Our Active Directory forest is named bc1.com. We have three domains: bc1.com, bouygues-construction.com and bycn.bouygues-construction.com. bycn.bouygues-construction.com is the child domain. SSSD discovers only the domains bc1.com and bouygues-construction.com:

```
# sssctl domain-list
bouygues-construction.com
bc1.com
bouygues.com   <---- external domain
```

OS: CentOS 7.3
SSSD version: 1.14.0
sssd.conf:

```
[sssd]
domains = bouygues-construction.com,
config_file_version = 2
services = nss, pam, ifp

[domain/bouygues-construction.com]
ad_domain = bouygues-construction.com
krb5_realm = BOUYGUES-CONSTRUCTION.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
```
None of the users in the child domain can be used. The users in the parent domain work as expected:

```
# getent passwd s.jeanjean@bycn.bouygues-construction.com
# su - s.jeanjean@bycn.bouygues-construction.com
su: user s.jeanjean@bycn.bouygues-construction.com does not exist
```

bc1.com is our legacy domain and doesn't contain any users.
Please follow https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html and https://docs.pagure.org/SSSD.sssd/users/reporting_bugs.html; otherwise it is impossible to help you.
And the log with debug_level = 9:

Attachment: sssd_bouygues-construction.com.log (/SSSD/sssd/issue/raw/31fb6b979cc8029ac15eba25474a716fd73a795fe729f35e8a9a4a6848fd5ea1-sssd_bouygues-construction.com.log)
So apart from the joined domain, sssd was able to discover these domains as well:

```
(Thu Jul 20 17:37:33 2017) [sssd[be[bouygues-construction.com]]] [sdap_domain_subdom_add] (0x0400): subdomain bc1.com is a new one, will create a new sdap domain object
(Thu Jul 20 17:37:33 2017) [sssd[be[bouygues-construction.com]]] [sdap_domain_subdom_add] (0x0400): subdomain bouygues.com is a new one, will create a new sdap domain object
```

But not bycn.bouygues-construction.com.

It might be a bug (which I can't find now) where we fail to find 'subsubdomains'. What is the relationship of the domains in your forest?
- bc1.com has an External trust with bouygues.com and a TreeRoot trust with bouygues-construction.com
- bouygues-construction.com has a TreeRoot trust with bc1.com, an External trust with bouygues.com and a Child trust with bycn.bouygues-construction.com
- bycn.bouygues-construction.com has an External trust with bouygues.com and a Parent trust with bouygues-construction.com
In the log, I see that the request used to discover the subdomains is:

```
ldapsearch -x -LLL -E pr=200/noprompt -h bc1ssys206.bc1.com -p 389 -b "dc=bc1,dc=com" -s sub "(&(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*)))" | grep name
name: bouygues-construction.com
name: bouygues.com
```

If I do the same request on the bouygues-construction.com domain instead of bc1.com, I get the correct result:

```
ldapsearch -x -LLL -E pr=200/noprompt -h bcnvsys001.bouygues-construction.com -p 389 -b "dc=bouygues-construction,dc=com" -s sub "(&(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*)))" | grep name
name: bycn.bouygues-construction.com
name: bouygues.com
name: bc1.com
```
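To make the discovery gap concrete, here is an added example that is not part of the original ticket or of SSSD's code. It feeds the LDAP filter quoted above over constructed LDIF modelled on the two result sets the reporter shows (no directory is contacted), and compares a single query against the forest root, which is how the thread describes SSSD 1.14 behaving, with a breadth-first walk that follows in-forest trusts one hop further. The trustAttributes bit values (0x20 TRUST_ATTRIBUTE_WITHIN_FOREST, 0x4 TRUST_ATTRIBUTE_QUARANTINED_DOMAIN) come from the MS-ADTS specification; the DN layout and the attribute values on each entry are assumptions made for the example, not data from the reporter's forest.

```python
"""Added example, not SSSD's own code.

Shows why one trustedDomain query against the forest root (bc1.com) lists
bouygues-construction.com but not its child bycn.bouygues-construction.com,
while a walk that recurses through in-forest trusts finds both.
"""

TRUST_TYPE_UPLEVEL = 2                 # trustType=2: Windows 2000+ domain
TRUST_ATTRIBUTE_QUARANTINED = 0x4      # external trust, SID filtering on
TRUST_ATTRIBUTE_WITHIN_FOREST = 0x20   # parent/child or tree-root trust

# Constructed LDIF, one blob per domain that can be queried, mirroring the
# ldapsearch results quoted in the ticket. bouygues.com is an external forest
# we hold no credentials for, so it has no entry and is never queried.
LDIF_BY_DOMAIN = {
    "bc1.com": """\
dn: CN=bouygues-construction.com,CN=System,DC=bc1,DC=com
objectClass: trustedDomain
name: bouygues-construction.com
trustType: 2
trustAttributes: 32

dn: CN=bouygues.com,CN=System,DC=bc1,DC=com
objectClass: trustedDomain
name: bouygues.com
trustType: 2
trustAttributes: 4
""",
    "bouygues-construction.com": """\
dn: CN=bycn.bouygues-construction.com,CN=System,DC=bouygues-construction,DC=com
objectClass: trustedDomain
name: bycn.bouygues-construction.com
trustType: 2
trustAttributes: 32

dn: CN=bouygues.com,CN=System,DC=bouygues-construction,DC=com
objectClass: trustedDomain
name: bouygues.com
trustType: 2
trustAttributes: 4

dn: CN=bc1.com,CN=System,DC=bouygues-construction,DC=com
objectClass: trustedDomain
name: bc1.com
trustType: 2
trustAttributes: 32
""",
    "bycn.bouygues-construction.com": """\
dn: CN=bouygues.com,CN=System,DC=bycn,DC=bouygues-construction,DC=com
objectClass: trustedDomain
name: bouygues.com
trustType: 2
trustAttributes: 4

dn: CN=bouygues-construction.com,CN=System,DC=bycn,DC=bouygues-construction,DC=com
objectClass: trustedDomain
name: bouygues-construction.com
trustType: 2
trustAttributes: 32
""",
}


def parse_ldif(text):
    """Minimal LDIF reader: 'attr: value' lines, entries separated by blank lines."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def sssd_trust_filter(entry):
    """Python form of (&(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*)))."""
    return ("trustedDomain" in entry.get("objectClass", [])
            and entry.get("trustType", ["0"])[0] == str(TRUST_TYPE_UPLEVEL)
            and "msDS-TrustForestTrustInfo" not in entry)


def trusted_domains(domain):
    """Return {trusted name: trustAttributes} as seen from `domain`'s DC."""
    ldif = LDIF_BY_DOMAIN.get(domain)
    if ldif is None:
        return {}  # cannot bind there (e.g. an external forest)
    return {e["name"][0]: int(e.get("trustAttributes", ["0"])[0])
            for e in parse_ldif(ldif) if sssd_trust_filter(e)}


def discover_one_hop(root):
    """What a single query against `root` yields: direct trusts only."""
    return set(trusted_domains(root))


def discover_transitive(root):
    """Breadth-first walk that recurses only into in-forest trusts.

    External (quarantined) trusts are reported but not followed, because
    they are not transitive and we cannot query the other forest anyway.
    """
    found, queue, seen = set(), [root], {root}
    while queue:
        dom = queue.pop(0)
        for name, attrs in trusted_domains(dom).items():
            found.add(name)
            if name not in seen and attrs & TRUST_ATTRIBUTE_WITHIN_FOREST:
                seen.add(name)
                queue.append(name)
    found.discard(root)
    return found


if __name__ == "__main__":
    print("one hop from bc1.com:  ", sorted(discover_one_hop("bc1.com")))
    print("transitive from bc1.com:", sorted(discover_transitive("bc1.com")))
```

Running it shows the single-hop set from bc1.com is exactly the two names the first ldapsearch returned, and the child domain only appears once the walk follows the tree-root trust into bouygues-construction.com; the external bouygues.com trust is listed from every domain but never recursed into.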
First, I'm sorry this ticket has stalled for such a long time.
Nonetheless, I think SSSD currently doesn't support your use case. From your description, I think your setup is a variant of what is already described in https://pagure.io/SSSD/sssd/issue/2763.
Sorry about that. I think just defining a separate [domain] section for bycn.bouygues-construction.com should work, even with the same keytab since the domains trust each other.
So if you agree, I would prefer to close this ticket as a duplicate of issue #2763.
Metadata Update from @jhrozek:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)
The proposed workaround doesn't work. The AD backend for bycn.bouygues-construction.com cannot connect to Active Directory. The problem seems to be in [find_principal_in_keytab]. The code is looking for a principal matching TESTVM$@BYCN.BOUYGUES-CONSTRUCTION.COM, which doesn't exist. The principal is TESTVM$@BOUYGUES-CONSTRUCTION.COM. The secondary backend is not connected and so doesn't work. I also think this workaround will run into problems when the two backends try to renew the same machine account password.

I have another question: when SSSD discovers domains, how deep does it follow the trust relationships? If we have a child of a child (tree level), does it work?
No, currently multiple subdomain levels are not supported either.
SSSD is moving from Pagure to Github. This means that new issues and pull requests will be accepted only in SSSD's github repository.
This issue has been cloned to Github and is available here: - https://github.com/SSSD/sssd/issues/4480
If you want to receive further updates on the issue, please navigate to the github issue and click on subscribe button.
Thank you for understanding. We apologize for all inconvenience.