The Geek Diary

How To Configure sssd To Work With Multiple Active Directory Domains in Different Forests (CentOS/RHEL)

by admin

This post describes one approach to configuring sssd so that it can interact with multiple Active Directory domains located in different forests. The method involves editing the /etc/krb5.conf and /etc/sssd/sssd.conf files.

1. Join the first domain (domain1.com) from the first forest.

# realm join --verbose domain1.com -U LinuxAD@DOMAIN1.COM

2. Edit the /etc/krb5.conf file and add the secondary domain information (domain2.com) to the [domain_realm] section.

# vi /etc/krb5.conf

[domain_realm]                      [Original entries]
# .example.com = EXAMPLE1.COM
# example.com  = EXAMPLE1.COM

[domain_realm]                      [New entries]
.domain1.com = DOMAIN1.COM
domain1.com = DOMAIN1.COM
.domain2.com = DOMAIN2.COM
domain2.com = DOMAIN2.COM

3. Run the following command to join the Oracle Linux host to the secondary domain.

# adcli -vvv join --host-keytab=/etc/krb5.keytab.domain2.com domain2.com -U LinuxAD@domain2.com

Note: the LinuxAD user must have administrative privileges for these operations to succeed.

4. Edit the /etc/sssd/sssd.conf file and make the following change:

# vi /etc/sssd/sssd.conf

[sssd]                                          [Original entries]
domains = domain1.com
config_file_version = 2
services = nss, pam

[sssd]                                          [New entries]
domains = domain1.com, domain2.com     <----
config_file_version = 2
services = nss, pam, ssh

5. Add a "dyndns_update = false" entry to the [domain/domain2.com] section shown below:

[domain/domain2.com]
.........
........
krb5_keytab = /etc/krb5.keytab.domain2.com
ldap_krb5_keytab = /etc/krb5.keytab.domain2.com
debug_level = 9
dyndns_update = false     <-----

6. Add a new /etc/hosts entry for the secondary domain controller with its corresponding IP address:

# vi /etc/hosts
IP@ domain2.com      <-----

7. Restart sssd service:

# systemctl restart sssd
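As an added example that is not part of the original post, this POSIX shell script checks that the files edited in steps 2 to 6 are consistent before sssd is restarted: both realm mappings are present, both domains are enabled, the second domain has its own root-only keytab, dynamic DNS updates are disabled, and /etc/hosts carries the entry. It runs against constructed sample files in a temporary directory that mirror the configuration above (192.0.2.10 is a placeholder address); pass / as the first argument to check a real host.

```shell
#!/bin/sh
# Added check (not from the original post): verify the files edited in steps 2-6 under $1.
ini_section() { awk -v s="[$1]" '$0 == s {f=1; next} /^\[/ {f=0} f' "$2"; }   # body of [$1] in $2
ini_get() {   # value of key $1 in section $2 of file $3; tolerates "key =value"
  k=$(printf '%s' "$1" | sed 's/\./\\./g')
  ini_section "$2" "$3" | sed -n "s/^[[:space:]]*$k[[:space:]]*=[[:space:]]*//p" | head -n 1
}
# Prints one line per finding; returns 0 only when every hard check passes.
check_second_domain() {
  root=$1 primary=$2 sec=$3 rc=0
  krb=$root/etc/krb5.conf sssd=$root/etc/sssd/sssd.conf
  realm=$(printf '%s' "$sec" | tr '[:lower:]' '[:upper:]')
  for d in "$sec" ".$sec"; do                      # step 2: both forms map to the realm
    [ "$(ini_get "$d" domain_realm "$krb")" = "$realm" ] ||
      { echo "FAIL: [domain_realm] in $krb lacks '$d = $realm'"; rc=1; }
  done
  doms=$(ini_get domains sssd "$sssd" | tr -d ' ')  # step 4: both domains enabled
  for d in "$primary" "$sec"; do
    case ",$doms," in *",$d,"*) ;; *) echo "FAIL: [sssd] domains lacks $d"; rc=1 ;; esac
  done
  kt=$(ini_get krb5_keytab "domain/$sec" "$sssd")   # step 5: own keytab, root-only
  if [ -z "$kt" ] || [ "$kt" = /etc/krb5.keytab ]; then
    echo "FAIL: [domain/$sec] must set krb5_keytab to a file other than $primary's /etc/krb5.keytab"; rc=1
  elif [ ! -f "$root$kt" ]; then
    echo "FAIL: keytab $kt missing (was 'adcli join --host-keytab=$kt' run?)"; rc=1
  elif [ "$(ls -l "$root$kt" | cut -c5-10)" != "------" ]; then
    echo "FAIL: keytab $kt is readable by group/other; chmod 600 it"; rc=1
  fi
  [ "$(ini_get dyndns_update "domain/$sec" "$sssd")" = false ] ||
    { echo "FAIL: [domain/$sec] needs dyndns_update = false"; rc=1; }
  lvl=$(ini_get debug_level "domain/$sec" "$sssd")
  [ "${lvl:-0}" -ge 9 ] && echo "WARN: debug_level $lvl is trace-level; lower it once the join works"
  grep -Eq "^[^#]*[[:space:]]$sec([[:space:]]|\$)" "$root/etc/hosts" 2>/dev/null ||   # step 6
    { echo "FAIL: $root/etc/hosts has no entry for $sec"; rc=1; }
  return $rc
}

# Constructed sample mirroring the post's final configuration (192.0.2.10 is a placeholder IP).
SAMPLE=$(mktemp -d); mkdir -p "$SAMPLE/etc/sssd"
printf '[domain_realm]\n.domain1.com = DOMAIN1.COM\ndomain1.com = DOMAIN1.COM\n.domain2.com = DOMAIN2.COM\ndomain2.com = DOMAIN2.COM\n' > "$SAMPLE/etc/krb5.conf"
printf '[sssd]\ndomains = domain1.com, domain2.com\nconfig_file_version = 2\nservices = nss, pam, ssh\n\n[domain/domain2.com]\nkrb5_keytab = /etc/krb5.keytab.domain2.com\nldap_krb5_keytab = /etc/krb5.keytab.domain2.com\ndebug_level = 9\ndyndns_update = false\n' > "$SAMPLE/etc/sssd/sssd.conf"
printf '192.0.2.10 domain2.com\n' > "$SAMPLE/etc/hosts"
: > "$SAMPLE/etc/krb5.keytab.domain2.com"; chmod 600 "$SAMPLE/etc/krb5.keytab.domain2.com"
check_second_domain "$SAMPLE" domain1.com domain2.com && echo "OK: configuration under $SAMPLE is consistent"
```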

Now the "realm list" command should show both domain1.com and domain2.com:

# realm list

domain1.com
type: kerberos
realm-name: DOMAIN1.COM
domain-name: domain1.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U
login-policy: allow-realm-logins

domain2.com
type: kerberos
realm-name: DOMAIN2.COM
domain-name: domain2.com
configured: kerberos-member
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools
login-formats: %U@domain2.com
login-policy: allow-realm-logins

Filed Under: CentOS/RHEL, CentOS/RHEL 7, CentOS/RHEL 8, Linux
