Red Hat Bugzilla – Bug 1248366
Unable to resolve User IDs from trusted Domain
Last modified: 2015-08-05 08:21:15 EDT
Created attachment 1057549 [details]
Dear Sir or Madam,
my college configured an external trust for our existing Active Directory. We have joined our Linux Server using realmd and aren't able resolving any user IDs from the new trusted domain using sssd. I am in fact able to get a Kerberos Ticket with credentials of the trusted domain. Is this a known issue? Please let me know if I am able to provide any futher information. Logfiles are attached to this report.
- centos7/rhel7 with sssd 1.12.2-58 joined to active directory domain 'content.zone'. 'content.zone' in turn trusts (one-way, external) the domain 'oew.de'.
- 'id email@example.com' gives the error message ' GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]'
- resolving firstname.lastname@example.org works without a hitch.
(Thu Jul 30 09:07:28 2015) [sssd[be[content.zone]]] [sasl_bind_send] (0x0080): Extended failure message: [SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. Minor code may provide more information (Server not found in Kerberos database)]
How to reproduce:
sudo realm join --user="administrator" --computer-ou=OU=Computers,OU=CAP,DC=content,DC=zone content.zone
sudo systemctl stop sssd; sudo rm -rf /var/lib/sss/db/*; sudo systemctl start sssd
We have reconfigured the trust from a one-directional external trust to a bi-directional external trust. With this we get the IDs withouth any problems. As an alternative we have tried joining our server with pbis/likewise-open and didn't need an bi-directional trust. Would you mind explaining why SSSD needs a trust in the different direction?
I'm glad it works now. Some details were cleared up on the sssd-devel list.
One-way trust is a feature of RHEL-7.2