Tags: dns, centos, resolv

Resolve AD Domain using /etc/resolv.conf in CentOS


I have configured SSSD using Realm to log in to the CentOS VM with AD credentials. Please refer to the setup here.

I had to modify the /etc/resolv.conf file to point the nameserver to the AD domain.

Original /etc/resolv.conf file:

# Generated by NetworkManager
search ap-south-1.compute.internal
nameserver 172.31.0.2

Updated /etc/resolv.conf file:

# Generated by NetworkManager
search test.com
nameserver 172.31.12.38

With the updated /etc/resolv.conf file, the user is able to log in using AD credentials, but the original domain is not resolved.

I want a way to resolve both domains, which point to different nameservers:

# Generated by NetworkManager
nameserver 172.31.0.2
nameserver 172.31.12.38
search ap-south-1.compute.internal test.com

I have tried multiple ways to resolve the domains, using the deprecated tags as well:

# Generated by NetworkManager
domain ap-south-1.compute.internal
nameserver 172.31.0.2

domain test.com
nameserver 172.31.12.38

I have even tried the rotate option:

# Generated by NetworkManager
options rotate
options timeout:1
nameserver 172.31.0.2
nameserver 172.31.12.38
search ap-south-1.compute.internal test.com

Is there a way to resolve multiple domains that point to different nameservers using /etc/resolv.conf?


Solution

  • To resolve the AD forest domain, we can configure the ad_server parameter in the sssd.conf file.

    ref link: man_page_sssd [refer to the ad_server section]

    /etc/sssd/sssd.conf file for reference:

    Original File:

    [sssd]
    domains = test.com
    config_file_version = 2
    services = nss, pam, sudo, ssh
    
    [nss]
    debug_level = 10
    
    [domain/test.com]
    ad_domain = test.com
    krb5_realm = TEST.COM
    realmd_tags = manages-system joined-with-adcli 
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = False
    fallback_homedir = /home/%u
    access_provider = simple
    ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
    ldap_user_ssh_public_key = altSecurityIdentities
    ldap_use_tokengroups = True
    

    Updated File:

    [sssd]
    domains = test.com
    config_file_version = 2
    services = nss, pam, sudo, ssh
    
    [nss]
    debug_level = 10
    
    [domain/test.com]
    ad_domain = test.com
    # Contact these DCs directly, in order of preference; no DNS SRV lookup needed
    ad_server = 172.31.12.38, 172.31.12.48
    krb5_realm = TEST.COM
    realmd_tags = manages-system joined-with-adcli 
    cache_credentials = True
    id_provider = ad
    krb5_store_password_if_offline = True
    default_shell = /bin/bash
    ldap_id_mapping = True
    use_fully_qualified_names = False
    fallback_homedir = /home/%u
    access_provider = simple
    ldap_user_extra_attrs = altSecurityIdentities:altSecurityIdentities
    ldap_user_ssh_public_key = altSecurityIdentities
    ldap_use_tokengroups = True
    

    This way, we can avoid making any entries in the /etc/resolv.conf file.
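Why none of the resolv.conf variants in the question can work, and what the ad_server change actually does, follows from two documented behaviours. resolv.conf(5) treats nameserver lines as an ordered failover list: glibc sends each query to the first server (with options rotate, to a round-robin choice of server) and only tries the next one when that server times out or returns SERVFAIL/REFUSED, so a negative answer (NXDOMAIN) for a zone the first server does not serve is final; a second domain or search line replaces the first rather than adding to it. ad_server sidesteps this for SSSD alone, by naming the DCs directly instead of looking up SRV records under the AD domain; anything else on the host that needs names in test.com still goes through resolv.conf. The script below is an added example, not code from the original post, that applies those rules to constructed copies of the post's configs. The ZONES map, which records that 172.31.0.2 answers only for ap-south-1.compute.internal and 172.31.12.38 only for test.com, is an assumption drawn from the post.

```python
"""Lint resolv.conf and sssd.conf for the split-nameserver problem above.
Added example, not code from the original post. It encodes the resolv.conf(5)
and glibc rules (nameserver lines are an ordered failover list, domain/search
are last-one-wins, rotate only round-robins) and the sssd-ad(5) ad_server
setting that bypasses DNS SRV discovery. ZONES and the sample configs are
constructed from the post; nothing here touches the network."""
import configparser
import ipaddress
from typing import Dict, List, Set, Tuple

Finding = Tuple[str, str]  # (severity, message)


def parse_resolv_conf(text: str) -> dict:
    """Apply resolv.conf(5) parsing rules and count domain/search lines seen."""
    ns, search, options, list_lines = [], [], [], 0
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(";", 1)[0].split(None, 1)
        if not parts:
            continue
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        if key == "nameserver":
            ns.append(value.strip())
        elif key in ("domain", "search"):
            list_lines += 1
            search = value.split()  # last instance wins; earlier lists are dropped
        elif key == "options":
            options.extend(value.split())
    return {"nameservers": ns, "search": search, "options": options,
            "list_lines": list_lines}


def lint_resolv_conf(text: str, zones: Dict[str, Set[str]]) -> List[Finding]:
    """zones: nameserver IP -> the zones that server can actually answer for."""
    conf = parse_resolv_conf(text)
    out: List[Finding] = []
    if conf["list_lines"] > 1:
        out.append(("WARN", "resolv.conf: %d domain/search lines; only the last one (%s) "
                    "is in effect" % (conf["list_lines"], " ".join(conf["search"]))))
    rotate = "rotate" in conf["options"]
    if rotate:
        out.append(("INFO", "resolv.conf: options rotate round-robins the first query "
                    "across nameservers; it does not choose a server per zone"))
    # glibc asks the first nameserver (any of them with rotate) and tries the next
    # only on timeout/SERVFAIL/REFUSED; an NXDOMAIN from that server is final.
    askable = conf["nameservers"] if rotate else conf["nameservers"][:1]
    for zone in conf["search"]:
        bad = [s for s in askable if zone not in zones.get(s, set())]
        if bad:
            how = "always" if len(bad) == len(askable) else "intermittently"
            out.append(("ERROR", "resolv.conf: %s lookups %s go to %s, which does not "
                        "serve that zone; its NXDOMAIN is final and the next nameserver "
                        "is never asked" % (zone, how, ", ".join(bad))))
    return out


def lint_sssd_conf(text: str) -> List[Finding]:
    """Flag AD domains that still depend on SRV discovery through resolv.conf."""
    cfg = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cfg.read_string(text)
    out: List[Finding] = []
    for sec in cfg.sections():
        if not sec.startswith("domain/") or cfg.get(sec, "id_provider", fallback="") != "ad":
            continue
        ad_domain = cfg.get(sec, "ad_domain", fallback=sec[len("domain/"):])
        servers = [s.strip() for s in cfg.get(sec, "ad_server", fallback="").split(",") if s.strip()]
        if not servers or servers == ["_srv_"]:  # _srv_ explicitly requests SRV discovery
            out.append(("WARN", "%s: no ad_server, so SSSD finds DCs via SRV records under %s; "
                        "resolv.conf must reach a nameserver that serves that zone" % (sec, ad_domain)))
            continue
        out.append(("OK", "%s: ad_server=%s; DC lookup bypasses DNS SRV discovery" % (sec, ",".join(servers))))
        for s in servers:
            try:
                ipaddress.ip_address(s)
            except ValueError:
                continue  # a hostname, which is what sssd-ad(5) documents
            out.append(("INFO", "%s: ad_server entry %s is an IP literal; sssd-ad(5) documents hostnames" % (sec, s)))
    return out


def lint(resolv_text: str, sssd_text: str, zones: Dict[str, Set[str]]) -> List[Finding]:
    return lint_resolv_conf(resolv_text, zones) + lint_sssd_conf(sssd_text)


# Assumed from the post: the VPC resolver serves the EC2 zone, the DC serves test.com.
ZONES = {"172.31.0.2": {"ap-south-1.compute.internal"}, "172.31.12.38": {"test.com"}}
RESOLV_ORIGINAL = "search ap-south-1.compute.internal\nnameserver 172.31.0.2\n"
RESOLV_TWO_DOMAIN = ("domain ap-south-1.compute.internal\nnameserver 172.31.0.2\n"
                     "domain test.com\nnameserver 172.31.12.38\n")
RESOLV_ROTATE = ("options rotate\noptions timeout:1\nnameserver 172.31.0.2\n"
                 "nameserver 172.31.12.38\nsearch ap-south-1.compute.internal test.com\n")
SSSD_BEFORE = ("[sssd]\ndomains = test.com\nconfig_file_version = 2\n\n[domain/test.com]\n"
               "ad_domain = test.com\nkrb5_realm = TEST.COM\nid_provider = ad\n")
SSSD_AFTER = SSSD_BEFORE + "ad_server = 172.31.12.38, 172.31.12.48\n"

if __name__ == "__main__":
    for label, resolv, sssd in [("rotate attempt", RESOLV_ROTATE, SSSD_BEFORE),
                                ("two domain lines", RESOLV_TWO_DOMAIN, SSSD_BEFORE),
                                ("original resolv.conf + ad_server", RESOLV_ORIGINAL, SSSD_AFTER)]:
        print("==", label)
        for sev, msg in lint(resolv, sssd, ZONES):
            print("  %-5s %s" % (sev, msg))
```

To run it against a live host, pass open('/etc/resolv.conf').read() and open('/etc/sssd/sssd.conf').read() (root is needed for the latter) and fill ZONES from what each nameserver actually answers for. The third case reproduces the answer above: original resolv.conf plus ad_server yields no ERROR or WARN, only a note that sssd-ad(5) documents hostnames for ad_server (the IP literals worked in the post's environment). If other services on the host also need names in test.com, that is a DNS-level problem that a second nameserver line cannot solve; it needs per-zone forwarding in a local resolver (for example dnsmasq's server=/test.com/172.31.12.38) or a forwarding rule on the VPC side.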