<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;" class="">So I have a two-way trust set up and it seems to work.<br class=""><br class="">And as described here: <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html" class="">https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/trust-ssh.html</a><br class=""><br class="">SSSD allows user names in the format user@AD.DOMAIN, ad.domain\user and AD\user<br class=""><br class="">That works just as described.<br class=""><br class="">I have two domains/realms - idm.placeiq.net and idm-ad.placeiq.net, the second being the Active Directory domain.<br class=""><br class="">My desire is to have AD be the source for all user/authentication - the AD users will use their creds to ssh in to all of the CentOS hosts in the idm.placeiq.net domain.<br class=""><br class="">The hosts that live in IDM are a combination of CentOS 6.8 and 7.X hosts.<br class=""><br class="">How can I make it so a user does not have to:<br class=""><br class="">ssh 'IDM-AD\Administrator'@hostname or ssh Administrator@idm-ad.placeiq.net@hostname<br class=""><br class="">Instead when I say Administrator@hostname it auto-magically knows I mean "ssh Administrator@idm-ad.placeiq.net@10.1.41.202"<br class=""><br class="">I’ve tried modifying krb5.conf as such but it seems like I’m missing a step.<br class=""><br class=""><div class="">[libdefaults] </div><div class=""> #default_realm = IDM.PLACEIQ.NET </div><div class=""> default_realm = IDM-AD.PLACEIQ.NET</div><div class=""><br class=""></div><div class=""><br class=""></div>I think my clients use the localauth plugin but I’m not entirely sure. 
If so, how can I configure its behavior?<br class=""><br class=""><div class="">Jim Richard<br class="">SYSTEM ADMINISTRATOR III<br class="">(646) 338-8905<br class=""></div><br class=""></body></html>