Open manuel-hiller-ebm opened 6 months ago
Hi,
you currently cannot mix group memberships from different domains configured in sssd.conf by design. But as long as those two domains belong to the same forest, i.e. the two domains (not forests) trust each other, a single domain in sssd.conf should be sufficient and SSSD should be able to discover the second domain automatically.
bye, Sumit
Hi, thank you for your reply. Do I have to join the machines to the forest domain to reach the goal or should it also be possible to join them into one of the subdomains?
regards, Manuel
Hi,
it should be sufficient to just join ad1.domain.loc.
bye, Sumit
Hi, could you please provide me an example sssd configuration for that use case? I am not able to achieve this functionality. Thank you!
regards, Manuel
Same problem here. No need to join if you can use a dedicated account:
[sssd]
domains = MAIN
[domain/MAIN]
# %d will be MAIN (from section name) even for trusted domains!
override_homedir = /home/%d/%u
id_provider = ldap
auth_provider = ldap
access_provider = ldap
ldap_group_nesting_level = 5
# 3269 is the Global Catalog over TLS, so one connection covers the whole forest
ldap_uri = ldaps://dc.example.com:3269
# Must include subdomains in ldap_user_search_base (base?scope?filter?base?scope?filter)
ldap_user_search_base = DC=main,DC=example,DC=com???DC=sub,DC=example,DC=com??
ldap_default_bind_dn = CN=appaccount,OU=users,DC=example,DC=com
ldap_default_authtok_type = password
ldap_default_authtok = MyTopsecretPW
ldap_user_object_class = person
ldap_group_object_class = group
ldap_user_fullname = displayName
ldap_schema = ad
ldap_referrals = False
ldap_id_mapping = True
ldap_tls_cacert = /etc/sssd/myroot.crt
enumerate = false
cache_credentials = true
entry_cache_user_timeout = 28800
entry_cache_group_timeout = 86400
ldap_id_use_start_tls = false
debug_level = 3
# LDAP_MATCHING_RULE_IN_CHAIN: matches nested membership of allowedgroup
ldap_access_filter = memberOf:1.2.840.113556.1.4.1941:=CN=allowedgroup,OU=myou,DC=example,DC=com
case_sensitive = Preserving
If you need a different home for users from subdomain(s), I'm going to post a patch soon, since I've had no luck trying to configure a subdomain_homedir for a trusted domain.
For the patch I'm using see https://github.com/SSSD/sssd/issues/7046#issuecomment-2090253619
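The multi-base ldap_user_search_base line in the configuration above is easy to misread. As an added example (not code from the post or from SSSD), here is a small Python parser and builder for the base?scope?filter?base?scope?filter form documented in man sssd-ldap, plus a DN-suffix check that shows why a user under DC=sub,DC=example,DC=com is only found when the second base is present. The user DN and the interpretation of an empty scope field as the subtree default are assumptions for illustration, and the DN handling splits on commas only (escaped commas are not handled).

```python
"""Parse and build SSSD's multi-base ldap_*_search_base values.

Documented form (man sssd-ldap):  base?scope?filter?base?scope?filter ...
An empty scope field is taken as the default (subtree); an empty filter means
no extra filter.  Added example, not SSSD code.  DN handling below splits on
commas only, which is enough for the DC=... bases discussed in this thread.
"""
from dataclasses import dataclass

VALID_SCOPES = ("base", "onelevel", "subtree")
DEFAULT_SCOPE = "subtree"


@dataclass(frozen=True)
class SearchBase:
    base: str
    scope: str = DEFAULT_SCOPE
    filter: str = ""


def parse_search_base(value: str) -> list[SearchBase]:
    """Split an ldap_user_search_base value into (base, scope, filter) triples."""
    fields = [f.strip() for f in value.split("?")]
    if len(fields) == 1:                   # plain "DC=main,DC=example,DC=com"
        fields += ["", ""]
    if len(fields) % 3:                    # every base needs a scope and a filter slot
        raise ValueError(f"unparseable search base: {value!r}")
    result = []
    for i in range(0, len(fields), 3):
        base, scope, flt = fields[i:i + 3]
        if not base:
            raise ValueError(f"empty base DN at position {i // 3}")
        scope = scope.lower() or DEFAULT_SCOPE
        if scope not in VALID_SCOPES:
            raise ValueError(f"unknown scope {scope!r} for base {base!r}")
        result.append(SearchBase(base, scope, flt))
    return result


def build_search_base(entries: list[SearchBase]) -> str:
    """Inverse of parse_search_base; default scope and empty filter stay empty."""
    parts = []
    for e in entries:
        scope = "" if e.scope == DEFAULT_SCOPE else e.scope
        parts.append(f"{e.base}?{scope}?{e.filter}")
    return "?".join(parts)


def _rdns(dn: str) -> list[str]:
    """Lower-cased RDNs, most specific first (no escaped-comma handling)."""
    return [p.strip().lower() for p in dn.split(",")]


def covering_bases(user_dn: str, entries: list[SearchBase]) -> list[str]:
    """Return the bases whose search scope would include user_dn."""
    rdns = _rdns(user_dn)
    hits = []
    for e in entries:
        base = _rdns(e.base)
        if len(base) > len(rdns) or rdns[len(rdns) - len(base):] != base:
            continue                        # user is not under this base at all
        depth = len(rdns) - len(base)       # 0 means the base entry itself
        if e.scope == "subtree":
            ok = True
        elif e.scope == "onelevel":
            ok = depth == 1
        else:                               # scope=base: only the entry itself
            ok = depth == 0
        if ok:
            hits.append(e.base)
    return hits


if __name__ == "__main__":
    posted = "DC=main,DC=example,DC=com???DC=sub,DC=example,DC=com??"
    bases = parse_search_base(posted)
    for b in bases:
        print(b)
    # Constructed DN of a user living in the trusted sub domain.
    sub_user = "CN=bob,OU=users,DC=sub,DC=example,DC=com"
    print("both bases:", covering_bases(sub_user, bases))
    print("main only: ", covering_bases(sub_user, bases[:1]))
```

With only the first base configured, covering_bases returns an empty list for the sub-domain user, which is exactly the lookup failure the comment warns about; with both bases it returns DC=sub,DC=example,DC=com.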
Hello all, I would like to implement a domain configuration for my multi-domain environment. Moreover, I would like to retrieve all groups, and their GIDs, of which the user is a member.
Here an example of my domain structure:
ad1.domain.loc - Linux machines will be joined here; users and global groups are located there
ad2.domain.loc - only users
So my actual problem is that I can't get the GIDs of groups from the domain ad1.domain.loc of which the user from domain ad2.domain.loc is a member.
Here is my /etc/sssd/sssd.conf configuration:
I have already tried the sssd.conf options enumerate and subdomain_enumerate, but these options did not help me. Thank you for your support.
Best regards Manuel