btw this was also filed as a ticket, so I replied there.
> On 15 Sep 2017, at 18:25, Jeff Silverman <[email protected]> wrote:
>
> Hi! Please help. Everything I've read has stated that this should work, but
> it does not. On Ubuntu, that is. I set up a CentOS 7 box and this *did* work.
> I've tried this on
>
> * Ubuntu 14.04 with sssd 1.11.8 (from the default Ubuntu 14.04 repos) --
> didn't work
> * Ubuntu 14.04 with sssd 1.13.4 (from a PPA) -- also didn't work
> * CentOS 7 with sssd 1.14.0 -- This worked!
> * Ubuntu 16.04 with sssd 1.13.4 -- this did not work
>
> *Description*
>
> I have two Active Directory domains in the same forest.
> * Domain "CORP"
> * Domain "QA"
>
> I have 2-way trusts set up between the domains.
>
> "Real users" are all in CORP.
>
> Authorization into QA is handled with AD Universal Groups, but I don't think
> that's relevant here (especially since what I want to work does work on
> CentOS 7+sssd).
>
> I have an Ubuntu 14.04 box set up which I joined to domain "QA" via realmd.
> Here's the actual command I used:
>
> realm join \
>   --install=/ \
>   --verbose \
>   [email protected] \
>   --client-software=sssd \
>   --membership-software=adcli \
>   --computer-ou="OU=Linux,OU=Servers,DC=qa,DC=example,DC=com" \
>   QA.EXAMPLE.COM
>
>
> Running this command, realmd
> * creates a Kerberos keytab
> * sets up sssd.conf
> * adds the computer to the OU specified in QA.EXAMPLE.COM
>
> I then went in and added another domain to sssd.conf to configure CORP.
> When done, I have the following config files:
>
> ** File /etc/sssd.conf **:
>
> [sssd]
> domains = qa.example.com
> config_file_version = 2
> services = nss, pam
>
> [domain/qa.example.com]
> ad_domain = qa.example.com
> krb5_realm = QA.EXAMPLE.COM
> realmd_tags = manages-system joined-with-adcli
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = False
> fallback_homedir = /srv/home/%u
> access_provider = ad
> enumerate = True
>
> [domain/corp.example.com]
> ad_domain = corp.example.com
> krb5_realm = CORP.EXAMPLE.COM
> realmd_tags = manages-system joined-with-adcli
> cache_credentials = True
> id_provider = ad
> krb5_store_password_if_offline = True
> default_shell = /bin/bash
> ldap_id_mapping = True
> use_fully_qualified_names = False
> fallback_homedir = /srv/home/%u
> access_provider = ad
> enumerate = True
>
>
> ** File /etc/krb5.conf **:
>
> [libdefaults]
> default_realm = QA.EXAMPLE.COM
>
> [realms]
> QA.EXAMPLE.COM = {
>   kdc = qadc01a.example.com
>   kdc = qadc01b.example.com
>   admin_server = qadc01a.example.com
> }
> CORP.EXAMPLE.COM = {
>   kdc = corpdc01a.it.example.com
>   kdc = corpdc01b.it.example.com
>   admin_server = corpdc01a.it.example.com
> }
>
>
> [domain_realm]
> .qa.example.com = QA.EXAMPLE.COM
> qa.example.com = QA.EXAMPLE.COM
> .corp.example.com = CORP.EXAMPLE.COM
> corp.example.com = CORP.EXAMPLE.COM
>
> ** File /etc/realmd.conf **:
> [service]
> automatic-install = no
>
> [users]
> default-home = /srv/home/%U
> default-shell = /bin/bash
>
> [qa.example.com]
> computer-ou = OU=Servers,OU=Linux,DC=qa,DC=example,DC=com
> automatic-id-mapping = yes
> fully-qualified-names = no
>
> [corp.example.com]
> automatic-id-mapping = yes
> fully-qualified-names = no
>
> Finally, when I do all this on CentOS 7, I am able to find users in both
> domains, and I'm able to authenticate as those users from both domains.
> Example, *on CentOS 7*:
>
> # getent passwd [email protected]
> [email protected]:*:363201124:363201124:Jeff Silverman:/srv/home/jsilverman:/bin/bash
> # getent passwd qatestadmin
> qatestadmin:*:277401105:277400513:QA Test Admin:/srv/home/qatestadmin:/bin/bash
> # getent passwd [email protected]
> qatestadmin:*:277401105:277400513:QA Test Admin:/srv/home/qatestadmin:/bin/bash
>
>
> HOWEVER, when I do all this on Ubuntu 14.04, OR on Ubuntu 16.04, I can only
> see users from the QA domain.
>
> # getent passwd [email protected] ## (Note: there is no output
> from this command)
> # getent passwd qatestadmin
> qatestadmin:*:277401105:277400513:QA Test Admin:/srv/home/qatestadmin:/bin/bash
> # getent passwd [email protected]
> qatestadmin:*:277401105:277400513:QA Test Admin:/srv/home/qatestadmin:/bin/bash
>
>
> Please advise!
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
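A consistency check worth running against any multi-domain sssd.conf like the one quoted above, added here as an example and not code from the thread or the sssd project: sssd only starts a backend for the domains named in `[sssd] domains =`, so a `[domain/...]` section that is not listed there is parsed but never activated. The sample config below is a constructed reduction of the posted one.

```python
"""Report [domain/<name>] sections that are defined in an sssd.conf but not
enabled via [sssd] domains=, and domains enabled without a matching section.
Added example; the sample config is constructed from the thread's posted one."""
import configparser

# Constructed sample: two domain sections, only one of them listed in domains=
SAMPLE_SSSD_CONF = """\
[sssd]
domains = qa.example.com
config_file_version = 2
services = nss, pam

[domain/qa.example.com]
ad_domain = qa.example.com
id_provider = ad
fallback_homedir = /srv/home/%u

[domain/corp.example.com]
ad_domain = corp.example.com
id_provider = ad
fallback_homedir = /srv/home/%u
"""


def parse_sssd_conf(text):
    # interpolation=None: sssd values such as /srv/home/%u contain a bare '%'
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def domain_check(text):
    """Return (enabled, defined, inactive, missing) domain-name lists."""
    cp = parse_sssd_conf(text)
    raw = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]
    prefix = "domain/"
    defined = [s[len(prefix):] for s in cp.sections() if s.startswith(prefix)]
    inactive = [d for d in defined if d not in enabled]   # section, not enabled
    missing = [d for d in enabled if d not in defined]    # enabled, no section
    return enabled, defined, inactive, missing


if __name__ == "__main__":
    enabled, defined, inactive, missing = domain_check(SAMPLE_SSSD_CONF)
    for d in inactive:
        print(f"[domain/{d}] is defined but absent from [sssd] domains=; sssd will not start it")
    for d in missing:
        print(f"domains= lists {d!r} but there is no [domain/{d}] section")
```

Point the same check at a real /etc/sssd/sssd.conf by reading the file into `domain_check` instead of the constructed sample.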
