On Sat, Jul 19, 2014 at 02:42:46PM +0100, Rowland Penny wrote:
On 18/07/14 20:50, Dmitri Pal wrote:
>On 07/18/2014 03:19 PM, Rowland Penny wrote:
>>On 18/07/14 20:03, Dmitri Pal wrote:
>>>On 07/18/2014 11:53 AM, Rowland Penny wrote:
>>>>On 18/07/14 16:18, Jakub Hrozek wrote:
>>>>>On Thu, Jul 10, 2014 at 11:20:10AM +0100, Rowland Penny wrote:
>>>>>>Any suggest to what I check next??
>>>>>Sorry for the delayed reply.
>>>>>
>>>>>Looks like an ACI problem to me, the first search binds as
>>>>>NETBOOK$(a)EXAMPLE.COM, the second as
>>>>>cn=Administrator,cn=Users,dc=example,dc=com
>>>>>_______________________________________________
>>>>>sssd-users mailing list
>>>>>sssd-users(a)lists.fedorahosted.org
>>>>>https://lists.fedorahosted.org/mailman/listinfo/sssd-users
>>>>Er, could you please expand 'ACI' for me, I haven't a clue what you
>>>>are talking about ;-)
>>>
>>>Access Control Instructions in LDAP on the server side.
>>>In one case the account has privileges to get information and in other
>>>it does not. You need to change permission on the server for the SSSD
>>>account to have permission to do the search.
>>>
>>Thanks, you have confirmed what I thought was going on, have you any
>>idea how I can give machines the required rights in Active Directory or
>>can you point me at a webpage that explains how to do it?
>
>Sorry, no. I would defer to technical gurus to chime in on Monday.
>
>>
>>Rowland
>
>
> OK, I have now got sudo to work on my laptop, but the only way I could find
> was to add the laptop to Domain Admins. This confirms that it is a
> permissions problem, but I do not think adding every Linux computer to
> Domain Admins is really a good idea.
No, it's not :-)
> So where do we go from here?? Will sssd & sudo work out of the box on any
> Linux distro against AD?
No, because sudo is not present on the AD side out of the box. I assume
you had to add the entries yourself anyway to the AD server, including
extending the schema, so it really depends on how you set up the AD
server.
Normally I use ADSI Edit to edit the permissions. If you right-click the
sudo container in ADSI Edit, select Properties and then go to the Security tab,
do you see "Authenticated Users" there? BTW, I'm using Windows Server 2012,
not sure if the dialogs look any different in earlier versions.
Also there were a couple of questions on the subject lately so I wrote
up what I did for testing here:
https://jhrozek.livejournal.com/3860.html
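The ADSI Edit step above, done from PowerShell, as an added example that is not code from this thread, from SSSD or from the linked blog post. It grants "Authenticated Users" (which every domain computer account such as NETBOOK$ belongs to) read access to the container that holds the sudoRole entries, so machine-account binds can search it without the host being a Domain Admin. Assumptions that the thread does not state: the container DN (OU=sudoers,DC=example,DC=com is made up here; the thread only shows dc=example,dc=com), that the RSAT ActiveDirectory module is installed on the admin workstation, and that the script runs as an account allowed to modify that container's security descriptor.

```powershell
# Added example, not from the sssd-users thread: give domain-joined hosts read access
# to the sudo container in AD instead of adding each Linux machine to Domain Admins.
# Assumed: container DN below, RSAT ActiveDirectory module, rights to edit the DACL.
Import-Module ActiveDirectory

# Assumed DN of the sudo container (the thread only shows dc=example,dc=com).
$SudoContainer = 'OU=sudoers,DC=example,DC=com'

# "Authenticated Users" by its well-known SID (S-1-5-11), so the script does not
# depend on the display-name locale. Every computer account (HOST$) is a member.
$AuthenticatedUsers = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-11'

function Grant-SudoContainerRead {
    param(
        [Parameter(Mandatory)] [string] $Dn,
        [Parameter(Mandatory)] [System.Security.Principal.SecurityIdentifier] $Sid
    )

    $acl = Get-Acl -Path "AD:\$Dn"

    # Allow ACE: GenericRead (read properties, list children, read the DACL) on the
    # container and, through inheritance, on every sudoRole object beneath it.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
    )

    # Idempotency check: AD may store GenericRead as-is or expanded into the specific
    # bits (ReadProperty + ListChildren), so accept either form for this SID.
    $gr = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead
    $rp = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $lc = [System.DirectoryServices.ActiveDirectoryRights]::ListChildren
    $existing = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.IdentityReference -eq $Sid -and
            $_.AccessControlType -eq [System.Security.AccessControl.AccessControlType]::Allow -and
            (
                (($_.ActiveDirectoryRights -band $gr) -eq $gr) -or
                ((($_.ActiveDirectoryRights -band $rp) -eq $rp) -and (($_.ActiveDirectoryRights -band $lc) -eq $lc))
            )
        }
    if ($existing) {
        Write-Host "Read ACE for $Sid already present on $Dn, nothing to do"
        return
    }

    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
    Write-Host "Granted GenericRead on $Dn (inherited by children) to $Sid"
}

function Show-SudoContainerAces {
    param([Parameter(Mandatory)] [string] $Dn)
    # Review the resulting DACL; this is what the ADSI Edit Security tab displays.
    (Get-Acl -Path "AD:\$Dn").Access |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType |
        Format-Table -AutoSize
}

Grant-SudoContainerRead -Dn $SudoContainer -Sid $AuthenticatedUsers
Show-SudoContainerAces -Dn $SudoContainer
```

If the sudo rules should not be readable by every authenticated principal, pass a narrower SID to Grant-SudoContainerRead, for example (Get-ADGroup 'Domain Computers').SID or the SID of a group that contains only the Linux hosts. To confirm the fix from the Linux side, obtain a ticket for the machine account with kinit -k and run an ldapsearch with -Y GSSAPI against the sudo container DN; the search that previously returned nothing as NETBOOK$ should now return the sudoRole entries.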