I'm looking to set up sssd to authenticate users against AD but have the users' account and group membership be in sssd. I would then like to have sssd distribute this information to other sssd machines. This would allow a single sssd instance to manage my whole Linux infrastructure.

I know this should be possible but I'm unable to find any documentation on how to set up/configure this. Maybe sssd isn't the right tool. If so, what is the right tool?


Hmm. Doing authentication against AD but authorization against a different uid/gid identity source sounds like a lot of work. You'd definitely want sssd on the client Linux servers for this, as that does the best job of integrating multiple identity sources. I think you are talking about having a second LDAP directory server on one of the Linux boxes such as IdM or RHDS? Is there a reason why you can't set the AD POSIX attributes uidNumber/gidNumber on Windows AD users and groups instead? That's what I'm doing. There is some information for the pure AD cases at: (1) the Windows Integration guide at: (2) there is a KB suggesting winbindd + sssd:
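
As an added illustration (not part of the reply above and not taken from the guides it mentions), this is a minimal `/etc/sssd/sssd.conf` for the approach the reply describes: authentication against AD, with uid/gid read from the `uidNumber`/`gidNumber` attributes set on the AD objects. The domain `example.com`, the realm and the home directory and shell values are placeholders, and the host is assumed to be already joined to the domain (for example with `realm join`).

```ini
# /etc/sssd/sssd.conf -- must be owned by root and mode 0600, or sssd refuses to start
[sssd]
config_file_version = 2
services = nss, pam
domains = example.com            ; placeholder domain name

[domain/example.com]
# Identity, authentication and access control all come from AD
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = example.com          ; placeholder
krb5_realm = EXAMPLE.COM         ; placeholder

# Use the POSIX attributes stored in AD (uidNumber/gidNumber) instead of
# deriving IDs algorithmically from the SID. With this set to False, users
# and groups that lack these attributes are not resolvable on the client.
ldap_id_mapping = False

# Applied only when the AD object has no unixHomeDirectory / loginShell
fallback_homedir = /home/%u
default_shell = /bin/bash

# Permit logins from the local cache when no domain controller is reachable
cache_credentials = True
```

Because every client reads the same attributes from AD, uid/gid values stay consistent across machines without a separate directory to distribute them. After switching `ldap_id_mapping` on a host that was already using SID-based mapping, clear the sssd cache so stale IDs are not served.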