This post describes an approach to configuring sssd in order to interact with multiple Active Directory Domains located in different forests. This method involves altering /etc/krb5.conf and /etc/sssd/sssd.conf files.
1. Join the first domain (domain1.com) from the first forest.
# realm join --verbose domain1.com -U LinuxAD@DOMAIN1.COM
2. Edit /etc/krb5.conf file and add the secondary domain information (domain2.com) to [domain_realm] section.
# vi /etc/krb5.conf [domain_realm] # .example.com = EXAMPLE1.COM [Original entries] # example.com = EXAMPLE1.COM [domain_realm] .domain1.com = DOMAIN1.COM domain1.com = DOMAIN1.COM [New entries] .domain2.com = DOMAIN2.COM domain2.com = DOMAIN2.COM
3. Execute the following command to join Oracle Linux to the secondary domain.
# adcli -vvv join --host-keytab=/etc/krb5.keytab.domain2.com domain2.com -U LinuxAD@domain2.com
4. Edit /etc/sssd/sssd.conf file and perform the following change:
# vi /etc/sssd/sssd.conf [sssd] domains =domain1.com config_file_version = 2 [Original entries] services = nss, pam [sssd] domains = domain1.com, domain2.com <---- [New entries] config_file_version = 2 services = nss, pam, ssh
5. Add "dyndns_update = false" entry to bellow section:
[domain/domain2.com] ......... ........ krb5_keytab = /etc/krb5.keytab.domain2.com ldap_krb5_keytab = /etc/krb5.keytab.domain2.com debug_level = 9 dyndns_update = false <-----
6. Add a new entry of the secondary Domain Controller with its corresponding IP@
# vi /etc/hosts IP@ domain2.com <-----
7. Restart sssd service:
# systemctl restart sssd
Now "realm list" command should list domain1.com and domain2.com information:
# realm list domain1.com type: kerberos realm-name: DOMAI1.COM domain-name: domain1.com configured: kerberos-member server-software: active-directory client-software: sssd required-package: oddjob required-package: oddjob-mkhomedir required-package: sssd required-package: adcli required-package: samba-common-tools login-formats: %U login-policy: allow-realm-logins domain2.com type: kerberos realm-name: DOMAIN2.COM domain-name: domain2.com configured: kerberos-member server-software: active-directory client-software: sssd required-package: oddjob required-package: oddjob-mkhomedir required-package: sssd required-package: adcli required-package: samba-common-tools login-formats: %U@domain2.com login-policy: allow-realm-logins