I have two Windows domains which have bidirectional trusts. When I join a Windows machine to Domain_B, I am able to authorize users from Domain_A on the machine itself. But I am missing something on CentOS7 which prohibits me from doing this. Namely, [email protected]_A can’t be identified on [email protected]_B.
I installed kerberos, realmd, sssd, samba on CentOS7. I then used “realm join -U [email protected]_B Domain_B” and everything works. I can find my object in AD and authenticate [email protected]_B for ssh, sudo, etc. But when I use “id [email protected]_A” it fails. I can “klist [email protected]_A” as well as “realm discover Domain_A” with success, but I can’t get the authentication and lookup working. I can ping domains.domain_a and everything. Domain_A controllers have Windows 2008 R2 while Domain_B controllers use Windows 2003. Is it something on the controller itself with Windows 2003, or should I have another package or configuration change to enable trusted domain lookups?
P.S. I tried [capaths] in krb5.conf as well as [domain/Domain_A/Domain_B] in sssd.conf with no luck. I have now rolled back everything to default after a “realm join…”