> the child domains, but what happens when you do "getent"? Do you expect to
> see users of the child domain reflected in the getent (since you are joined
> to the parent)?  Do you expect to always be able to look up users' SIDs and
> UIDs from the children of the domains you joined?  What about the parents?

Yes, at least direct child domains in the same forest should be visible
and we (our RH QE team) test this for every release.

But:
    1) just "getent passwd" (enumerating all users) doesn't work by
    default. Directly resolving a user (getent passwd username@domain)
    should.
    2) the names in the subdomains need to be fully qualified
    3) not all 'topologies' are supported with SSSD because SSSD at the
    moment (unlike winbind) only uses LDAP calls to discover the
    domains. See for example:
        https://fedorahosted.org/sssd/ticket/2763
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
