5.5. Restricting Identity Management or SSSD to Selected Active Directory Servers or Sites in a Trusted Active Directory Domain
5.5.1. Configuring SSSD to Contact a Specific Active Directory Server
- If your SSSD clients are directly joined to an Active Directory domain, perform this procedure on all the clients. In this setup, restricting the Active Directory domain controllers (DCs) or sites also configures the SSSD clients to connect to a particular server or site for authentication.
- If your SSSD clients are in an Identity Management domain that is in a trust with Active Directory, perform this procedure only on the Identity Management server. In this setup, restricting the Active Directory DCs or sites does not configure the Identity Management clients to connect to a particular server or site for authentication. Although trusted Active Directory users and groups are resolved through Identity Management servers, authentication is performed directly against the Active Directory DCs. As of Red Hat Enterprise Linux 7.4, you can restrict authentication by defining the required Active Directory DCs in the /etc/krb5.conf file on the clients.
- Make sure the trusted domain has a separate section in sssd.conf. The headings of trusted domain sections follow this template:
- Edit the sssd.conf file to list the host names of the Active Directory servers or sites to which you want SSSD to connect. Use the ad_server or ad_server_backup options for Active Directory servers. Use the ad_site option for Active Directory sites. For more details on these options, see the sssd-ad(5) man page. For example:

  ```ini
  ad_server = dc1.ad.example.com
  ```

- Restart SSSD.

  ```shell
  systemctl restart sssd.service
  ```
- To verify, on the SSSD client, resolve or authenticate as an Active Directory user from the configured server or site. For example:
- In the general sssd.conf, set the
- Inspect the SSSD logs at /var/log/sssd/ to see which servers SSSD contacted.
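The configuration and verification steps above can be checked mechanically: read the ad_server and ad_server_backup values out of the trusted domain section, pull the servers SSSD reports as working out of the backend log, and flag any contacted server that the section does not list. The following script is an added example, not code from the Red Hat documentation or from the SSSD project. It assumes a trusted domain section named [domain/idm.example.com/ad.example.com] (the [domain/parent_domain/trusted_domain] section template is taken from the sssd.conf(5) man page), assumes the log message wording "Marking port N of server 'X' as 'working'" used by the SSSD failover code, and works only on constructed sample files that it writes itself.

```shell
#!/bin/sh
# Added example; not Red Hat documentation code and not part of SSSD.
# Assumes a trusted domain section [domain/idm.example.com/ad.example.com]
# (section template [domain/parent_domain/trusted_domain] per sssd.conf(5))
# and the "Marking port N of server 'X' as 'working'" log wording.

# Print the ad_server, ad_server_backup and ad_site values found in one
# sssd.conf section, one "key=value" per line.
section_ad_options() {
    conf="$1"; section="$2"
    awk -v want="[$section]" '
        /^[[:space:]]*\[/ {
            line = $0; gsub(/[[:space:]]/, "", line)
            in_sec = (line == want); next
        }
        in_sec && /^[[:space:]]*(ad_server|ad_server_backup|ad_site)[[:space:]]*=/ {
            idx = index($0, "=")
            key = substr($0, 1, idx - 1); val = substr($0, idx + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            print key "=" val
        }' "$conf"
}

# Extract, from an SSSD backend log, the names of the servers SSSD marked as
# working, de-duplicated and sorted.
contacted_servers() {
    sed -n "s/.*of server '\([^']*\)' as 'working'.*/\1/p" "$1" | sort -u
}

# Compare the contacted servers with the ad_server/ad_server_backup lists of
# SECTION. Prints each server outside the lists; returns 0 if none, 1 if any,
# and 2 if the section has no ad_server list (for example when it restricts
# by ad_site only, which cannot be checked by host name).
check_contacted_servers() {
    conf="$1"; section="$2"; log="$3"
    allowed=$(section_ad_options "$conf" "$section" \
        | sed -n 's/^ad_server\(_backup\)\{0,1\}=//p' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' | grep -v '^$')
    if [ -z "$allowed" ]; then
        echo "no ad_server or ad_server_backup in [$section]" >&2
        return 2
    fi
    rc=0
    for srv in $(contacted_servers "$log"); do
        if ! printf '%s\n' "$allowed" | grep -qxF "$srv"; then
            echo "unexpected server contacted: $srv"
            rc=1
        fi
    done
    return $rc
}

# Write a constructed sssd.conf and a constructed backend log into DIR.
# The content is sample data, not captured from a real system.
write_samples() {
    dir="$1"
    cat > "$dir/sssd.conf" <<'EOF'
[sssd]
domains = idm.example.com
services = nss, pam

[domain/idm.example.com]
id_provider = ipa
ipa_server = server.idm.example.com

[domain/idm.example.com/ad.example.com]
ad_server = dc1.ad.example.com, dc2.ad.example.com
ad_server_backup = dc3.ad.example.com
EOF
    cat > "$dir/sssd_idm.example.com.log" <<'EOF'
(Mon Jan  1 09:00:00 2024) [sssd[be[idm.example.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc1.ad.example.com' as 'working'
(Mon Jan  1 09:00:01 2024) [sssd[be[idm.example.com]]] [fo_set_port_status] (0x0100): Marking port 389 of server 'dc9.ad.example.com' as 'working'
EOF
}

# Usage on a real host (not run here):
#   check_contacted_servers /etc/sssd/sssd.conf \
#       domain/idm.example.com/ad.example.com /var/log/sssd/sssd_idm.example.com.log
```

With the constructed samples, dc1 is accepted and dc9 is reported, which is the signal to look at whether the restriction was placed in the wrong section or SSSD was not restarted. A section that restricts by ad_site only is reported as not checkable, because site membership is not visible from host names alone.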
- For a list of options you can use in trusted domain sections of sssd.conf, see the Trusted domain section in the sssd.conf(5) man page.