Hi List,
Looks like the AD provider in sssd honors sAMAccountname attribute instead of the 'uid' (which is more in line with the RFC2307). Is this intentional or a bug?
Thanks, Ondrej
On Fri, Nov 01, 2013 at 09:36:05AM +0000, Ondrej Valousek wrote:
Intentional. Is UID guaranteed to be there in all setups, even if RFC2307 attributes are not present on the AD side?
Yes, it is guaranteed to be there (or we can safely assume so) if we use ldap_id_mapping = False.
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek Sent: Friday, November 01, 2013 10:52 AM To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] AD provider uses wrong user attribute?
On 01/11/13 10:00, Ondrej Valousek wrote:
I wouldn't like to bet on 'uid' being there on Samba4 AD if the user is created with samba-tool; 'uid' is an optional attribute.
Rowland
In ADUC, if you tick on User "Unix attributes" and populate it, uid is automatically set on. Not sure if Samba even populates RFC attributes - guess you need to use ldap_id_mapping=true w/ Samba.
Ondrej
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Rowland Penny Sent: Friday, November 01, 2013 11:13 AM To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] AD provider uses wrong user attribute?
On 01/11/13 11:21, Ondrej Valousek wrote:
With samba-tool you have to add the RFC2307 attributes separately, and even then it does not work just like ADUC; for instance, Samba4 does not have 'msSFU30MaxUidNumber' or 'msSFU30MaxGidNumber' attributes, and samba-tool adds the posixAccount & posixGroup objectClasses that ADUC doesn't.
Rowland
Understood, but it is not important.
Both directories (AD & Samba) do know about the uid attribute & RFC2307 dictates its usage, so:
1. If samba-tool does not populate it, then it is a bug in Samba which should be fixed.
2. If sssd does not honor this attribute when running in RFC2307 compatibility mode, then it is a bug and should be fixed as well.
Ondrej
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Rowland Penny Sent: Friday, November 01, 2013 1:09 PM To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] AD provider uses wrong user attribute?
Ondrej Valousek wrote:
Both directories (AD & Samba) do know about the uid attribute & RFC2307 dictates its usage so:
Most AD deployments of my customers have an empty 'uid' attribute. Changing this in enterprises with hundreds of domain controllers is a large change involving discussion in various management boards.
=> using sAMAccountName as the default with the AD provider is recommended.
Ciao, Michael.
Right, are you using RFC2307 at all then? If yes, how did they populate those attributes? AFAIK most admins do not know/care about RFC2307, so they leave sssd to do its mapping...
O.
________________________________________ From: sssd-users-bounces@lists.fedorahosted.org [sssd-users-bounces@lists.fedorahosted.org] on behalf of Michael Ströder [michael@stroeder.com] Sent: Friday, November 01, 2013 3:32 PM To: End-user discussions about the System Security Services Daemon Subject: Re: [SSSD-users] AD provider uses wrong user attribute?
On Fri, Nov 01, 2013 at 11:21:10AM +0000, Ondrej Valousek wrote:
But using UNIX attributes is optional with the AD provider; the AD provider must work well with defaults. I think you can override the attribute with the ldap_user_name config option instead.
But the whole set of RFC2307 attributes in AD is optional, right? What I am saying is that IF an administrator decides to make use of those, we should honor the whole set, not just a few of them.
Another use case: in AD you cannot have a user and a group with the same name (i.e. sAMAccountName). In Unix you can. If sssd honored uid by default, you could work around this AD restriction by manually specifying uid (ADUC sets it to the sAMAccountName value).
Ondrej
-----Original Message----- From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek Sent: Friday, November 01, 2013 1:45 PM To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] AD provider uses wrong user attribute?
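Before switching an AD domain from the default sAMAccountName login name to `ldap_user_name = uid` (with `ldap_id_mapping = False`, the override Jakub mentions above), a pre-flight check over a directory export, added here as an example and not part of this thread or of sssd: it lists users that would stop resolving (no uid, Rowland's and Michael's point), users whose login name would change, and users that share a uid value, which AD does not enforce as unique. The LDIF sample is constructed, and `parse_ldif` and `audit_uid_switch` are names chosen for this example.

```python
import re
from collections import Counter
# Constructed sample in the shape `ldapsearch -LLL` prints (not a real dump).
SAMPLE_LDIF = """\
dn: CN=Alice,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: alice
uid: alice

dn: CN=Bob,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: bob

dn: CN=Dave,CN=Users,DC=example,DC=test
objectClass: user
sAMAccountName: dave
uid: alice

dn: CN=unixadmins,CN=Users,DC=example,DC=test
objectClass: group
sAMAccountName: unixadmins
"""

def parse_ldif(text):
    """One dict per LDIF entry: attribute name -> list of values."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, sep, value = line.partition(":")
            if sep and not line.startswith("#"):
                entry.setdefault(attr.strip(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit_uid_switch(entries):
    """Login names under the AD provider default (sAMAccountName) vs ldap_user_name = uid."""
    users = [e for e in entries if "user" in e.get("objectClass", [])]
    uid_count = Counter(u["uid"][0].lower() for u in users if "uid" in u)
    report = {"missing_uid": [], "renamed": [], "duplicate_uid": []}
    for u in users:
        sam, uid = u["sAMAccountName"][0], u.get("uid", [None])[0]
        if uid is None:
            report["missing_uid"].append(sam)      # name lookup would stop working
        elif uid.lower() != sam.lower():
            report["renamed"].append((sam, uid))   # login name changes on the client
        if uid is not None and uid_count[uid.lower()] > 1:
            report["duplicate_uid"].append(sam)    # AD does not enforce uid uniqueness
    return report
```

Groups are skipped deliberately: they carry a sAMAccountName but no uid, and must not be counted as users that would break.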