5:29 a.m.
I'm working on an AD where they've completely separate normal AD users and
POSIX users.
- AD: All employees have a user.
- POSIX: Certain employees get a separate user which is used for POSIX use
cases. *(Usernames are prefixed so they never collide). *Their groups are
only POSIX groups.
How can SSSD get both sets of users and their groups?
Could we create a separate [domain/...] for each? Would overrides in
[application/...] work?
Currently SSSD is only getting the POSIX users and ldap_id_mapping=false is
set. We can't really disable that without massive `chown`s across all the
systems.
--
Sean Roberts
6:20 a.m.
On Tue, Jan 08, 2019 at 11:29:32AM +0000, Sean Roberts wrote:
I'm working on an AD where they've completely separate normal
AD users and
POSIX users.
- AD: All employees have a user.
- POSIX: Certain employees get a separate user which is used for POSIX use
cases. *(Usernames are prefixed so they never collide). *Their groups are
only POSIX groups.
How can SSSD get both sets of users and their groups?
Could we create a separate [domain/...] for each? Would overrides in
[application/...] work?
Currently SSSD is only getting the POSIX users and ldap_id_mapping=false is
set. We can't really disable that without massive `chown`s across all the
systems.
Hi,
I think have two [domain/...] sections for each set of users would be
best. But it would be good to see your current sssd.conf (sanitized if
needed) to better understand how the group memberships are defined for
the POSIX users because there are multiple ways how this can be done
with AD.
bye,
Sumit
--
Sean Roberts
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
6:38 a.m.
Thanks.
Below is sssd.conf for the POSIX users.
Would making another domain group named [domain/INT.DOMAIN.COM] conflict?
Can we name it to identity what is different between them?
```
[sssd]
debug_level = 3
domains = int.domain.com
config_file_version = 2
reconnection_retries = 3
services = nss, pam
[nss]
reconnection_retries = 3
debug_level = 3
filter_groups = root
filter_users = root
[pam]
debug_level = 3
reconnection_retries = 3
[domain/int.domain.com]
debug_level = 3
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = simple
simple_allow_groups = unix-admin, unix-backup, unix-sudo
ldap_group_nesting_level = 0
cache_credentials = true
min_id = 10000
max_id = 20000
enumerate = false
ldap_referrals = false
ldap_uri = ldaps://ldapad.int.domain.com/
ldap_id_mapping = False
ldap_schema = rfc2307
ldap_group_member = memberuid
ldap_search_base = dc=int,dc=domain,dc=com
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_tls_reqcert = hard
ldap_default_bind_dn = ...
```
--
Sean Roberts
On Tue, Jan 8, 2019 at 12:20 PM Sumit Bose <sbose(a)redhat.com> wrote:
On Tue, Jan 08, 2019 at 11:29:32AM +0000, Sean Roberts wrote:
> I'm working on an AD where they've completely separate normal AD users
and
> POSIX users.
> - AD: All employees have a user.
> - POSIX: Certain employees get a separate user which is used for POSIX
use
> cases. *(Usernames are prefixed so they never collide). *Their groups are
> only POSIX groups.
>
> How can SSSD get both sets of users and their groups?
>
> Could we create a separate [domain/...] for each? Would overrides in
> [application/...] work?
>
> Currently SSSD is only getting the POSIX users and ldap_id_mapping=false
is
> set. We can't really disable that without massive `chown`s across all the
> systems.
Hi,
I think have two [domain/...] sections for each set of users would be
best. But it would be good to see your current sssd.conf (sanitized if
needed) to better understand how the group memberships are defined for
the POSIX users because there are multiple ways how this can be done
with AD.
bye,
Sumit
>
> --
> Sean Roberts
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
On Tue, Jan 8, 2019 at 12:20 PM Sumit Bose <sbose(a)redhat.com> wrote:
On Tue, Jan 08, 2019 at 11:29:32AM +0000, Sean Roberts wrote:
> I'm working on an AD where they've completely separate normal AD users
and
> POSIX users.
> - AD: All employees have a user.
> - POSIX: Certain employees get a separate user which is used for POSIX
use
> cases. *(Usernames are prefixed so they never collide). *Their groups are
> only POSIX groups.
>
> How can SSSD get both sets of users and their groups?
>
> Could we create a separate [domain/...] for each? Would overrides in
> [application/...] work?
>
> Currently SSSD is only getting the POSIX users and ldap_id_mapping=false
is
> set. We can't really disable that without massive `chown`s across all the
> systems.
