Hi, I am trying to set up authentication against Active Directory, with multiple domains, and I haven't been able to find the recommended way to do it (it is very possible I missed it...), so I am looking for explanation and advice.
With a master domain example.com and subdomains sub1.example.com, sub2.example.com, etc., how would you set up sssd (and the Linux system) to authenticate the users from all the domains? To give the example, my user is AD admin across all the forests ([email protected]), and I want to authenticate on all the servers, smtp.example.com or proxy.sub1.example.com, etc. I also want, on some computers, to authenticate customers' accounts ([email protected]).

For now, I have 2 different setups:

- on computers from example.com:

    [sssd]
    config_file_version = 2
    debug_level = 0
    domains = example.com
    services = nss, pam

    [domain/example.com]
    enumerate = true
    dns_discovery_domain = cy2._sites.example.com
    debug_level = 8
    id_provider = ad
    access_provider = ad
    ldap_id_mapping = false
    #dyndns_update = false

- on computers from sub1.example.com:

    [sssd]
    config_file_version = 2
    debug_level = 0
    domains = sub1.example.com,example.com
    services = nss, pam

    [domain/example.com]
    enumerate = true
    dns_discovery_domain = cy2._sites.example.com
    debug_level = 9
    id_provider = ad
    access_provider = ad
    ldap_id_mapping = false

    [domain/sub1.example.com]
    enumerate = true
    dns_discovery_domain = cy2._sites.sub1.example.com
    debug_level = 7
    id_provider = ad
    access_provider = ad
    ldap_id_mapping = false

I join computers to example.com or to sub1.example.com:

    adcli join example.com -U [email protected]

or

    adcli join sub1.example.com -U [email protected]

as I would do with an ordinary Windows workstation. And for AD, I use the POSIX attributes (and that may be the way...), so if a UID or GID exists in both domains, I happen to find wrong group names, etc.

I hope my questions are clear enough! :-)

What am I doing wrong? What are the recommended settings for that situation?

Thanks,
Jeremy
_______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected]
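For comparison with the two configurations in the post, here is an added example (not the poster's file and not an sssd project sample) of the single-section layout in which sssd's AD provider discovers the forest's child domains itself and derives UIDs/GIDs from object SIDs instead of trusting the POSIX attributes. It assumes the host was joined to example.com with adcli as in the post; the domain names are the post's, and whether this layout fits a given forest (trust setup, existing file ownership) is an assumption to verify.

```ini
# Added example, not from the original post: one sssd.conf for a host joined
# to example.com. The ad provider enumerates the trusted child domains
# (sub1.example.com, sub2.example.com, ...) on its own, so they get no
# [domain/...] section of their own.
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = ad
ad_domain = example.com

# Collision-safe identities: map each object SID to a UID/GID range of its
# own domain, so the same uidNumber in two domains can never yield the same
# local id or the wrong group name. (The post used ldap_id_mapping = false,
# i.e. trust the uidNumber/gidNumber attributes as stored in AD.)
ldap_id_mapping = true

# Always qualify names (user@example.com, user@sub1.example.com) so a short
# name that exists in several domains is not resolved to the wrong account.
use_fully_qualified_names = true

# Enumeration of a whole forest is expensive and is not needed for login.
enumerate = false

# Let sssd discover the child domains; "none" would restrict the host to
# example.com only.
subdomains_provider = ad

# Optional: list only the domains this host may authenticate against,
# e.g. a customer-facing box that must not see sub2.example.com.
# ad_enabled_domains = example.com, sub1.example.com
```

Switching ldap_id_mapping from false to true changes every AD user's UID and GID on the host, so existing file ownership has to be remapped before the change goes live; keeping the POSIX attributes is only safe when uidNumber and gidNumber are unique across the whole forest.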
