On 21/07/14 07:03, Jakub Hrozek wrote:
> On Sat, Jul 19, 2014 at 02:42:46PM +0100, Rowland Penny wrote:
>> On 18/07/14 20:50, Dmitri Pal wrote:
>>> On 07/18/2014 03:19 PM, Rowland Penny wrote:
>>>> On 18/07/14 20:03, Dmitri Pal wrote:
>>>>> On 07/18/2014 11:53 AM, Rowland Penny wrote:
>>>>>> On 18/07/14 16:18, Jakub Hrozek wrote:
>>>>>>> On Thu, Jul 10, 2014 at 11:20:10AM +0100, Rowland Penny wrote:
>>>>>>>> Any suggestions as to what I check next??
>>>>>>> Sorry for the delayed reply.
>>>>>>> Looks like an ACI problem to me, the first search binds as
>>>>>>> NETBOOK$@EXAMPLE.COM, the second as
>>>>>> ER, could you please expand 'ACI' for me, I haven't a clue what you
>>>>>> are talking about ;-)
>>>>> Access Control Instructions in LDAP on the server side.
>>>>> In one case the account has privileges to get information and in the other
>>>>> it does not. You need to change permission on the server for the SSSD
>>>>> account to have permission to do the search.
>>>> Thanks, you have confirmed what I thought was going on, have you any
>>>> idea how I can give machines the required rights in Active Directory or
>>>> can you point me at a webpage that explains how to do it?
>>> Sorry, no. I would defer to technical gurus to chime in on Monday.
>> OK, I have now got sudo to work on my laptop, but the only way I could find
>> was to add the laptop to Domain Admins. This confirms that it is a
>> permissions problem, but I do not think adding every linux computer to
>> Domain Admins is really a good idea.
> No, it's not :-)
>> So where do we go from here ?? will sssd & sudo work out of the box on any
>> linux distro against AD ?
> No, because sudo is not present on the AD side out of the box. I assume
> you had to add the entries yourself anyway to the AD server, including
> extending the schema, so it really depends on how you set up the AD
I am using a samba4 server and yes, I did extend the schema and add the
sudo rules, but I did ALL of this on the Debian wheezy backports server.
> Normally I use ADSI Edit to edit the permissions. If you right-click the
> sudo container in ADSI, select properties and then go to the Security Tab,
> do you see "Authenticated users" there? btw I'm using Windows Server 2012,
> not sure if the dialogs look any different in earlier versions.
So what you are saying is, to get a UNIX program to work on a UNIX
machine running against a UNIX AD DC, you have to set it up on a
WINDOWS machine ??? What happens if you do not have a windows machine or
if you do, you don't have ADSI Edit ??
> Also there were a couple of questions on the subject lately so I wrote
> up what I did for testing here:
Yes, I read that, amongst lots of other things, none of which said that
you definitely had to get windows involved.
This is quite likely the biggest bug I personally have ever heard of ;-)
sssd-users mailing list
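The thread leaves the fix at "open the Security tab of the sudo container in ADSI Edit and check for Authenticated Users". The same permission can be granted from the Samba DC itself, without a Windows box, by adding an ACE to the container's DACL with `samba-tool dsacl set --objectdn=... --sddl=...`. The helper below is an added example, not code from this thread, from SSSD or from Samba: it decodes an SDDL ACE into its rights so you can confirm it is a read-only grant before applying it, and builds the `samba-tool` argument list. The container DN `OU=SUDOers,DC=example,DC=com`, the choice of Authenticated Users (`AU`) as trustee and the ACE string `(A;CI;RPLCLORC;;;AU)` are assumptions for illustration; the `samba-tool dsacl set` options are as I know them from Samba 4.

```python
"""Decode an SDDL ACE before granting it on the sudo container of a Samba AD DC.

Added example; not code from the thread, SSSD or Samba. The container DN and
the trustee are illustration-only assumptions.
"""

# Two-letter access rights as written in SDDL (the subset meaningful for
# directory objects).
ACCESS_RIGHTS = {
    "RP": "read property",   "WP": "write property",
    "LC": "list children",   "LO": "list object",
    "RC": "read control",    "WD": "write DAC",
    "WO": "write owner",     "CC": "create child",
    "DC": "delete child",    "SD": "delete",
    "DT": "delete tree",     "CR": "control access (extended right)",
    "SW": "validated write", "GR": "generic read",
    "GW": "generic write",   "GA": "generic all",
}
# Rights in an allow ACE that only let the trustee read the tree.
READ_ONLY_RIGHTS = {"RP", "LC", "LO", "RC", "GR"}
ACE_FLAGS = {"CI": "container inherit", "OI": "object inherit",
             "NP": "no propagate", "IO": "inherit only", "ID": "inherited"}
# Well-known SID abbreviations accepted in the trustee field.
WELL_KNOWN_SIDS = {"AU": "Authenticated Users", "DA": "Domain Admins",
                   "DC": "Domain Computers", "WD": "Everyone",
                   "BA": "Builtin Administrators", "SY": "Local System"}


def _pairs(field, table, what):
    """Split 'RPLCLORC' into ['RP', 'LC', 'LO', 'RC'], rejecting unknown codes."""
    if len(field) % 2:
        raise ValueError("odd-length %s field: %r" % (what, field))
    codes = [field[i:i + 2] for i in range(0, len(field), 2)]
    bad = [c for c in codes if c not in table]
    if bad:
        raise ValueError("unknown %s code(s) %s" % (what, bad))
    return codes


def parse_ace(ace):
    """Parse one ACE '(type;flags;rights;object_guid;inherit_guid;trustee)'."""
    if not (ace.startswith("(") and ace.endswith(")")):
        raise ValueError("ACE must be enclosed in parentheses")
    fields = ace[1:-1].split(";")
    if len(fields) != 6:
        raise ValueError("ACE needs six ';'-separated fields")
    ace_type, flags, rights, obj_guid, inh_guid, trustee = fields
    if ace_type not in ("A", "D"):
        raise ValueError("only plain allow (A) / deny (D) ACEs handled here")
    if trustee in WELL_KNOWN_SIDS:
        trustee_name = WELL_KNOWN_SIDS[trustee]
    elif trustee.startswith("S-1-"):
        trustee_name = trustee  # explicit SID, e.g. of a machine account
    else:
        raise ValueError("unknown trustee %r" % trustee)
    return {
        "type": "allow" if ace_type == "A" else "deny",
        "flags": _pairs(flags, ACE_FLAGS, "flag"),
        "rights": _pairs(rights, ACCESS_RIGHTS, "right"),
        "object_guid": obj_guid,
        "inherit_guid": inh_guid,
        "trustee": trustee_name,
    }


def is_read_only_grant(ace):
    """True if the ACE is an allow ACE whose rights cannot modify anything."""
    p = parse_ace(ace)
    return p["type"] == "allow" and set(p["rights"]) <= READ_ONLY_RIGHTS


def samba_tool_command(objectdn, ace):
    """argv to add the ACE on the DC with samba-tool; refuses write grants."""
    if not is_read_only_grant(ace):
        raise ValueError("refusing to build a command for a non-read-only ACE")
    return ["samba-tool", "dsacl", "set",
            "--objectdn=" + objectdn, "--sddl=" + ace]


if __name__ == "__main__":
    # Assumed container DN; use the one created by your schema extension.
    SUDO_CONTAINER = "OU=SUDOers,DC=example,DC=com"
    # Allow Authenticated Users (which includes joined machine accounts such
    # as NETBOOK$) to read/list the container and, via CI, every rule in it.
    ACE = "(A;CI;RPLCLORC;;;AU)"
    for right in parse_ace(ACE)["rights"]:
        print(right, "=", ACCESS_RIGHTS[right])
    print(" ".join(samba_tool_command(SUDO_CONTAINER, ACE)))
```

Run the printed `samba-tool` command as root on the Samba DC, then repeat the failing search as the machine account (for example `kinit -k 'NETBOOK$@EXAMPLE.COM'` followed by `ldapsearch -Y GSSAPI` against the sudo container) and compare with the admin bind from the original log; both should now return the sudoRole entries. The `CI` flag matters: without it the ACE covers only the container object itself, not the rules beneath it. The helper deliberately refuses to emit a command for anything beyond read rights, which is the point of not putting every Linux host into Domain Admins.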