Hi,
I think have two [domain/...] sections for each set of users would be
best. But it would be good to see your current sssd.conf (sanitized if
needed) to better understand how the group memberships are defined for
the POSIX users because there are multiple ways how this can be done
with AD.
bye,
Sumit
>
> --
> Sean Roberts
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
5:46 a.m.
On Tue, Jan 08, 2019 at 12:38:09PM +0000, Sean Roberts wrote:
Thanks.
Below is sssd.conf for the POSIX users.
Would making another domain group named [domain/INT.DOMAIN.COM] conflict?
Can we name it to identity what is different between them?
```
[sssd]
debug_level = 3
domains = int.domain.com
config_file_version = 2
reconnection_retries = 3
services = nss, pam
[nss]
reconnection_retries = 3
debug_level = 3
filter_groups = root
filter_users = root
[pam]
debug_level = 3
reconnection_retries = 3
[domain/int.domain.com]
debug_level = 3
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = simple
simple_allow_groups = unix-admin, unix-backup, unix-sudo
ldap_group_nesting_level = 0
cache_credentials = true
min_id = 10000
max_id = 20000
enumerate = false
ldap_referrals = false
ldap_uri = ldaps://ldapad.int.domain.com/
ldap_id_mapping = False
ldap_schema = rfc2307
ldap_group_member = memberuid
ldap_search_base = dc=int,dc=domain,dc=com
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_tls_reqcert = hard
ldap_default_bind_dn = ...
```
Thanks. So you are completely using the rfc2307 schema features of AD
including the group memberships.
In this case you can add a second domain ideally with id_provider=ad to
get the AD view of the users. The AD provider expects that the default
keytab /etc/krb5.keytab contains Kerberos credentials for the host to
access the LDAP service of the AD DCs. So it would be best to join the
domain e.g. with 'adcli'.
I really would recommend to use a completely different domain name, e.g.
the NetBIOS domain name of the AD domain. Although the domain names from
sssd.conf are trated case-sensitive the default behavior of the AD
provider is to treat all names case-insensitive to be in agreement with
the behavior of AD.
HTH
bye,
Sumit
--
Sean Roberts
On Tue, Jan 8, 2019 at 12:20 PM Sumit Bose <sbose(a)redhat.com> wrote:
> On Tue, Jan 08, 2019 at 11:29:32AM +0000, Sean Roberts wrote:
> > I'm working on an AD where they've completely separate normal AD users
> and
> > POSIX users.
> > - AD: All employees have a user.
> > - POSIX: Certain employees get a separate user which is used for POSIX
> use
> > cases. *(Usernames are prefixed so they never collide). *Their groups are
> > only POSIX groups.
> >
> > How can SSSD get both sets of users and their groups?
> >
> > Could we create a separate [domain/...] for each? Would overrides in
> > [application/...] work?
> >
> > Currently SSSD is only getting the POSIX users and ldap_id_mapping=false
> is
> > set. We can't really disable that without massive `chown`s across all the
> > systems.
>
> Hi,
>
> I think have two [domain/...] sections for each set of users would be
> best. But it would be good to see your current sssd.conf (sanitized if
> needed) to better understand how the group memberships are defined for
> the POSIX users because there are multiple ways how this can be done
> with AD.
>
> bye,
> Sumit
>
> >
> > --
> > Sean Roberts
>
> > _______________________________________________
> > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
>
On Tue, Jan 8, 2019 at 12:20 PM Sumit Bose <sbose(a)redhat.com> wrote:
> On Tue, Jan 08, 2019 at 11:29:32AM +0000, Sean Roberts wrote:
> > I'm working on an AD where they've completely separate normal AD users
> and
> > POSIX users.
> > - AD: All employees have a user.
> > - POSIX: Certain employees get a separate user which is used for POSIX
> use
> > cases. *(Usernames are prefixed so they never collide). *Their groups are
> > only POSIX groups.
> >
> > How can SSSD get both sets of users and their groups?
> >
> > Could we create a separate [domain/...] for each? Would overrides in
> > [application/...] work?
> >
> > Currently SSSD is only getting the POSIX users and ldap_id_mapping=false
> is
> > set. We can't really disable that without massive `chown`s across all the
> > systems.
>
> Hi,
>
> I think have two [domain/...] sections for each set of users would be
> best. But it would be good to see your current sssd.conf (sanitized if
> needed) to better understand how the group memberships are defined for
> the POSIX users because there are multiple ways how this can be done
> with AD.
>
> bye,
> Sumit
>
> >
> > --
> > Sean Roberts
>
> > _______________________________________________
> > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
>
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
1926
days inactive
1929
days old
sssd-users@lists.fedorahosted.org
3 comments
2 participants
participants (2)
-
Sean Roberts -
Sumit Bose