Hi Friends,
As a security requirement, we have to migrate LDAP servers from one Active Directory domain to another Active Directory domain. The old Active Directory LDAP servers provide unix attributes for Linux servers (CentOS 7), while the new Active Directory LDAP servers don't, so we have to migrate unix attribute management to sssd, which will change the userid and groupid of all users. Does SSSD provide a feature to keep/store the userid and groupid of users from the old domain so we don't have to change file ownership on the Linux server side for files owned by Active Directory users?
Regards, Vjay
I don't think such a feature exists, but it should not be hard to build a table of the mappings (in an automated fashion, say using a bash or python script) and then write another script to use the table to rewrite file ownerships.
I've done this for a client before, so I know it is possible.
Chris Paul - Rex Consulting
On 7/13/20 4:19 AM, Vjay wrote:
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.org_...
List Guidelines: https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wiki_...
List Archives: https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.org_...
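One way to do the rewrite Chris describes, as an added example that is not code from this thread: a Python script that reads a constructed old-to-new UID/GID table (a CSV with columns kind,old,new, where kind is uid or gid; assumed to have been built beforehand, e.g. from getent output against each domain) and rewrites ownership inode by inode. It handles hard-linked inodes once, never follows symlinks, and restores setuid/setgid bits that chown clears on regular files; it runs as a dry run unless --apply is given.

```python
import csv
import os
import stat
import sys

def load_map(path):
    uid_map, gid_map = {}, {}
    with open(path, newline="") as fh:
        for row in csv.DictReader(fh):
            target = uid_map if row["kind"] == "uid" else gid_map
            target[int(row["old"])] = int(row["new"])
    return uid_map, gid_map

def translate(uid, gid, uid_map, gid_map):
    """Return (new_uid, new_gid), or None when neither id appears in the table."""
    new = (uid_map.get(uid, uid), gid_map.get(gid, gid))
    return None if new == (uid, gid) else new

def iter_paths(root):
    """Yield root and everything below it; os.walk does not follow symlinks."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)

def remap_tree(root, uid_map, gid_map, dry_run=True):
    """Chown each inode under root whose owner/group is in the table; return the count."""
    seen, changed = set(), 0
    for path in iter_paths(root):
        st = os.lstat(path)  # act on the link itself, never its target
        if (st.st_dev, st.st_ino) in seen:  # hard links share one inode: chown once
            continue
        seen.add((st.st_dev, st.st_ino))
        ids = translate(st.st_uid, st.st_gid, uid_map, gid_map)
        if ids is None:
            continue
        changed += 1
        if dry_run:
            print(f"{path}: {st.st_uid}:{st.st_gid} -> {ids[0]}:{ids[1]}")
            continue
        os.lchown(path, *ids)
        # Linux clears setuid/setgid on regular files after chown; put them back
        if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            os.chmod(path, stat.S_IMODE(st.st_mode))
    return changed

if __name__ == "__main__":  # usage: remap.py MAP.csv ROOT [--apply]
    uids, gids = load_map(sys.argv[1])
    dry = "--apply" not in sys.argv[3:]
    print(remap_tree(sys.argv[2], uids, gids, dry_run=dry), "inodes affected")
```

Run the dry run first and diff its output against the expected mapping before passing --apply; the cost scales with the number of inodes walked, not the bytes stored, as Chris notes below.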
Thanks Chris for your reply. My only worry with that solution is that some of our servers have huge storage attached, in the hundreds of terabytes, and going through that much storage will be a lengthy job and a long downtime for the application in the case of shared storage. So I was thinking that hard-coding the existing users in sssd would make life easier.
Well, it's more a question of the number of files, not the hundreds of terabytes. The reassignment of ownership permissions to files operates on the inode of the file, not the file itself.
Chris Paul - Rex Consulting
On Mon, Jul 13, 2020 at 11:19:42AM -0000, Vjay wrote:
Hi,
While SSSD allows you to define local overrides (see man sss_override for details), I would not recommend using it in your case.
Afaik you can just migrate the unix attributes to the new AD DC. Although the unix attributes cannot be managed anymore in the 'Unix Attributes' tab of AD's 'Users and Computers' utility, the underlying LDAP schema still supports those attributes. You can still edit the attributes with the 'Attribute Editor' tab, which is available if you switch on 'Advanced Features' in the 'View' menu.
HTH
bye, Sumit
You can use a real LDAP store (like 389 Server, aka RHDS) while still using MS Kerberos for your authentication. The real LDAP just becomes your attribute store, while AD continues to provide your KDC.
You'll need to change the mode for the SSSD domain from AD to the individual options for authentication (krb5) and directory (ldap), including all of the schema/object differences that have to be manually entered in the SSSD domain block (as they will differ for 389 or OpenLDAP), etc. But it'll work, as long as you're using the real LDAP for your tree in the SSSD domain (and legacy ldap.conf).
You won't get all the AD features, and LDAP won't be GSSAPI-integrated with MS Kerberos. But you'll get your Kerberos tickets for users, you can still get keytabs cut from AD, and your existing attributes will come over with the same UID, GID, etc.