Forum Discussion

cjunior_138458
May 23, 2016

AAA - Active Directory with user that resides in another domain in trust

Hi,

We have a few domains and we expect to use a single AD account to query the servers. So we are trying to configure an AAA server of type AD with a user that resides in a specific domain.

I know it is possible with the LDAP setting, but we need some of the advantages of the AD setting, especially for password changes.

Example:

AD
Domain name: domain1.net
Domain controller: adsrv1.domain1.net
Admin name: user_bigip

AD
Domain name: domain2.net
Domain controller: adsrv2.domain2.net
Admin name: user_bigip@domain1.net

AD
Domain name: domain3.net
Domain controller: adsrv3.domain3.net
Admin name: user_bigip@domain1.net

The result is that the BIG-IP tries to bind for the query as user_bigip@domain1.net@domain2.net.

With the user name in the old format (Domain\Username), the BIG-IP ignores the backslash, e.g. domain1.netuser_bigip@domain2.net.

Is it possible to do this? Could you give me some direction?

Thanks in advance.
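As an added illustration of the two failure strings in the question (this is my own Python, not F5 code, and `naive_principal` is only a model of the behaviour the post reports, not the BIG-IP implementation), here is how an AAA "admin name" and the AAA object's "domain" should be combined into one Kerberos principal. A bare name takes the AAA domain as its realm; a UPN (`user@realm`) or legacy `REALM\user` name keeps the user's own realm, which is what a cross-domain trust needs; anything that already carries two `@` is rejected rather than sent to a KDC. The host and domain names are the ones from the question; the function names are this example's own.

```python
import re

# Example code added to this thread; not part of BIG-IP APM.
# Models the two observed strings from the question:
#   user_bigip@domain1.net + domain2.net -> user_bigip@domain1.net@domain2.net
#   domain1.net\user_bigip + domain2.net -> domain1.netuser_bigip@domain2.net


def naive_principal(admin_name: str, domain: str) -> str:
    """Reproduces the behaviour the post reports (assumption, not F5 source):
    the admin name is treated as a bare sAMAccountName, the backslash of a
    REALM\\user name is dropped, and the AAA domain is appended unconditionally."""
    return admin_name.replace("\\", "") + "@" + domain


_UPN = re.compile(r"^(?P<user>[^@\\]+)@(?P<realm>[^@\\]+)$")      # user@realm
_NT = re.compile(r"^(?P<realm>[^@\\]+)\\(?P<user>[^@\\]+)$")      # REALM\user


def principal_for_bind(admin_name: str, domain: str) -> str:
    """Builds user@REALM for the account used to query `domain`.

    - bare name        -> name@DOMAIN (the AAA object's own domain)
    - user@realm (UPN) -> user@REALM, the account's own realm is kept
    - REALM\\user       -> user@REALM
    Any other shape (for example a name that already has two '@') is refused.
    Kerberos realms are case-sensitive and conventionally upper-case."""
    m = _UPN.match(admin_name) or _NT.match(admin_name)
    if m:
        return f"{m['user']}@{m['realm'].upper()}"
    if "@" in admin_name or "\\" in admin_name:
        raise ValueError(f"malformed admin name: {admin_name!r}")
    return f"{admin_name}@{domain.upper()}"


def bind_plan(admin_name: str, aaa_domain: str) -> dict:
    """Which realm must issue the TGT for this AAA object, and whether that is a
    cross-realm case (account realm != queried domain), i.e. a trust is required."""
    principal = principal_for_bind(admin_name, aaa_domain)
    realm = principal.split("@", 1)[1]
    return {
        "principal": principal,
        "tgt_realm": realm,                 # the KDC to authenticate against
        "target_domain": aaa_domain.upper(),
        "cross_realm": realm != aaa_domain.upper(),
    }


if __name__ == "__main__":
    for name, dom in [("user_bigip", "domain1.net"),
                      ("user_bigip@domain1.net", "domain2.net"),
                      ("domain1.net\\user_bigip", "domain3.net")]:
        print(f"{name!r:30} {dom:12} naive={naive_principal(name, dom):40} plan={bind_plan(name, dom)}")
```

The check a practitioner wants from this is the last field: for the domain2.net and domain3.net objects `cross_realm` is true, so the account's home KDC (DOMAIN1.NET) must issue the ticket and the trust between the domains has to allow that account to be used against the other domain controllers.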

 

2 Replies

  • Hi Arnaud,

    The split domain apparently works only to separate variables in the user login and not when querying AD.

    I tried to reproduce it in the lab and, strangely, it doesn't have the same behavior as in production.

    Now, I can only see the domain names being concatenated here in this log:

    May 24 19:20:18 bigipdelta debug apmd[11716]: 01490111:7: /Common/portal_apm:Common:6a7e774c: AD module: verifyKrb5Cache(): credential cache does not match with administrator@f5lab.com@F5LAB.NET

    In the next one I can't see the names concatenated, so I think that issue is just in my AD lab.

    May 24 19:20:19 bigipdelta err apmd[11716]: 01490107:3: /Common/portal_apm:Common:6a7e774c: AD module: query with '(&(objectClass=user)(sAMAccountName=Bob))' failed: Realm not local to KDC for principal name: administrator@f5lab.com. Realm not found. Please verify domain name configured. (-1765328316)

    So, I'll try again in the production environment to find a way to know what happens.

    Thank you so much
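As an added example for reading apmd lines like the two above (my own Python, not an F5 tool), the block below parses the AD-module log format, pulls out every Kerberos principal, flags any principal that carries more than one realm (the concatenation the reply points at), and decodes the trailing numeric code: MIT krb5 error codes are offsets from the table base -1765328384, so -1765328316 is offset 68, KDC_ERR_WRONG_REALM ("Realm not local to KDC"), which is exactly what the second line says in words. The two sample lines are the ones from the reply in cleaned form; the regex for the line layout is an assumption fitted to them, and the name table only lists a few KDC codes.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Example code added to this thread; not part of BIG-IP APM.

KRB5_ERROR_BASE = -1765328384  # MIT krb5 com_err table base (ERROR_TABLE_BASE_krb5)
# Protocol error offsets per RFC 4120 section 7.5.9; only a few listed here.
KRB5_KDC_NAMES = {
    6: "KDC_ERR_C_PRINCIPAL_UNKNOWN",
    7: "KDC_ERR_S_PRINCIPAL_UNKNOWN",
    24: "KDC_ERR_PREAUTH_FAILED",
    25: "KDC_ERR_PREAUTH_REQUIRED",
    68: "KDC_ERR_WRONG_REALM",
}


def krb5_error_name(code: int) -> str:
    """Map a negative krb5 com_err code to its RFC 4120 name where known."""
    offset = code - KRB5_ERROR_BASE
    if 0 <= offset <= 127:
        return KRB5_KDC_NAMES.get(offset, f"KRB5 protocol error {offset}")
    return f"krb5 library code {code}"  # library-level errors use larger offsets


# Layout assumed from the two lines in the reply: syslog header, apmd[pid],
# msgid:severity, /partition/policy:Common:session, then the AD module text.
_APMD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<level>\w+) "
    r"apmd\[(?P<pid>\d+)\]: (?P<msgid>\d{8}):(?P<sev>\d): "
    r"(?P<policy>/\S+?):Common:(?P<session>[0-9a-f]+): AD module: (?P<text>.*)$"
)
_PRINCIPAL = re.compile(r"[A-Za-z0-9_.-]+(?:@[A-Za-z0-9.-]+)+")
_CODE = re.compile(r"\((-?\d+)\)\s*$")


@dataclass
class Finding:
    session: str
    msgid: str
    principals: List[str]
    doubled_realm: List[str]      # principals with more than one '@'
    krb5_code: Optional[int]
    krb5_name: Optional[str]


def parse_apmd_line(line: str) -> Optional[Finding]:
    m = _APMD.match(line)
    if not m:
        return None
    text = m["text"]
    principals = [p.rstrip(".") for p in _PRINCIPAL.findall(text)]
    c = _CODE.search(text)
    code = int(c.group(1)) if c else None
    return Finding(
        session=m["session"],
        msgid=m["msgid"],
        principals=principals,
        doubled_realm=[p for p in principals if p.count("@") > 1],
        krb5_code=code,
        krb5_name=krb5_error_name(code) if code is not None else None,
    )


def triage(lines: List[str]) -> List[Finding]:
    """Keep only lines the AD-module parser understands."""
    return [f for f in map(parse_apmd_line, lines) if f is not None]


# The two log lines from the reply above, in cleaned form.
SAMPLE_LINES = [
    "May 24 19:20:18 bigipdelta debug apmd[11716]: 01490111:7: /Common/portal_apm:Common:6a7e774c: "
    "AD module: verifyKrb5Cache(): credential cache does not match with administrator@f5lab.com@F5LAB.NET",
    "May 24 19:20:19 bigipdelta err apmd[11716]: 01490107:3: /Common/portal_apm:Common:6a7e774c: "
    "AD module: query with '(&(objectClass=user)(sAMAccountName=Bob))' failed: Realm not local to KDC "
    "for principal name: administrator@f5lab.com. Realm not found. Please verify domain name configured. (-1765328316)",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LINES):
        print(f)
```

Running it on the two lines shows the first carrying administrator@f5lab.com@F5LAB.NET as a doubled-realm principal and the second decoding to KDC_ERR_WRONG_REALM for administrator@f5lab.com, which is the combination to look for when the AAA domain and the admin account's realm differ.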