On 18 May 2018, at 18:46, James Ralston <ralston(a)pobox.com>
We have a small development Active Directory domain where we have
several RHEL7 hosts.
We never extended our AD schema with the RFC2307 attributes
(uidNumber, gidNumber, et al.). Instead, we just configured sssd
with ldap_id_mapping = true. It works fantastically well!
BUT: now we need to add several RHEL5 hosts to the domain.
The problem is that the RHEL5 version of sssd is 1.5.1, which is too
old to support ldap_id_mapping.
We looked briefly at what would be required to backport a more recent
version of sssd to RHEL5, and quickly abandoned that idea: we would
have to update multiple core system libraries to more recent versions.
But we don't want to have to manually manage all accounts on the RHEL5
hosts. That would be extraordinarily tedious and error-prone.
We've kicked around a few ideas:
1. Add the RFC2307 attributes to Active Directory. Set the
(uidNumber, gidNumber) attributes by logging in to one of the RHEL7
hosts and observing what values sssd has mapped.
2. On one of our RHEL7 hosts, create a list of passwd/group entries
for users/groups we care about, and then distribute that list of
users/groups to the RHEL5 hosts.
We're leaning towards #1, because while it adds an additional step for
user/group creations in AD, it keeps all account management in AD, and
seems like the solution with the least amount of overhead. (Only a
handful of people need to be able to login to the RHEL5 systems, so we
could probably get away with only creating the (uidNumber, gidNumber)
attributes for the users/groups which need to be visible on those
Does anyone have any other suggestions on how to wrangle both RHEL5
and RHEL7 hosts with sssd?
Two other ideas:
- SSSD 1.15 should work on RHEL-5 (although I haven’t tried that in a long time) albeit
with some functionality, including the sssd-ad provider configured out. What you could use
though is the ldap id_provider with id-mapping manually enabled. You would have to set the
domain SID manually at least.
- As long as you don’t care about the IDs being the same on RHEL-5 and RHEL-7 machines,
maybe you could use winbind?
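As an added illustration of the first suggestion (not from the thread's authors), here is what the ldap id_provider with manual id-mapping could look like in sssd.conf on a RHEL-5 host. The domain name, server, search base and SID are placeholders; the idmap range values are sssd's defaults and are assumed to match what the RHEL-7 hosts use, since the same domain SID plus the same range parameters is what makes both sets of hosts compute the same UIDs/GIDs.

```ini
# sssd.conf fragment for a RHEL-5 host (example, not from the thread).
# Replace DEVLAB.EXAMPLE, dc1.devlab.example and the domain SID with real values.
[sssd]
services = nss, pam
domains = devlab.example

[domain/devlab.example]
# Plain LDAP provider against AD; the sssd-ad provider is assumed unavailable here.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://dc1.devlab.example
ldap_search_base = dc=devlab,dc=example
# AD schema so sssd reads objectSid/sAMAccountName instead of RFC2307 attributes.
ldap_schema = ad
ldap_referrals = false
# Bind with the host keytab rather than a stored password.
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/rhel5host.devlab.example@DEVLAB.EXAMPLE
krb5_realm = DEVLAB.EXAMPLE
krb5_server = dc1.devlab.example

# Manual id-mapping. The ldap provider does not discover the domain SID,
# so it must be given explicitly (placeholder below).
ldap_id_mapping = true
ldap_idmap_default_domain = devlab.example
ldap_idmap_default_domain_sid = S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX
# These are the sssd defaults; keep them identical on every host, RHEL-5 and
# RHEL-7 alike, or the same SID will map to different UIDs/GIDs.
ldap_idmap_range_min = 200000
ldap_idmap_range_max = 2000200000
ldap_idmap_range_size = 200000

cache_credentials = true
```

After enabling it, compare `id <user>` on a RHEL-5 and a RHEL-7 host for a few accounts before relying on the IDs matching, since any difference in the range settings or SID silently changes the result.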
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org