Connect to Linux using trust AD user account

Hello,

Here is my problem:
I added a Rocky Linux 9 in an Active Directory domain (lolo.loc) using realmd and sssd. I can connect to it using ssh with an AD user. But I want to be able to connect to it with a user from a different AD (lulu.loc). There is an unidirectional trust established between the two domains that allows users from lulu.loc to access resources of lolo.loc.
But it does not work. When I run id user@lulu.loc on the Linux server, it returns id: ‘user@lulu.loc’: no such user. Here is the output from /var/log/secure when I try to log in with user@lulu.loc.

Dec 17 14:29:13 rocky sshd[2555]: Invalid user user@lulu.loc from 10.10.10.10 port 60111
Dec 17 14:29:35 rocky sshd[2555]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 14:29:35 rocky sshd[2555]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.10.10

I tried to establish the trust in the other direction; after that I can find the user with id user@lulu.loc, but I can’t connect to the Linux server with ssh.
I also tried a bidirectional trust and it works, but for security reasons I can’t do that. I need to be able to connect to the Linux server with user@lulu.loc using the original trust.

Here is the sssd config file on the Linux server:

[sssd]
domains = lolo.loc
config_file_version = 2
services = nss, pam

[domain/lolo.loc]
default_shell = /bin/bash
krb5_store_password_if_offline = False
cache_credentials = False
krb5_realm = LOLO.LOC
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = lolo.loc
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad

Does someone know a solution to my problem?
If you want further explanation, don’t hesitate to ask.

Thanks.
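As an added triage helper (not code from this thread or from sssd), the script below cross-checks the realms that appear in sshd "Invalid user name@realm" lines against the domains listed on the "domains =" line of sssd.conf, so you can see at a glance that logins are arriving from a realm sssd is not configured to serve. The config and log samples are constructed inline, modelled on the ones posted above.

```shell
#!/bin/sh
# Constructed sample of the posted sssd.conf (only the lines the check needs).
SSSD_CONF_SAMPLE='[sssd]
domains = lolo.loc
config_file_version = 2
services = nss, pam

[domain/lolo.loc]
id_provider = ad
ad_domain = lolo.loc
use_fully_qualified_names = True'

# Constructed /var/log/secure excerpt: two lines from the post plus two extra attempts.
SECURE_LOG_SAMPLE='Dec 17 14:29:13 rocky sshd[2555]: Invalid user user@lulu.loc from 10.10.10.10 port 60111
Dec 17 14:29:35 rocky sshd[2555]: pam_unix(sshd:auth): check pass; user unknown
Dec 17 14:30:02 rocky sshd[2601]: Invalid user bob@lulu.loc from 10.10.10.11 port 60112
Dec 17 14:31:10 rocky sshd[2650]: Invalid user alice@lolo.loc from 10.10.10.12 port 60113'

# Print the domains sssd serves (the "domains =" line), one per line.
sssd_served_domains() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*domains[[:space:]]*=[[:space:]]*//p' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' | grep -v '^$'
}

# For every realm seen in "Invalid user name@realm" lines, print
# "realm <attempts> served|unserved". Returns 1 if any realm is unserved.
audit_realms() {
    conf="$1"; log="$2"; rc=0
    served=$(sssd_served_domains "$conf")
    realms=$(printf '%s\n' "$log" \
        | sed -n 's/.*sshd\[[0-9]*\]: Invalid user [^ ]*@\([^ ]*\) from .*/\1/p' | sort -u)
    for realm in $realms; do
        # Fixed-string match on "@realm from" so dots in the realm are not regex wildcards.
        count=$(printf '%s\n' "$log" | grep -cF "@$realm from")
        if printf '%s\n' "$served" | grep -qx "$realm"; then
            printf '%s %s served\n' "$realm" "$count"
        else
            printf '%s %s unserved\n' "$realm" "$count"
            rc=1
        fi
    done
    return $rc
}

# Usage on the embedded samples; replace with $(cat /etc/sssd/sssd.conf) and $(cat /var/log/secure).
audit_realms "$SSSD_CONF_SAMPLE" "$SECURE_LOG_SAMPLE" \
    || echo "at least one realm in the log is not served by this sssd.conf"
```

On the sample data it reports lolo.loc as served and lulu.loc as unserved, which matches the "no such user" result from id: the name is never resolved, so sshd rejects it before any password is checked.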

Came across your question/post while researching something else.

Try this approach.

Locate this line in /etc/sssd/sssd.conf

[domain/lolo.loc]

Now add this new line after the above-mentioned line, the result should look like so

[domain/lolo.loc]
ldap_user_principal = Non_Existing_Attribute

Now flush out sssd cache and restart sssd

sss_cache -E && rm -rf /var/lib/sss/db/* && systemctl restart sssd

Now attempt logging in using user@lulu.loc

Hello R0drig0,

I tried it, but unfortunately it does not work.
Maybe sssd is not fully compatible with AD trusts; I read this in the Red Hat documentation:
SSSD only supports domains in a single AD forest. If SSSD requires access to multiple domains from multiple forests, consider using IPA with trusts (preferred) or the winbindd service instead of SSSD. (Chapter 1. Connecting RHEL systems directly to AD using SSSD | Red Hat Product Documentation)