Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.


[Discuss] AD/LDAP authentication

On Wed, Dec 13, 2017, at 3:20 PM, Richard Pieri wrote:
> On a completely different topic from document conversion...
> My employer has two Active Directory domains. I need to set up some
> Linux servers (RHEL, SUSE and Ubuntu) to use both domains for user
> authentication. Users get accounts on one or the other, never both. This
> is a mandate from Legal so the easy answer is off the table.
> SSSD and Winbind work for binding to one domain or the other but I can't
> bind to both at the same time (Red Hat promised this in RHEL 7 but have
> yet to deliver). So I figure I can use AD for one domain and LDAP bind
> authentication for the other, or LDAP binds to each domain, but I can't
> get either working.

Looks like Red Hat has a workaround that consists of joining the first domain using the realmd tool, then joining the second domain using samba's 'net ads join' tool and copying the appropriate info into sssd.conf.  I haven't tried it, but the workaround is listed here: (you need a Red Hat account to see it, which you can get for free with the RHEL Developer program: )

I've pasted the key bits below.

There is a longstanding sssd bug for this capability:

Hope that helps!

James Cassell

Joining SSSD to domains in different forests
Solution In Progress - Updated October 17 2016 at 4:15 PM - English

    Red Hat Enterprise Linux 7

    SSSD trusted domain support currently only includes retrieving information from domains within the same Active Directory Resource Forest; a Request For Enhancement has been created upstream for this to be implemented. In the meantime, SSSD can resolve users from both domains by configuring SSSD to talk to both domains using two domain sections.
        NOTE: If expecting to use only short names (user, instead of user@domain), then user/group objects will be resolved in the order of the domain sections specified in sssd.conf.

    1. Join the first domain:

realm join EXAMPLE.COM

    2. Add the second domain to the [domain_realm] section of /etc/krb5.conf.

    3. Modify /etc/samba/smb.conf to prepare for joining the second domain.

    4. Join the second domain:

# net ads join -U Administrator

    5. Copy the domain section into a new domain section in sssd.conf for the second domain, modifying values as appropriate.

    6. Restart SSSD and attempt lookups for users in the different domains.
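As an added illustration of what the finished configuration from those steps could look like (this is not from the Red Hat article or from James's post), the fragments below cover the three files the steps touch; the second realm CORP.EXAMPLE.NET and every value in its sections are placeholders assumed for this example.

```ini
# --- /etc/sssd/sssd.conf: EXAMPLE.COM section as "realm join" writes it,
#     CORP.EXAMPLE.NET section copied and edited by hand (assumed values) ---
[sssd]
config_file_version = 2
services = nss, pam
# Order matters: an unqualified "user" is looked up in EXAMPLE.COM first,
# then in CORP.EXAMPLE.NET (the NOTE above).
domains = EXAMPLE.COM, CORP.EXAMPLE.NET

[domain/EXAMPLE.COM]
id_provider = ad
auth_provider = ad
# access_provider = ad refuses disabled, expired or locked AD accounts.
access_provider = ad
ad_domain = EXAMPLE.COM
krb5_realm = EXAMPLE.COM
cache_credentials = True
krb5_store_password_if_offline = True
ldap_id_mapping = True
# Qualified names keep alice@EXAMPLE.COM and alice@CORP.EXAMPLE.NET distinct
# once both domains are served from one sssd.conf.
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash

[domain/CORP.EXAMPLE.NET]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = CORP.EXAMPLE.NET
krb5_realm = CORP.EXAMPLE.NET
# Host keys for this realm were added to /etc/krb5.keytab by "net ads join";
# SSSD reads that default keytab, so no krb5_keytab override is needed.
cache_credentials = True
krb5_store_password_if_offline = True
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash

# --- /etc/krb5.conf: lines added to the existing [domain_realm] section ---
[domain_realm]
 .corp.example.net = CORP.EXAMPLE.NET
 corp.example.net = CORP.EXAMPLE.NET

# --- /etc/samba/smb.conf: [global] settings used only for "net ads join" ---
[global]
 workgroup = CORP
 realm = CORP.EXAMPLE.NET
 security = ads
 kerberos method = secrets and keytab
```

After restarting SSSD, `klist -k` should list host principals for both realms and `getent passwd alice@CORP.EXAMPLE.NET` should resolve the second domain's users.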

BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.