[Discuss] AD/LDAP authentication

Grant Mongardi gmongardi at napc.com
Fri Dec 15 09:20:42 EST 2017


Ok, that's helpful information.

I actually thought that SSSD would in fact do this, and I would be
disappointed if I discovered that it wouldn't support trust relationships
properly. That said, I never was able to get Winbindd to do this in any
usable way so I suppose it's possible that it's true of SSSD. I haven't
really done a deep-dive with SSSD so I really can't say. I should put that
on my list of to-dos.

I know that Centrify Server Suite definitely does this (we sell it - see
full disclosure below). It will fully support trust relationships, and if
you're stuck with a one-way trust then you can simply put the foreign users
into groups on the local domain and it will enumerate those. So you'd join
your server to the local domain, which would in turn accept authentications
from the foreign domain. If the authenticated foreign user is a member of a
group in the local domain then those group memberships will be enumerated.
For obvious reasons group memberships in the foreign domain will not get
resolved in any way.

They do have a free, community supported version of the product. You're on
your own as far as figuring out the details of doing specific things or
troubleshooting, however the product is a very simple install and join so
it really shouldn't be a big deal. And it just works. You do have to sign
up for an account to download and they will use your info to try to sell
you stuff. Feel free to use me/NAPC in an effort to forestall that. And by
all means, if you need professional help (with the product, I can only do
so much) or want to buy/try the full version then drop me a note.

Full disclosure: the company I work for sells Centrify products and I do
the majority of the demos and technical support for it. But to be fair we
sell it because we've been very happy with it as a solution and it really
is the best product for doing this. We've tried most other solutions over
the years and theirs is the most reliable.

I hope I haven't broken any rules here. I'm really not trying to (or expect
to) sell anything. In fact, if there's enough interest I'm happy to do some
sort of online demo of joining systems to AD using the various technologies
I'm familiar with (Winbind, LDAP, SSSD, Centrify, and all of the supporting
utilities). It would probably need to be a few different ones. The
actual BLU meetings aren't really an option as I'm the morning person and
typically in bed by the time you folks are just starting :-).

Thanks,
Grant M.

On Thu, Dec 14, 2017 at 10:34 AM, Richard Pieri <richard.pieri at gmail.com>
wrote:

> On 12/14/2017 7:46 AM, Grant NAPC wrote:
> > To be fair, you haven't said exactly what you're trying to do. Is this
> > for a web application, a system service (SMB, FTP, etc.), or simply
> > SSH/SFTP/Desktop access? There are other options in certain cases that
>
> ssh logins. Some users from each domain need full shell access. And I
> need groups for access controls and file ownerships so even if trust
> chaining worked for shell logins (it currently does not on RHEL 7) I
> couldn't use it.
>
> If this were a vanilla Kerberos environment I'd simply configure the two
> realms in krb5.conf and be done with it. If you know how to do this with
> two or more AD domains then I'd love to see how you did it.
>
> --
> Rich P.
> _______________________________________________
> Discuss mailing list
> Discuss at blu.org
> http://lists.blu.org/mailman/listinfo/discuss
>



-- 

Grant Mongardi
*Senior Systems Engineer*
*NAPC inc*
p: 781-894-3114
a: 307 Waverley Oaks Rd. Waltham, Ma 02452
w: www.napc.com  e: gmongardi at napc.com
<https://facebook.com/napcgroup>   <https://twitter.com/NAPCgroup>
<https://www.linkedin.com/company/205941/>
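As an added illustration of the "two realms in krb5.conf" setup Richard refers to (this is not from either poster; realm, domain and host names are placeholders, and the Kerberos cross-realm trust itself is assumed to already exist on the AD side):

```ini
# Added example, not from the thread: two AD realms in /etc/krb5.conf.
# This only lets the Kerberos client locate both KDCs and map hostnames
# to realms; it does not establish the trust, and it does nothing for
# identity or group lookup, which is still the job of the identity daemon
# (SSSD, winbind, Centrify). That is why group memberships from the
# foreign domain may not resolve over a one-way trust.
[libdefaults]
    default_realm = LOCAL.EXAMPLE.COM
    dns_lookup_realm = false
    dns_lookup_kdc = true
    rdns = false

[realms]
    LOCAL.EXAMPLE.COM = {
        kdc = dc1.local.example.com
        admin_server = dc1.local.example.com
    }
    FOREIGN.EXAMPLE.NET = {
        kdc = dc1.foreign.example.net
        admin_server = dc1.foreign.example.net
    }

[domain_realm]
    .local.example.com = LOCAL.EXAMPLE.COM
    local.example.com = LOCAL.EXAMPLE.COM
    .foreign.example.net = FOREIGN.EXAMPLE.NET
    foreign.example.net = FOREIGN.EXAMPLE.NET

[capaths]
    # Direct cross-realm path: a client holding a FOREIGN TGT reaches a
    # service in LOCAL with no intermediate realm ("." means direct).
    FOREIGN.EXAMPLE.NET = {
        LOCAL.EXAMPLE.COM = .
    }
```

With this in place, a foreign-domain user can obtain a ticket for a service in the local realm; whether that user's groups are visible for sshd AllowGroups or file ownership depends on the identity provider, not on krb5.conf.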


