Is it possible to authorize users from multiple AD domains?
Good afternoon.
Given:
A number of Linux servers
2 AD - separate forests, but with trusts in both directions, let's say domain1.local and domain2.lan
The task is to join the Linux machines to domain2.lan using sssd, krb5 and realm. There are no problems with this; everything is easy and simple. The main requirement is to allow login for members of a domain2.lan group (let's say linux-users) that includes users from both domains, i.e. both domain2.lan and domain1.local.
And if everything is extremely simple and successful with users of domain2.lan, then users of the linux-users group from domain1.local cannot log in in any way.
Does anyone have experience of such perversions? Is it even possible to implement such a scheme?
We have a similar scheme and such problems do not arise.
Check the option where there are no group restrictions in sssd, and whether the users are from domain1.
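One way to carry out the check suggested in the answer, as an added example that is not part of the thread: the script lists the sssd.conf settings that limit logins by group and, on the joined host, separates name resolution of the user from access control. The function names and the default path /etc/sssd/sssd.conf are assumptions; the option names are standard SSSD settings.

```shell
#!/bin/sh
# Added example, not from the thread; sample names are constructed.

# Print "domain key=value" for each access-control setting found in the
# [domain/...] sections of the sssd.conf file given as $1.
access_settings() {
    awk '
        /^[ \t]*[#;]/ { next }                  # comment line
        /^[ \t]*\[/ {                           # section header
            sec = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sec)
            next
        }
        sec ~ /^domain\// && /=/ {
            key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]*/, "", key)
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]*$/, "", val)
            if (key ~ /^(access_provider|simple_allow_groups|simple_allow_users|ad_access_filter)$/)
                print substr(sec, 8) " " key "=" val
        }
    ' "$1"
}

# Exit 0 when logins are limited to listed groups or to an LDAP filter.
group_restricted() {
    access_settings "$1" | grep -Eq ' (simple_allow_groups|ad_access_filter)=.'
}

# Run on the joined host. $1 = user name as SSSD presents it
# (e.g. someuser@domain1.local), $2 = sssd.conf path (assumed default below).
diagnose() {
    conf=${2:-/etc/sssd/sssd.conf}
    if ! getent passwd "$1" >/dev/null; then
        echo "lookup failed: $1 does not resolve through NSS"
        return 1
    fi
    id "$1"    # is linux-users among the groups returned for this user?
    if group_restricted "$conf"; then
        echo "group restrictions in effect:"
        access_settings "$conf"
    else
        echo "no group restrictions configured in $conf"
    fi
}

if [ "$#" -ge 1 ]; then diagnose "$@"; fi
```

If the lookup step already fails for a domain1.local user, the group restriction is not what blocks the login, and removing it for the test will not change the result.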