On Sun, Jul 01, 2018 at 03:25:26PM -0500, Spike White wrote:
> sssd subject matter experts,
>
> Why is my sssd deployment not doing cross-subdomain AD authentication?
>
> *Background:*
>
> I have a parent AD domain DELL.COM with trusted subdomains AMER.DELL.COM,
> APAC.DELL.COM, EMEA.DELL.COM and JAPN.DELL.COM. Each subdomain has a
> transitive trust with DELL.COM.
>
> So all subdomains trust each other.
>
> I set up a first test VM deployment using sssd. I set up the cross
> subdomain auth as in:
>
> https://lists.fedorahosted.org/pipermail/sssd-users/2015-February/002648.html
>
> It worked great – allowed cross subdomain authentication. The only thing
> it would not do was use tokengroups. That is, the VM was fully functional,
> but I had to add ‘ldap_use_tokengroups = false’ to the sssd.conf file.
>
> My AD experts have advised me that ‘tokengroups’ are an important AD
> optimization and I should use them, if at all possible.
>
> Using ldapsearch, I was able to verify that the machine account didn’t have the
> necessary privileges to query a user’s tokengroups. Thus, the fault was
> mine – that this first sssd deployment couldn’t use tokengroups.
>
> So I did another sssd deployment, using another test VM. Apparently, I did
> the realm join command correctly this time, as it’s able to use tokengroups.
>
> BUT! This second test VM is not allowing cross subdomain authentication
> and login. How do I fix this so that I have use of both tokengroups and
> cross subdomain authentication?
>
...
>
> If I do the same query on the bad VM (spikerealmd02):
>
> [root@spikerealmd02 sssd]# id admjesse_chan
> id: admjesse_chan: no such user

How do you know that tokengroups are working if the request fails and the
lookup is not recorded in the logs?

>
> and I see nothing in the sssd_apac.dell.com.log file:
>
> [root@spikerealmd02 sssd]# grep -i admjesse_chan sssd_apac.dell.com.log
> [root@spikerealmd02 sssd]#

Do you see the user name in sssd_nss.log? If not, is 'sss' listed in the
passwd line of /etc/nsswitch.conf?

bye,
Sumit

>
> Please help,
>
> Spike
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/[email protected]/message/HHNJ6AMXTSKF4UW3PLS6Y5MY5ADF6VCV/

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/BASM657T2U6AVKBKVBQVJQQ7PNVU7UC7/
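The two checks Sumit asks for above, scripted as an added example (not code from the thread or from the sssd project): first confirm that the passwd line of nsswitch.conf actually routes lookups to sssd, then confirm that the user name reaches sssd_nss.log before looking in the per-domain log. The file names, the sample nsswitch.conf variants and the log line are constructed for the demo.

```shell
# Added diagnostic helper; not code from the thread or the sssd project.
# Order matters: if 'sss' is missing from the passwd line, NSS never asks
# sssd, so an empty sssd_<domain>.log proves nothing about tokengroups.

# nsswitch_has_sss FILE: exit 0 if the active passwd line lists the sss service.
nsswitch_has_sss() {
    awk '
        /^[[:space:]]*#/ { next }                     # skip comment lines
        /^[[:space:]]*passwd:/ {
            sub(/^[[:space:]]*passwd:/, "")           # drop the "passwd:" key
            n = split($0, svc, /[[:space:]]+/)        # services and [ACTION] tokens
            for (i = 1; i <= n; i++) if (svc[i] == "sss") found = 1
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# user_seen_in_log USER LOGFILE: exit 0 if USER appears (case-insensitive,
# like the grep used in the thread).
user_seen_in_log() {
    grep -qi -- "$1" "$2"
}

# diagnose USER NSSWITCH_FILE NSS_LOG
# exit 0: request reached sssd_nss, look in the domain log next
# exit 2: NSS never consults sssd; exit 3: name never reached sssd_nss
diagnose() {
    if ! nsswitch_has_sss "$2"; then
        echo "passwd line in $2 does not list sss: NSS never asks sssd"
        return 2
    fi
    if ! user_seen_in_log "$1" "$3"; then
        echo "$1 absent from $3: lookup never reached sssd_nss"
        return 3
    fi
    echo "$1 reached sssd_nss; check the sssd_<domain>.log next"
}

# make_samples DIR: write constructed nsswitch.conf variants and a fake
# sssd_nss.log line so the checks can be exercised offline.
make_samples() {
    printf '# constructed sample\npasswd:     files sss\ngroup:      files sss\n' >"$1/nsswitch.good"
    printf 'passwd:     files\ngroup:      files\n' >"$1/nsswitch.bad"
    printf '(constructed) [sssd[nss]] getpwnam request for [admjesse_chan]\n' >"$1/sssd_nss.log"
}
```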
