The Geek Diary

How To Configure sssd To Work With Multiple Active Directory Domains in Different Forests (CentOS/RHEL)

by

This post describes an approach to configuring sssd in order to interact with multiple Active Directory Domains located in different forests. This method involves altering /etc/krb5.conf and /etc/sssd/sssd.conf files.

1. Join the first domain (domain1.com) from the first forest.

# realm join --verbose domain1.com -U LinuxAD@DOMAIN1.COM

2. Edit /etc/krb5.conf file and add the secondary domain information (domain2.com) to [domain_realm] section.

# vi /etc/krb5.conf

[domain_realm]
# .example.com = EXAMPLE1.COM [Original entries]
# example.com  = EXAMPLE1.COM


[domain_realm]
.domain1.com = DOMAIN1.COM
domain1.com = DOMAIN1.COM      [New entries]
.domain2.com = DOMAIN2.COM
domain2.com = DOMAIN2.COM

3. Execute the following command to join Oracle Linux to the secondary domain.

# adcli -vvv join --host-keytab=/etc/krb5.keytab.domain2.com domain2.com -U LinuxAD@domain2.com
Note: LinuxAD user should have administrative privileges for these operations to be successful.

4. Edit /etc/sssd/sssd.conf file and perform the following change:

# vi /etc/sssd/sssd.conf

[sssd]
domains =domain1.com
config_file_version = 2                         [Original entries]
services = nss, pam

[sssd]
domains = domain1.com, domain2.com <----        [New entries]
config_file_version = 2
services = nss, pam, ssh

5. Add "dyndns_update = false" entry to bellow section:

[domain/domain2.com]
.........
........
krb5_keytab = /etc/krb5.keytab.domain2.com
ldap_krb5_keytab = /etc/krb5.keytab.domain2.com
debug_level = 9
dyndns_update = false     <-----

6. Add a new entry of the secondary Domain Controller with its corresponding IP@

# vi /etc/hosts
IP@ domain2.com      <-----

7. Restart sssd service:

# systemctl restart sssd

Now "realm list" command should list domain1.com and domain2.com information:

# realm list

domain1.com
type: kerberos
realm-name: DOMAI1.COM
domain-name: domain1.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-realm-logins

domain2.com
type: kerberos
realm-name: DOMAIN2.COM
domain-name: domain2.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@domain2.com
login-policy: allow-realm-logins

You May Also Like