Linux into Windows AD Integration with Multiple Domains

Hey all,

I have two windows domains which have bidirectional trusts. When I join a Windows machine to Domain_B, I am able to authorize users from Domain_A on the machine itself. But I am missing something on CentOS7 which prohibits me from doing this. Namely, user@Domain_A can’t be identified on machine@Domain_B

I installed kerberos, realmd, sssd, samba on CentOS7. I then used “realm join -U user@Domain_B Domain_B” and everything works. I can find my object in AD and authenticate groups@Domain_B for ssh, sudo, wtc. But when I use “id user@Domain_A” it fails. I can “klist user@Domain_A” as well as “realm discover Domain_A” with success, but I can’t get the authentication and lookup working. I can ping domains.domain_a and everything. Domain_A controllers have Windows 2008 R2 while Domain_B controllers use Windows 2003. Is it something on the controller itself with Windows 2003 or should I have another package or configuration change to enable trusted domain lookups?

p.s. I tried [capaths] in krb5.conf as well as [domain/Domain_A/Domain_B] in sssd.conf with no luck. Now I rolled back everything to default after a “realm join…”

What does your samba config have in it? Its been a minute since I’ve done anything like this but I think you need winbind on both domains.

Nothing is in the smb.conf. I did read about winbind a bit, but it replicated a lot of what realmd and sssd did, so I was unsure of what the difference was and what to put into it. I was thinking that because I could join, look up and authenticate against Domain_B without these, that perhaps I didn’t need them.

I will look into it, thanks for the info.

TBH I’m far from an expert I only did this once to auth AD users to nextcloud and I couldnt tell you everything I did now. I just remember nothing worked until I got my samba set up right.

We do have some machines using LDAP to authenticate in Apache, but I was hoping to stick with Kerberos. Not sure if that’s what you were using.

kerberos was necessary for access to the storage outside of nextcloud iirc. I think the difference for my setup was that the linux server was a domain member possibly. I’m pretty much useless to you since I dont remember much. Its been a couple years.