5.6. Restricting Identity Management or SSSD to Selected Active Directory Servers or Sites in a Trusted Active Directory Domain


As an administrator, you can disable autodiscovery of Active Directory servers and sites in the trusted Active Directory domain and instead list servers, sites, or both manually, so that you can limit the list of Active Directory servers that SSSD communicates with. For example, this enables you to avoid contacting sites that are not accessible.

5.6.1. Configuring SSSD to Contact a Specific Active Directory Server

This procedure describes manually setting Active Directory servers that SSSD connects to by editing the /etc/sssd/sssd.conf file.

Considerations

  • If your SSSD clients are directly joined to an Active Directory domain, perform this procedure on all the clients.
    In this setup, restricting the Active Directory domain controllers (DCs) or sites also configures the SSSD clients to connect to a particular server or site for authentication.
  • If your SSSD clients are in an Identity Management domain that is in a trust with Active Directory, perform this procedure only on the Identity Management server.
    In this setup, restricting the Active Directory DCs or sites does not configure the Identity Management clients to connect to a particular server or site for authentication. Although trusted Active Directory users and groups are resolved through Identity Management servers, authentication is performed directly against the Active Directory DCs. Starting with Red Hat Enterprise Linux 7.6 and sssd-1.16.2-5.el7, you can configure SSSD on IdM clients to use a specific AD server or site using the ad_server and ad_site options. In prior versions of Red Hat Enterprise Linux 7, restrict authentication by defining the required Active Directory DCs in the /etc/krb5.conf file on the clients.

Procedure

  1. Make sure the trusted domain has a separate [domain] section in sssd.conf. The headings of trusted domain sections follow this template:
    [domain/main_domain/trusted_domain]
    For example:
    [domain/idm.example.com/ad.example.com]
    
  2. Edit the sssd.conf file to list the host names of the Active Directory servers or sites to which you want SSSD to connect.
    Use the ad_server and, optionally, ad_backup_server options for Active Directory servers. Use the ad_site option for Active Directory sites. For more details on these options, see the sssd-ad(5) man page.
    For example:
    [domain/idm.example.com/ad.example.com]
    ad_server = dc1.ad.example.com
  3. Restart SSSD.
    # systemctl restart sssd.service
  4. To verify, on the SSSD client, resolve or authenticate as an Active Directory user from the configured server or site. For example:
    # id ad_user@ad.example.com
If you are unable to resolve the user or authenticate, use these steps to troubleshoot the problem:
  1. In the general [domain] section of sssd.conf, set the debug_level option to 9.
  2. Inspect the SSSD logs at /var/log/sssd/ to see which servers SSSD contacted.
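As an added check that is not part of the Red Hat procedure, the following Python script parses an sssd.conf, finds every trusted domain section of the form [domain/main_domain/trusted_domain], and reports whether each one is pinned to explicit ad_server/ad_backup_server hosts or an ad_site, or whether SSSD could still fall back to autodiscovery. The sample configuration, host names and site name are constructed placeholders; `_srv_` is the sssd-ad(5) keyword that means "locate servers through DNS SRV records".

```python
"""Audit which AD servers/sites each trusted domain in sssd.conf is pinned to."""
import configparser
import re

# Constructed sample sssd.conf; every host, domain and site name is a placeholder.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = idm.example.com
[domain/idm.example.com]
id_provider = ipa
[domain/idm.example.com/ad.example.com]
ad_server = dc1.ad.example.com, dc2.ad.example.com
ad_backup_server = _srv_
[domain/idm.example.com/corp.example.com]
ad_site = HQ-Site
"""

# Trusted domain headings follow [domain/main_domain/trusted_domain].
TRUSTED_SECTION_RE = re.compile(r"^domain/([^/]+)/([^/]+)$")
SRV_DISCOVERY = "_srv_"  # sssd-ad(5) keyword: locate servers via DNS SRV records


def split_list(value):
    """sssd list options are comma-separated."""
    return [v.strip() for v in value.split(",") if v.strip()]


def audit_ad_restrictions(text):
    """Map each trusted domain to its pinned servers/site and whether
    autodiscovery is still possible (no pin, or _srv_ in a server list)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    report = {}
    for section in cfg.sections():
        match = TRUSTED_SECTION_RE.match(section)
        if not match:  # [sssd], service and main-domain sections are skipped
            continue
        servers = split_list(cfg.get(section, "ad_server", fallback=""))
        backups = split_list(cfg.get(section, "ad_backup_server", fallback=""))
        site = cfg.get(section, "ad_site", fallback="").strip() or None
        uses_srv = SRV_DISCOVERY in servers or SRV_DISCOVERY in backups
        report[match.group(2)] = {
            "main_domain": match.group(1),
            "ad_server": servers,
            "ad_backup_server": backups,
            "ad_site": site,
            "autodiscovery": uses_srv or (not servers and not site),
        }
    return report
```

Run it against the real /etc/sssd/sssd.conf (read as root) after step 2 to confirm that every trusted domain you intended to restrict shows "autodiscovery": False before you restart SSSD.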

Additional Resources

  • For a list of options you can use in trusted domain sections of sssd.conf, see TRUSTED DOMAIN SECTION in the sssd.conf(5) man page.
© 2024 Red Hat, Inc.