5.5. Restricting Identity Management or SSSD to Selected Active Directory Servers or Sites in a Trusted Active Directory Domain

As an administrator, you can disable autodiscovery of Active Directory servers and sites in the trusted Active Directory domain and instead list servers, sites, or both manually, so that you can limit the list of Active Directory servers that SSSD communicates with. For example, this enables you to avoid contacting sites that are not accessible.

5.5.1. Configuring SSSD to Contact a Specific Active Directory Server

This procedure describes manually setting Active Directory servers that SSSD connects to by editing the /etc/sssd/sssd.conf file.

Considerations

  • If your SSSD clients are directly joined to an Active Directory domain, perform this procedure on all the clients.
    In this setup, restricting the Active Directory domain controllers (DCs) or sites also configures the SSSD clients to connect to a particular server or site for authentication.
  • If your SSSD clients are in an Identity Management domain that is in a trust with Active Directory, perform this procedure only on the Identity Management server.
    In this setup, restricting the Active Directory DCs or sites does not configure the Identity Management clients to connect to a particular server or site for authentication. Although trusted Active Directory users and groups are resolved through Identity Management servers, authentication is performed directly against the Active Directory DCs. As of Red Hat Enterprise Linux 7.4, you can restrict authentication by defining the required Active Directory DCs in the /etc/krb5.conf file on the clients.

Procedure

  1. Make sure the trusted domain has a separate [domain] section in sssd.conf. The headings of trusted domain sections follow this template:
    [domain/main_domain/trusted_domain]
    For example:
    [domain/idm.example.com/ad.example.com]
    
  2. Edit the sssd.conf file to list the host names of the Active Directory servers or sites to which you want SSSD to connect.
    Use the ad_server and, optionally, ad_server_backup options for Active Directory servers. Use the ad_site option for Active Directory sites. For more details on these options, see the sssd-ad(5) man page.
    For example:
    [domain/idm.example.com/ad.example.com]
    ad_server = dc1.ad.example.com
  3. Restart SSSD.
    # systemctl restart sssd.service
  4. To verify, on the SSSD client, resolve or authenticate as an Active Directory user from the configured server or site. For example:
    # id ad_user@ad.example.com
If you are unable to resolve the user or authenticate, use these steps to troubleshoot the problem:
  1. In the general [domain] section of sssd.conf, set the debug_level option to 10.
  2. Inspect the SSSD logs at /var/log/sssd/ to see which servers SSSD contacted.
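The following audit checks the trusted-domain sections of an sssd.conf before SSSD is restarted: it reports which DCs or site each `[domain/main_domain/trusted_domain]` section is pinned to and flags sections that still leave autodiscovery unrestricted. This is an added example, not code from the Red Hat documentation or from SSSD itself; it assumes an INI-style sssd.conf as described in sssd.conf(5), and the domains and host names in the sample are constructed.

```python
import configparser
import re

# Trusted-domain section headings follow [domain/<main_domain>/<trusted_domain>].
TRUSTED_SECTION = re.compile(r"^domain/[^/]+/(?P<trusted>[^/]+)$")

def _split_list(value):
    # sssd.conf lists are comma-separated; a missing option yields [].
    return [v.strip() for v in (value or "").split(",") if v.strip()]

def audit_trusted_domains(conf_text):
    """Per trusted AD domain: its ad_server/ad_server_backup/ad_site values and
    whether the section actually restricts SSSD to chosen DCs or a site."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    report = {}
    for section in cp.sections():
        match = TRUSTED_SECTION.match(section)
        if not match:
            continue  # [sssd], [nss] and the main [domain/...] section are skipped
        opts = cp[section]
        servers = _split_list(opts.get("ad_server"))
        site = opts.get("ad_site")
        # "_srv_" is the sssd-ad(5) keyword that re-enables DNS SRV discovery,
        # so it does not count as an explicitly chosen DC.
        explicit = [s for s in servers if s.lower() != "_srv_"]
        report[match.group("trusted")] = {
            "servers": servers,
            "backup": _split_list(opts.get("ad_server_backup")),
            "site": site,
            "restricted": bool(explicit) or site is not None,
        }
    return report

def unrestricted_trusted_domains(conf_text):
    """Trusted domains whose section still leaves DC autodiscovery unrestricted."""
    return sorted(d for d, i in audit_trusted_domains(conf_text).items() if not i["restricted"])

# Constructed sample sssd.conf (hypothetical hosts, not taken from a real system).
SAMPLE_CONF = """\
[domain/idm.example.com]
id_provider = ipa
[domain/idm.example.com/ad.example.com]
ad_server = dc1.ad.example.com, dc2.ad.example.com
ad_server_backup = dc3.ad.example.com
[domain/idm.example.com/corp.example.org]
ad_site = Boston
[domain/idm.example.com/lab.example.net]
ad_server = _srv_
"""
```

Run it against /etc/sssd/sssd.conf on the Identity Management server (or each directly joined client) and treat any domain returned by unrestricted_trusted_domains as one where step 2 has not taken effect.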

Additional Resources

  • For a list of options you can use in trusted domain sections of sssd.conf, see Trusted domain section in the sssd.conf(5) man page.