5.6. Restricting Identity Management or SSSD to Selected Active Directory Servers or Sites in a Trusted Active Directory Domain
As an administrator, you can disable autodiscovery of Active Directory servers and sites in the trusted Active Directory domain and instead list servers, sites, or both manually, so that you can limit the list of Active Directory servers that SSSD communicates with. For example, this enables you to avoid contacting sites that are not accessible.
5.6.1. Configuring SSSD to Contact a Specific Active Directory Server
This procedure describes manually setting the Active Directory servers that SSSD connects to by editing the /etc/sssd/sssd.conf file.
Considerations
- If your SSSD clients are directly joined to an Active Directory domain, perform this procedure on all the clients. In this setup, restricting the Active Directory domain controllers (DCs) or sites also configures the SSSD clients to connect to a particular server or site for authentication.
- If your SSSD clients are in an Identity Management domain that is in a trust with Active Directory, perform this procedure only on the Identity Management server. In this setup, restricting the Active Directory DCs or sites does not configure the Identity Management clients to connect to a particular server or site for authentication. Although trusted Active Directory users and groups are resolved through Identity Management servers, authentication is performed directly against the Active Directory DCs. Starting with Red Hat Enterprise Linux 7.6 and sssd-1.16.2-5.el7, you can configure SSSD on IdM clients to use a specific AD server or site using the ad_server and ad_site options. In prior versions of Red Hat Enterprise Linux 7, restrict authentication by defining the required Active Directory DCs in the /etc/krb5.conf file on the clients.
Procedure
- Make sure the trusted domain has a separate [domain] section in sssd.conf. The headings of trusted domain sections follow this template:
  [domain/main_domain/trusted_domain]
  For example:
  [domain/idm.example.com/ad.example.com]
- Edit the sssd.conf file to list the host names of the Active Directory servers or sites to which you want SSSD to connect. Use the ad_server and, optionally, ad_backup_server options for Active Directory servers. Use the ad_site option for Active Directory sites. For more details on these options, see the sssd-ad(5) man page. For example:
  [domain/idm.example.com/ad.example.com]
  ad_server = dc1.ad.example.com
- Restart SSSD:
  # systemctl restart sssd.service
- To verify, on the SSSD client, resolve or authenticate as an Active Directory user from the configured server or site. For example:
  # id ad_user@ad.example.com
  If you are unable to resolve the user or authenticate, use these steps to troubleshoot the problem:
  - In the general [domain] section of sssd.conf, set the debug_level option to 9.
  - Inspect the SSSD logs at /var/log/sssd/ to see which servers SSSD contacted.
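The following script is an added example and is not part of the Red Hat documentation or of SSSD itself. It applies the two checks the procedure relies on: that every trusted domain section ([domain/main_domain/trusted_domain]) actually pins ad_server or ad_site rather than leaving DC autodiscovery in effect, and that the servers recorded in the SSSD log are among the ones the configuration allows. The sssd.conf content and the log excerpt are constructed sample data; the "Found server '<host>:<port>'" wording used to scan the log, and the rule that only hosts under the trusted domain's DNS suffix count as AD DCs, are assumptions about the debug_level 9 log format, not guarantees from the product.

```python
import configparser
import re

# Constructed sample sssd.conf for an IdM server that trusts ad.example.com
# (sample data, not copied from any real host).
SAMPLE_SSSD_CONF = """
[sssd]
domains = idm.example.com
services = nss, pam

[domain/idm.example.com]
id_provider = ipa
ipa_server = idm1.idm.example.com
debug_level = 9

[domain/idm.example.com/ad.example.com]
ad_server = dc1.ad.example.com
ad_backup_server = dc2.ad.example.com
"""

# Constructed log excerpt in the style of /var/log/sssd/sssd_<domain>.log at
# debug_level 9. The 'Found server' wording is an assumption about the format.
SAMPLE_SSSD_LOG = """\
(Mon Jan  1 10:00:00 2024) [sssd[be[idm.example.com]]] [be_resolve_server_process] (0x1000): Found server 'idm1.idm.example.com:389'
(Mon Jan  1 10:00:01 2024) [sssd[be[idm.example.com]]] [be_resolve_server_process] (0x1000): Found server 'dc1.ad.example.com:389'
(Mon Jan  1 10:00:02 2024) [sssd[be[idm.example.com]]] [be_resolve_server_process] (0x1000): Found server 'dc3.ad.example.com:389'
"""

PIN_OPTIONS = ("ad_server", "ad_backup_server", "ad_site")
SERVER_RE = re.compile(r"Found server '(?P<host>[^':]+)(?::\d+)?'")


def trusted_domain_sections(conf_text):
    """Return {section: {option: value}} for [domain/main_domain/trusted_domain] sections."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    sections = {}
    for name in parser.sections():
        parts = name.split("/")
        if len(parts) == 3 and parts[0] == "domain":
            sections[name] = dict(parser.items(name))
    return sections


def audit_trusted_domains(conf_text):
    """Report, per trusted domain, which pinning options are set and whether
    AD DC autodiscovery (the default when ad_server/ad_site are absent) still applies."""
    report = {}
    for name, opts in trusted_domain_sections(conf_text).items():
        # Options accept comma-separated lists; split them into hostnames.
        pinned = {k: [v.strip() for v in opts[k].split(",") if v.strip()]
                  for k in PIN_OPTIONS if k in opts}
        report[name] = {
            "pinned": pinned,
            "autodiscovery": not ("ad_server" in pinned or "ad_site" in pinned),
        }
    return report


def servers_contacted(log_text, dns_suffix):
    """Hostnames under dns_suffix that the log shows SSSD resolving as servers."""
    hosts = {m.group("host") for m in SERVER_RE.finditer(log_text)}
    return sorted(h for h in hosts if h.endswith("." + dns_suffix))


def unexpected_servers(conf_text, log_text, section):
    """AD DCs contacted according to the log but not listed in ad_server or
    ad_backup_server of the given trusted domain section."""
    trusted_domain = section.split("/")[2]  # [domain/main/trusted] -> trusted
    pinned = audit_trusted_domains(conf_text).get(section, {}).get("pinned", {})
    allowed = set(pinned.get("ad_server", [])) | set(pinned.get("ad_backup_server", []))
    return [h for h in servers_contacted(log_text, trusted_domain) if h not in allowed]


if __name__ == "__main__":
    section = "domain/idm.example.com/ad.example.com"
    print(audit_trusted_domains(SAMPLE_SSSD_CONF))
    print("unexpected:", unexpected_servers(SAMPLE_SSSD_CONF, SAMPLE_SSSD_LOG, section))
```

On a real Identity Management server you would read /etc/sssd/sssd.conf and the sssd_<domain>.log file into the two text arguments; a non-empty result from unexpected_servers means SSSD reached a DC outside the restricted set, which is exactly the condition the troubleshooting steps above are meant to surface.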
Additional Resources
- For a list of options you can use in trusted domain sections of sssd.conf, see TRUSTED DOMAIN SECTION in the sssd.conf(5) man page.