[Discuss] AD/LDAP authentication
James Cassell
blu at cyberpear.com
Thu Dec 21 18:54:30 EST 2017
On Wed, Dec 13, 2017, at 3:20 PM, Richard Pieri wrote:
> On a completely different topic from document conversion...
>
> My employer has two Active Directory domains. I need to set up some
> Linux servers (RHEL, SUSE and Ubuntu) to use both domains for user
> authentication. Users get accounts on one or the other, never both. This
> is a mandate from Legal so the easy answer is off the table.
>
> SSSD and Winbind work for binding to one domain or the other but I can't
> bind to both at the same time (Red Hat promised this in RHEL 7 but have
> yet to deliver). So I figure I can use AD for one domain and LDAP bind
> authentication for the other, or LDAP binds to each domain, but I can't
> get either working.
>
Looks like Red Hat has a workaround that consists of joining the first domain using the realmd tool, then joining the second domain using samba's 'net ads join' tool and copying the appropriate info into sssd.conf. I haven't tried it, but the workaround is listed here: https://access.redhat.com/solutions/2710131 (you need a Red Hat account to see it, which you can get for free with the RHEL Developer program: https://developers.redhat.com/products/rhel/download/ )
I've pasted the key bits below.
There is a longstanding sssd bug for this capability: https://pagure.io/SSSD/sssd/issue/2078
Hope that helps!
V/r,
James Cassell
https://access.redhat.com/solutions/2710131
Joining SSSD to domains in different forests
Solution In Progress - Updated October 17 2016 at 4:15 PM - English
Environment
Red Hat Enterprise Linux 7
Issue
SSSD trusted domain support currently only includes retrieving information from domains within the same Active Directory Resource Forest; a Request For Enhancement has been created upstream for this to be implemented. In the meantime, SSSD can resolve users from both domains by configuring SSSD to talk to both domains using two domain sections.
NOTE If expecting to use only short names (user instead of user@domain) then user/group objects will be resolved in the order of the domain sections specified in sssd.conf
Resolution
Join the first domain
realm join EXAMPLE.COM
Add the second domain to the [domain_realm] section of /etc/krb5.conf
Modify /etc/samba/smb.conf to prepare for joining the second domain
Join the second domain
# net ads join -U Administrator
Copy the domain section into a new domain section in sssd.conf for the second domain, modify values as appropriate
Restart SSSD and attempt lookups for users in different domains
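As an added example (not part of the Red Hat solution or of the original post), the script below performs the "copy the domain section into a new domain section, modify values as appropriate" step of the workaround as plain text transformations, so the resulting sssd.conf and the [domain_realm] lines for krb5.conf can be reviewed before anything is written to /etc. The realm names EXAMPLE.COM and CORP.EXAMPLE.NET are hypothetical, and the starting [domain/example.com] section is a constructed, abbreviated reconstruction of what realmd typically writes, not a copy from a real host.

```shell
#!/bin/bash
# Added example: derive the second SSSD domain section from the one realmd
# created, and emit the krb5.conf [domain_realm] mappings for both realms.
# Realm names are hypothetical; the sample config is constructed.
FIRST_REALM="EXAMPLE.COM"
SECOND_REALM="CORP.EXAMPLE.NET"   # second forest joined with 'net ads join'

# Constructed sample of what 'realm join EXAMPLE.COM' leaves in
# /etc/sssd/sssd.conf (abbreviated; realmd output varies by version).
sample_sssd_conf() {
    cat <<'EOF'
[sssd]
domains = example.com
config_file_version = 2
services = nss, pam

[domain/example.com]
ad_domain = example.com
krb5_realm = EXAMPLE.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
EOF
}

lc() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# Escape dots so a realm name can be used as a literal sed pattern.
re_escape() { printf '%s' "$1" | sed 's/\./\\./g'; }

# Print the [domain/<name>] section from the config on stdin, stopping at
# the next section header (or end of file).
extract_domain_section() {
    awk -v hdr="[domain/$1]" '
        $0 == hdr                 { p = 1 }
        /^\[/ && $0 != hdr        { p = 0 }
        p'
}

# Copy of the first section with realm (upper case) and DNS domain
# (lower case) names replaced; every other option is kept as-is, which is
# exactly what the "copy and modify values" step asks for.
make_second_section() {
    local first_lc second_lc first_re first_lc_re
    first_lc=$(lc "$FIRST_REALM")
    second_lc=$(lc "$SECOND_REALM")
    first_re=$(re_escape "$FIRST_REALM")
    first_lc_re=$(re_escape "$first_lc")
    sample_sssd_conf \
      | extract_domain_section "$first_lc" \
      | sed -e "s/$first_re/$SECOND_REALM/g" -e "s/$first_lc_re/$second_lc/g"
}

# Complete sssd.conf: 'domains =' lists both, both sections follow.
merged_sssd_conf() {
    local second_lc
    second_lc=$(lc "$SECOND_REALM")
    sample_sssd_conf | sed "/^domains = /s/\$/, $second_lc/"
    printf '\n'
    make_second_section
}

# [domain_realm] entries for /etc/krb5.conf so hosts in either DNS domain
# are mapped to the matching Kerberos realm.
krb5_domain_realm() {
    local r lcr
    printf '[domain_realm]\n'
    for r in "$FIRST_REALM" "$SECOND_REALM"; do
        lcr=$(lc "$r")
        printf ' .%s = %s\n %s = %s\n' "$lcr" "$r" "$lcr" "$r"
    done
}

# Review the generated fragments; on the real host the sequence is:
#   realm join EXAMPLE.COM          (first domain, as in the KB article)
#   edit /etc/krb5.conf and /etc/samba/smb.conf, then
#   net ads join -U Administrator   (second domain)
#   install the merged sssd.conf, systemctl restart sssd,
#   id someone@corp.example.net     (lookup in the second domain)
merged_sssd_conf
printf '\n'
krb5_domain_realm
```

Keeping use_fully_qualified_names = True in both sections (as in the constructed sample) sidesteps the ordering caveat in the NOTE above: short names are then never resolved, and users must be looked up and log in as user@domain, which also matches the "never both" mandate since the realm is always explicit.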