On Tue, Jan 08, 2019 at 12:38:09PM +0000, Sean Roberts wrote:
> Thanks.
> Below is sssd.conf for the POSIX users.
> Would making another domain group named [domain/INT.DOMAIN.COM] conflict?
> Can we name it to identify what is different between them?
> ```
> [sssd]
> debug_level = 3
> domains = int.domain.com
> config_file_version = 2
> reconnection_retries = 3
> services = nss, pam
>
> [nss]
> reconnection_retries = 3
> debug_level = 3
> filter_groups = root
> filter_users = root
>
> [pam]
> debug_level = 3
> reconnection_retries = 3
>
> [domain/int.domain.com]
> debug_level = 3
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> access_provider = simple
> simple_allow_groups = unix-admin, unix-backup, unix-sudo
> ldap_group_nesting_level = 0
> cache_credentials = true
> min_id = 10000
> max_id = 20000
> enumerate = false
> ldap_referrals = false
> ldap_uri = ldaps://ldapad.int.domain.com/
> ldap_id_mapping = False
> ldap_schema = rfc2307
> ldap_group_member = memberuid
> ldap_search_base = dc=int,dc=domain,dc=com
> ldap_user_object_class = user
> ldap_group_object_class = group
> ldap_user_home_directory = unixHomeDirectory
> ldap_tls_reqcert = hard
> ldap_default_bind_dn = ...
> ```
Thanks. So you are completely using the rfc2307 schema features of AD,
including the group memberships.

In this case you can add a second domain, ideally with id_provider=ad, to
get the AD view of the users. The AD provider expects that the default
keytab /etc/krb5.keytab contains Kerberos credentials for the host to
access the LDAP service of the AD DCs. So it would be best to join the
domain, e.g. with 'adcli'.

I really would recommend using a completely different domain name, e.g.
the NetBIOS domain name of the AD domain. Although the domain names from
sssd.conf are treated case-sensitively, the default behavior of the AD
provider is to treat all names case-insensitively, to be in agreement with
the behavior of AD.

HTH

bye,
Sumit
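As an added illustration of the two-domain layout suggested above (this is not a configuration from the thread or from the SSSD project), here is a complete sssd.conf that keeps the posted rfc2307 domain unchanged and adds a second section for the ordinary AD accounts. The NetBIOS name "INT", the `linux-users` group in the access filter, and the user search filter that hides the POSIX accounts from the AD view are assumptions for the example; `ldapad.int.domain.com`, the search base and the 10000-20000 range are taken from the posted file.

```ini
[sssd]
config_file_version = 2
services = nss, pam
# Lookup order for unqualified names: the rfc2307 POSIX view first, then
# the AD view. Domain names in this file are case-sensitive.
domains = int.domain.com, INT

[nss]
filter_groups = root
filter_users = root

[pam]

# Domain 1: the existing POSIX view. uidNumber/gidNumber come from the
# rfc2307 attributes stored in AD, so file ownership on the hosts is
# unchanged and no chown is needed.
[domain/int.domain.com]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = simple
simple_allow_groups = unix-admin, unix-backup, unix-sudo
ldap_uri = ldaps://ldapad.int.domain.com/
ldap_tls_reqcert = hard
ldap_search_base = dc=int,dc=domain,dc=com
ldap_schema = rfc2307
ldap_id_mapping = False
ldap_user_object_class = user
ldap_group_object_class = group
ldap_group_member = memberuid
ldap_group_nesting_level = 0
ldap_user_home_directory = unixHomeDirectory
ldap_referrals = false
ldap_default_bind_dn = ...
min_id = 10000
max_id = 20000
cache_credentials = true
enumerate = false

# Domain 2: the AD view of the ordinary employee accounts. The section
# name is the NetBIOS name (assumed to be "INT"); ad_domain ties it to
# the DNS domain. The AD provider authenticates with the host keytab in
# /etc/krb5.keytab, which 'adcli join int.domain.com' creates.
[domain/INT]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ad_domain = int.domain.com
# ad_server is optional; DCs are discovered via DNS SRV records when unset.
# ad_server = ldapad.int.domain.com
# Ordinary accounts carry no uidNumber, so IDs are derived from the SID.
# SSSD's default mapping range begins at 200000, so it does not overlap
# the 10000-20000 range used by the POSIX domain above.
ldap_id_mapping = True
# Assumed policy: besides the disabled/expired checks done by
# access_provider = ad, only members of this (hypothetical) group log in.
ad_access_filter = (memberOf=CN=linux-users,OU=Groups,DC=int,DC=domain,DC=com)
# Assumed: exclude the prefixed POSIX accounts from this view, so they are
# never handed a second, SID-mapped UID through the AD domain.
ldap_user_search_base = dc=int,dc=domain,dc=com?subtree?(!(uidNumber=*))
cache_credentials = true
enumerate = false
```

After `adcli join int.domain.com`, confirm the host principal is present with `klist -kte /etc/krb5.keytab`, restart sssd, and check each domain separately with `sssctl domain-status INT`, `getent passwd someuser@INT` and `getent passwd psx_someuser@int.domain.com`. Names qualified with the domain are the unambiguous way to test, since an unqualified name is resolved by the first domain in `domains` that knows it.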
> --
> Sean Roberts
>
> On Tue, Jan 8, 2019 at 12:20 PM Sumit Bose <sbose(a)redhat.com> wrote:
> > On Tue, Jan 08, 2019 at 11:29:32AM +0000, Sean Roberts wrote:
> > > I'm working on an AD where they've completely separate normal AD users and
> > > POSIX users.
> > > - AD: All employees have a user.
> > > - POSIX: Certain employees get a separate user which is used for POSIX use
> > > cases. *(Usernames are prefixed so they never collide.)* Their groups are
> > > only POSIX groups.
> > >
> > > How can SSSD get both sets of users and their groups?
> > >
> > > Could we create a separate [domain/...] for each? Would overrides in
> > > [application/...] work?
> > >
> > > Currently SSSD is only getting the POSIX users and ldap_id_mapping=false is
> > > set. We can't really disable that without massive `chown`s across all the
> > > systems.
> >
> > Hi,
> >
> > I think having two [domain/...] sections, one for each set of users, would be
> > best. But it would be good to see your current sssd.conf (sanitized if
> > needed) to better understand how the group memberships are defined for
> > the POSIX users, because there are multiple ways this can be done
> > with AD.
> >
> > bye,
> > Sumit
> >
> > >
> > > --
> > > Sean Roberts
> >
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...