Sumit,
IT has decided they won't let Linux servers join their domain.
They offered another service/API for UID/GID lookup.
Is there another way SSSD can do ID mapping and maybe consume this other
service for UID/GID? Every employee has a unique UID/GID in that service.
On Wed, Jan 16, 2019 at 2:21 AM Sumit Bose <sbose(a)redhat.com> wrote:
On Tue, Jan 15, 2019 at 02:19:33PM -0500, vadud3(a)gmail.com wrote:
> On Sat, Jan 12, 2019 at 12:22 PM John Hearns <hearnsj(a)googlemail.com> wrote:
>
> > Emmm.. Do you need the AD Administrator password? Why?
> >
>
> I do not need that. I know that.
>
>
> >
> > If you need to join a Linux system to the AD domain you can ask the AD
> > administrator to do this.
> > Or you can have a service account set up on AD which has the permissions
> > to join to the domain.
> >
>
> Right, that is what Sumit suggested as well
>
> # realm join -U vadud3 ad.example.net
> Password for vadud3:
> See: journalctl REALMD_OPERATION=r10925.4111
> realm: Couldn't join realm: Insufficient permissions to join the domain ad.example.net
>
> # journalctl REALMD_OPERATION=r10925.4111
> -- Logs begin at Tue 2019-01-15 08:11:19 PST, end at Tue 2019-01-15 11:14:40 PST. --
> Jan 15 11:13:24 centos7 realmd[4114]: * Resolving: _ldap._tcp.ad.example.net
> Jan 15 11:13:24 centos7 realmd[4114]: * Performing LDAP DSE lookup on: 192.168.1.51
> Jan 15 11:13:25 centos7 realmd[4114]: * Successfully discovered: ad.example.net
> Jan 15 11:13:30 centos7 realmd[4114]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
> Jan 15 11:13:30 centos7 realmd[4114]: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.CDOLVZ -U vadud3 ads join ad.example.net
> Jan 15 11:13:39 centos7 realmd[4114]: Enter vadud3's password:
> Jan 15 11:13:39 centos7 realmd[4114]: Failed to join domain: User specified does not have administrator privileges
> Jan 15 11:13:39 centos7 realmd[4114]: ! Insufficient permissions to join the domain ad.example.net
>
> So yes, I will need an account with sufficient privilege to join AD.
>
> Is there a way to talk to AD over a proxy? For our environment that will
> reduce the number of firewall update requests.
I think you typically use read-only domain controllers (RODC) in a
network segment where the clients are for this.
HTH
bye,
Sumit
> >
> > On Fri, 11 Jan 2019 at 16:03, <vadud3(a)gmail.com> wrote:
> >
> >>
> >>
> >> On Fri, Jan 11, 2019 at 6:50 AM Sumit Bose <sbose(a)redhat.com> wrote:
> >>
> >>> On Wed, Jan 09, 2019 at 12:47:34PM -0500, vadud3(a)gmail.com wrote:
> >>> > Looking for suggestion on ID mapping.
> >>> >
> >>> > I need to point to a ID provider over proxy
> >>> >
> >>> > I have not found a concrete solution or some hint about how to set up a
> >>> > proxy to an ID provider and how sssd can point to that proxy for ID
> >>> > mapping.
> >>>
> >>> Can you rephrase your question? 'ID provider over proxy' sounds like you
> >>> want some more details about SSSD's proxy provider as described in the
> >>> sssd.conf man page. But this is unrelated to what I associate typically
> >>> with 'ID mapping'. Please give a bit more details about what you are
> >>> trying to achieve.
> >>>
> >>>
> >> I am looking for an ID mapping solution. I do see the following providers.
> >>
> >> “proxy”: Support a legacy NSS provider.
> >>
> >> “local”: SSSD internal provider for local users (DEPRECATED).
> >>
> >> “files”: FILES provider. See sssd-files(5) for more
> >> information on how to mirror local users and groups into SSSD.
> >>
> >> “ldap”: LDAP provider. See sssd-ldap(5) for more information
> >> on configuring LDAP.
> >>
> >> “ipa”: FreeIPA and Red Hat Enterprise Identity Management
> >> provider. See sssd-ipa(5) for more information on
> >> configuring FreeIPA.
> >>
> >> “ad”: Active Directory provider. See sssd-ad(5) for more
> >> information on configuring Active Directory.
> >>
> >> I am looking for a suggestion.
> >> ad - won't work as we will not be provided the Administrator password
> >> ldap - won't work as IT says not to use LDAP and to use Kerberos
> >> instead for all things UNIX auth, and to use /etc/passwd for id
> >> (yikes, we have 100s of servers to manage)
> >> files - I am not sure how to have a central file for all accounts
> >> local - seems deprecated
> >> proxy - I am not sure how to set that up, but seems like it is
> >> easier for a central ID provider?
> >>
> >> Please advise
> >>> bye,
> >>> Sumit
> >>>
> >>> >
> >>> > All my servers are CentOS 7.
> >>> >
> >>> >
> >>> > --
> >>> > Asif Iqbal
> >>> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> >>> > A: Because it messes up the order in which people normally read text.
> >>> > Q: Why is top-posting such a bad thing?
> >>>
> >>> > _______________________________________________
> >>> > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> >>> > To unsubscribe send an email to
> >>> sssd-users-leave(a)lists.fedorahosted.org
> >>> > Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> >>> > List Guidelines:
> >>>
https://fedoraproject.org/wiki/Mailing_list_guidelines
> >>> > List Archives:
> >>>
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
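As an added, constructed example (not from this thread and not an SSSD project sample): an sssd.conf that uses the proxy id_provider discussed above to take UID/GID from IT's lookup service through a hypothetical NSS module, libnss_corpids, while authenticating with Kerberos against the AD realm so no domain join is needed. The module name, the group name linux-admins and the choice of 192.168.1.51 as KDC are assumptions.

```ini
# /etc/sssd/sssd.conf  (constructed example; mode 0600, owned by root)
#
# Assumption: a hypothetical NSS module libnss_corpids.so is installed in the
# system library path and resolves users/groups from IT's UID/GID service.
# SSSD's proxy provider loads it by name and calls symbols such as
# _nss_corpids_getpwnam_r, so the module must implement the standard NSS API.

[sssd]
services = nss, pam
domains = corp

[domain/corp]
# ID mapping: UID/GID lookups go to the NSS module via the proxy provider,
# so every server sees the same UIDs without a domain join or /etc/passwd sync.
id_provider = proxy
proxy_lib_name = corpids
# Do not enumerate; a full user/group walk against a remote service is costly.
enumerate = false
# Cache resolved entries (seconds) to limit calls to the remote service.
entry_cache_timeout = 600

# Authentication: Kerberos password auth against the AD realm. This needs only
# reachability of the KDC, not a computer account in the domain.
auth_provider = krb5
krb5_realm = AD.EXAMPLE.NET
# Assumption: the DC discovered in the realmd log above also serves as KDC.
krb5_server = 192.168.1.51
cache_credentials = true

# Caveat: with no host keytab (no join), the obtained TGT cannot be validated
# against a host key, so krb5_validate must stay off. Pinning krb5_server
# removes DNS SRV lookup as a way to redirect authentication, but it does not
# replace the validation a keytab would give.
krb5_validate = false

# The ID service knows every employee; restrict logins to an allowed group
# (hypothetical group name) instead of letting every resolvable UID log in.
access_provider = simple
simple_allow_groups = linux-admins
```

The firewall request this needs is reachability of the KDC (Kerberos, port 88) plus whatever the NSS module itself talks to; the LDAP port used by realm join is not required for this configuration.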