I joined my CentOS box to a Windows Active Directory domain with
realm join --user=DomUser dom2.local
without any problems. The domain has a one-way trust relationship to Dom1.
Our Windows users can:
- Log in with Dom1/User to Dom1/Host
- Log in with Dom1/User to Dom2/Host
- Log in with Dom2/User to Dom2/Host
On our Linux boxes (in Dom2), only Dom2 users can log in. I found some evidence online that sssd can be configured with two domains, so I added a block to the sssd config:
# cat /etc/sssd/sssd.conf
[sssd]
domains = dom1.local, dom2.local
config_file_version = 2
services = nss, pam
# block added by hand for the trusted domain Dom1
[domain/dom1.local]
ad_domain = dom1.local
krb5_realm = DOM1.LOCAL
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
enumerate = True
# block written by realm join for the joined domain Dom2
[domain/dom2.local]
ad_domain = dom2.local
krb5_realm = DOM2.LOCAL
realmd_tags = manages-system joined-with-samba
#cache_credentials = True
cache_credentials = False
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
enumerate = True
Now if I try to log in with a Dom2 user I get the following:
pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=host.dom1.local user=user@dom2.local
pam_sss(sshd:auth): received for user user@dom2.local: 6 (Permission denied)
Failed password for user@dom2.local from 10.10.0.10 port 34442 ssh2
Has someone successfully configured two AD domains with sssd? Or any idea how to do that?
Edit 1:
With getent passwd I can see all users from both domains, and both
id user1@dom1.local
id user2@dom2.local
work as well.
Best Answer
OK, this is an old thread but I think it will be useful for some of us.
If you want to use sssd with more than one domain, you have to do this:
From https://access.redhat.com/solutions/4035171:
After the realm join command, add a second domain from a different forest to the [domain_realm] section of /etc/krb5.conf:
And then join the domain dom1.local:
Change sssd.conf as follows:
and restart sssd:
systemctl restart sssd
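The answer above names the three files to touch but the page does not reproduce their contents. As an added illustration (not taken from the answer, the Red Hat article, or the original poster's system), this is the shape those two files usually take when sssd talks to two separate forests. Everything here is an assumption built from the domain names used in the question: the keytab path /etc/krb5.keytab.dom1 is invented for the example, and the adcli command in the comment is one way to produce such a keytab, not the step the answer had in mind.

```ini
# /etc/krb5.conf -- only the [domain_realm] mapping is shown.
# The dom2.local lines come from the first realm join; the dom1.local
# lines are the manual addition for the second forest. (Added example.)
[domain_realm]
 .dom2.local = DOM2.LOCAL
 dom2.local = DOM2.LOCAL
 .dom1.local = DOM1.LOCAL
 dom1.local = DOM1.LOCAL

# /etc/sssd/sssd.conf -- one [domain/...] block per forest. (Added example.)
[sssd]
domains = dom2.local, dom1.local
config_file_version = 2
services = nss, pam

[domain/dom2.local]
# Joined with "realm join ... dom2.local"; its host keys are in the
# default keytab /etc/krb5.keytab, so krb5_keytab is not needed here.
id_provider = ad
access_provider = ad
ad_domain = dom2.local
krb5_realm = DOM2.LOCAL
ldap_id_mapping = True
cache_credentials = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash

[domain/dom1.local]
# Second forest: the host needs a separate computer account there and
# therefore a separate keytab. The path is an assumption for this example
# and must match what the second join wrote, e.g.
#   adcli join --domain dom1.local --host-keytab /etc/krb5.keytab.dom1
id_provider = ad
access_provider = ad
ad_domain = dom1.local
krb5_realm = DOM1.LOCAL
krb5_keytab = /etc/krb5.keytab.dom1
ldap_id_mapping = True
cache_credentials = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
```

Two checks worth doing before blaming sssd: `klist -k /etc/krb5.keytab.dom1` should list HOST$ principals in DOM1.LOCAL, and after the restart `sssctl domain-status dom1.local` should report the domain as online. If lookups succeed (as in the poster's Edit 1, where `getent passwd` and `id` work for both domains) but pam_sss still returns 6 (Permission denied), raise `debug_level` in the affected [domain/...] block and read /var/log/sssd/sssd_<domain>.log and krb5_child.log, which show whether the failure is Kerberos (keytab/realm) or the `access_provider = ad` check. Note also that both blocks in the question set `enumerate = True`; sssd.conf(5) documents that enumeration has a performance impact, and it is not required for `id user@domain` or for logins, so leaving it off is the safer default against large AD domains.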