Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/3453
Our ActiveDirectory forest is named bc1.com
We have three domains : bc1.com, bouygues-construction.com and bycn.bouygues-construction.com
bycn.bouygues-construction.com is the Child Domain.
SSSD discovers only the domain bc1.com and bouygues-construction.com
# sssctl domain-list
bouygues-construction.com
bc1.com
bouygues.com <---- external domain
OS: CentOS 7.3
SSSD Version: 1.14.0
sssd.conf:
[sssd]
domains = bouygues-construction.com,
config_file_version = 2
services = nss, pam, ifp
[domain/bouygues-construction.com]
ad_domain = bouygues-construction.com
krb5_realm = BOUYGUES-CONSTRUCTION.COM
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
None of the users in the Child domain can be used.
The users in the Parent Domain work as expected.
# getent passwd s.jeanjean@bycn.bouygues-construction.com
# su - s.jeanjean@bycn.bouygues-construction.com
su: user s.jeanjean@bycn.bouygues-construction.com does not exist
bc1.com is our legacy domain and doesn't contain any users.
Comments
Comment from jhrozek at 2017-07-20 17:26:14
Please follow https://docs.pagure.org/SSSD.sssd/users/troubleshooting.html and https://docs.pagure.org/SSSD.sssd/users/reporting_bugs.html; otherwise it's impossible to help you.
Comment from sjeanjean at 2017-07-20 17:42:21
And the log with debug_level = 9
Comment from jhrozek at 2017-07-20 21:35:44
So apart from the joined domain sssd was able to discover also these domains:
(Thu Jul 20 17:37:33 2017) [sssd[be[bouygues-construction.com]]] [sdap_domain_subdom_add] (0x0400): subdomain bc1.com is a new one, will create a new sdap domain object
(Thu Jul 20 17:37:33 2017) [sssd[be[bouygues-construction.com]]] [sdap_domain_subdom_add] (0x0400): subdomain bouygues.com is a new one, will create a new sdap domain object
But not bycn.bouygues-construction.com ..
It might be a bug (which I can't find now..) where we fail to find 'subsubdomains'. What is the relationship of the domains in your forest?
Comment from sjeanjean at 2017-07-21 09:18:45
bc1.com has an External Trust with bouygues.com and a TreeRoot trust with bouygues-construction.com
bouygues-construction.com has a TreeRoot trust with bc1.com, an External trust with bouygues.com and a Child trust with bycn.bouygues-construction.com
bycn.bouygues-construction.com has an External trust with bouygues.com and a Parent trust with bouygues-construction.com
In the log, I see that the request that discovers the subdomains is:
ldapsearch -x -LLL -E pr=200/noprompt -h bc1ssys206.bc1.com -p 389 -b "dc=bc1,dc=com" -s sub "(&(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*)))" | grep name
name: bouygues-construction.com
name: bouygues.com
If I do the same request on the bouygues-construction.com domain instead of bc1.com, I get the correct result:
ldapsearch -x -LLL -E pr=200/noprompt -h bcnvsys001.bouygues-construction.com -p 389 -b "dc=bouygues-construction,dc=com" -s sub "(&(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*)))" | grep name
name: bycn.bouygues-construction.com
name: bouygues.com
name: bc1.com
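The two ldapsearch results above show the root cause in miniature: the trustedDomain query answered by the forest root lists only the root's own trusts, while the same query against bouygues-construction.com also lists its child. The script below is an added example, not SSSD's code; it re-implements the ticket's LDAP filter over constructed LDIF (the `name` values are taken from the output quoted above, every other attribute value and the extra forest-trust entry are assumed for illustration) and contrasts a single query of the forest root with a breadth-first walk that queries each discovered domain in turn, which is what it takes to reach a child of a tree-root domain.

```python
"""Transitive AD trust discovery over trustedDomain objects (added example).

Models the ldapsearch from the ticket:
  (&(objectclass=trustedDomain)(trustType=2)(!(msDS-TrustForestTrustInfo=*)))
trustType=2 is an uplevel (Windows 2000+) trust; msDS-TrustForestTrustInfo is
only populated on forest trusts, so the filter keeps domain-level trusts only.
"""
from collections import deque

# CONSTRUCTED LDIF: what the query returns when sent to each domain's DC.
# `name` values come from the ticket; DNs, trustType and the forest-trust
# entry "other-forest.example" (excluded by the filter) are assumed.
LDIF_BY_DOMAIN = {
    "bc1.com": """\
dn: CN=bouygues-construction.com,CN=System,DC=bc1,DC=com
objectClass: trustedDomain
name: bouygues-construction.com
trustType: 2

dn: CN=bouygues.com,CN=System,DC=bc1,DC=com
objectClass: trustedDomain
name: bouygues.com
trustType: 2

dn: CN=other-forest.example,CN=System,DC=bc1,DC=com
objectClass: trustedDomain
name: other-forest.example
trustType: 2
msDS-TrustForestTrustInfo: <binary blob, constructed>
""",
    "bouygues-construction.com": """\
dn: CN=bycn.bouygues-construction.com,CN=System,DC=bouygues-construction,DC=com
objectClass: trustedDomain
name: bycn.bouygues-construction.com
trustType: 2

dn: CN=bouygues.com,CN=System,DC=bouygues-construction,DC=com
objectClass: trustedDomain
name: bouygues.com
trustType: 2

dn: CN=bc1.com,CN=System,DC=bouygues-construction,DC=com
objectClass: trustedDomain
name: bc1.com
trustType: 2
""",
    "bycn.bouygues-construction.com": """\
dn: CN=bouygues.com,CN=System,DC=bycn,DC=bouygues-construction,DC=com
objectClass: trustedDomain
name: bouygues.com
trustType: 2

dn: CN=bouygues-construction.com,CN=System,DC=bycn,DC=bouygues-construction,DC=com
objectClass: trustedDomain
name: bouygues-construction.com
trustType: 2
""",
    # bouygues.com is an external domain: assume its DCs cannot be queried.
}


def parse_ldif(text):
    """Minimal LDIF parser (no base64, no line folding). Attribute names are
    lower-cased because LDAP attribute names are case-insensitive."""
    entries, current = [], {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def matches_sssd_filter(entry):
    """Python equivalent of the ticket's LDAP filter."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    return ("trusteddomain" in classes
            and "2" in entry.get("trusttype", [])
            and "msds-trustforesttrustinfo" not in entry)


def query_trusted_domains(domain):
    """Simulate the ldapsearch against `domain`; None if the DC is unreachable."""
    ldif = LDIF_BY_DOMAIN.get(domain)
    if ldif is None:
        return None
    return sorted(e["name"][0] for e in parse_ldif(ldif) if matches_sssd_filter(e))


def discover_one_level(forest_root):
    """What the 1.14 log shows: one query against the forest root only."""
    return set(query_trusted_domains(forest_root) or [])


def discover_transitive(forest_root, max_depth=None):
    """Breadth-first walk: every discovered domain is queried itself, so
    children of tree-root domains are found. Returns {domain: hop count}."""
    depth, queue = {forest_root: 0}, deque([forest_root])
    while queue:
        dom = queue.popleft()
        if max_depth is not None and depth[dom] >= max_depth:
            continue
        for name in query_trusted_domains(dom) or []:
            if name not in depth:
                depth[name] = depth[dom] + 1
                queue.append(name)
    del depth[forest_root]
    return depth


if __name__ == "__main__":
    print("one level :", sorted(discover_one_level("bc1.com")))
    print("transitive:", discover_transitive("bc1.com"))
```

Run as-is it prints the one-level set without bycn.bouygues-construction.com and the transitive map with it at two hops; `max_depth=1` reproduces the one-level behaviour, which is a convenient way to express "how deep does discovery follow trusts" as a single parameter.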
Comment from jhrozek at 2017-08-17 11:52:43
First, I'm sorry this ticket has stalled for such a long time.
Nonetheless, I think SSSD currently doesn't support your use-case. After your description, I think your setup is a variant of what is already described in https://pagure.io/SSSD/sssd/issue/2763.
Sorry about that. I think just defining a separate [domain] section for bycn.bouygues-construction.com should work, even with the same keytab since the domains trust each other.
Comment from jhrozek at 2017-08-17 11:53:11
So if you agree, I would prefer to close this ticket as a duplicate of issue #2763.
Comment from jhrozek at 2017-08-23 22:54:03
Metadata Update from @jhrozek:
Comment from sjeanjean at 2017-10-02 15:40:29
The proposed workaround doesn't work.
The ad backend for bycn.bouygues-construction.com cannot connect to the Active Directory.
The problem seems to be in [find_principal_in_keytab]. The code is looking for a principal matching TESTVM$@BYCN.BOUYGUES-CONSTRUCTION.COM, which doesn't exist. The principal is TESTVM$@BOUYGUES-CONSTRUCTION.COM
The secondary backend is not connected and so doesn't work.
I think also that this workaround will get some problems when the two backends try to renew the same machine account password.
Comment from sjeanjean at 2017-10-02 15:43:05
I have another question: when sssd discovers domains, how deep does it follow the trust relationship?
If we have a child of a child (tree level), does it work?
Comment from jhrozek at 2017-10-02 15:56:40
No, currently multiple subdomain levels are not supported either.