
Looking for your help on the scenario below.

Scenario - My authentication happens using 2 domains (we have a trust between domain 1 and domain 2). We migrated the servers from domain1 to domain2.

Domain 1 has POSIX enabled and Domain 2 does not.

Do I have an option to set "ldap_id_mapping = True" for the first domain and "ldap_id_mapping = False" for the second domain?

Below is my sssd.conf file. Please suggest.

[sssd]
domains = domain2.com
config_file_version = 2
services = nss, pam
default_domain_suffix = domain1.com

[domain/domain2.com]
ad_domain = domain2.com
krb5_realm = domain2.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = True
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad
debug_level = 9

[domain/domain1.com]
ad_domain = domain1.com
krb5_realm = domain1.com
realmd_tags = manages-system joined-with-samba
cache_credentials = True
id_provider = ad
krb5_store_password_if_offline = True
default_shell = /bin/bash
ldap_id_mapping = False
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
access_provider = ad

Michael Hampton

1 Answer


Yes, this should work, because domains defined separately in the config file have no relationship to one another. But please note that if the two domains trust each other, then SSSD's subdomains provider will discover the other domain automatically. In your case, you might want to disable the subdomains provider by setting it to 'none' in the config file. Depending on your version (and depending on whether the version has ad_enabled_domains or not), you might also need to set the domain SID, at least for the domain with ID mapping enabled. That's because with ID mapping, SSSD needs to know the domain SID, and the subdomains provider is the one that also discovers the master domain SID (yes, confusing naming...).

(edit: I just noticed you explicitly said you're using RHEL-6. There, ad_enabled_domains will only be available in RHEL-6.9.)

jhrozek
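Putting the answer's points together in one file, as an added example that is neither the asker's posted config nor anything from the SSSD project: both domains listed under "domains" (the posted config only lists domain2.com), the subdomains provider disabled in each section so neither domain is rediscovered as a trusted subdomain of the other, ID mapping chosen per domain, and the domain SID pinned for the mapped domain. The SID value is a placeholder and must be replaced with the real SID of domain2.com; realm names and other values are taken from the posted config.

```ini
[sssd]
domains = domain1.com, domain2.com
config_file_version = 2
services = nss, pam
default_domain_suffix = domain1.com

# domain2: no POSIX attributes in AD, so SSSD derives UIDs/GIDs from SIDs
[domain/domain2.com]
ad_domain = domain2.com
krb5_realm = domain2.com
id_provider = ad
access_provider = ad
# stop SSSD from discovering domain1 as a trusted subdomain of this section
subdomains_provider = none
ldap_id_mapping = True
# with subdomains_provider = none the domain SID is no longer discovered,
# so pin it here; PLACEHOLDER value, replace with the real SID of domain2.com
ldap_idmap_default_domain_sid = S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
ldap_idmap_default_domain = domain2.com
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
cache_credentials = True
krb5_store_password_if_offline = True

# domain1: uidNumber/gidNumber are maintained in AD, so use them as stored
[domain/domain1.com]
ad_domain = domain1.com
krb5_realm = domain1.com
id_provider = ad
access_provider = ad
subdomains_provider = none
ldap_id_mapping = False
use_fully_qualified_names = True
fallback_homedir = /home/%u@%d
default_shell = /bin/bash
cache_credentials = True
krb5_store_password_if_offline = True
```

After restarting sssd and clearing its cache with "sss_cache -E", "id user@domain1.com" should return the uidNumber stored in AD while "id user@domain2.com" should return an ID derived from the SID. If a lookup for one domain fails, check the sssd_domain1.com.log or sssd_domain2.com.log for that section with the debug_level raised, as in the posted config.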