I was able to successfully follow this document to get sssd to work with my Active Directory domain, but I was sad to learn that sssd does not support authenticating with external trusts.
I read that you can actually join multiple domains with the assistance of krb5 and samba (?) so I tried to do so by copying my existing /etc/samba/smb.conf and edited it to reflect the additional domain, so that it starts like this:
[global]
workgroup = ANOTHER
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = ANOTHER.EXAMPLE.COM
security = ads
I then edited /etc/krb5.conf to add my new domain ANOTHER.EXAMPLE.COM under [realms] section like so:
[libdefaults]
default_realm = HI.EXAMPLE.COM
kdc_timesync = 1
ccache_type = 4
forwardable = true
proxiable = true
rdns=false
fcc-mit-ticketflags = true
[realms]
ANOTHER.EXAMPLE.COM = {
kdc = another.example.com
admin_server = another.example.com
master_kdc = another.example.com
default_domain = another.example.com
}
Finally I did kinit -V my.user@ANOTHER.EXAMPLE.COM and it asked for password and successfully authenticated. I then did net ads join -U my.user /etc/samba/smb_another.conf, again entered my password, and got the following:
Using short domain name -- ANOTHER
Joined 'SERVER9' to dns domain 'another.example.com'
No DNS domain configured for server9. Unable to perform DNS Update.
DNS update failed: NT_STATUS_INVALID_PARAMETER
Ok, not great, but I've seen this kind of error before and it still worked. So then I try getent passwd my.user@ANOTHER.EXAMPLE.COM.
It hangs for like 20 seconds and comes back empty-handed.
Any suggestions or tips, or advice on whether this is even possible?
