On Tue, Jan 15, 2019 at 02:19:33PM -0500, vadud3(a)gmail.com wrote:
On Sat, Jan 12, 2019 at 12:22 PM John Hearns
<hearnsj(a)googlemail.com> wrote:
> Emmm.. Do you need the AD Administrator password? Why?
>
I do not need that. I know that.
>
> If you need to join a Linux system to the AD domain you can ask the AD
> administrator to do this.
> Or you can have a service account set up on AD which has the permissions
> to join to the domain.
>
Right, that is what Sumit suggested as well
# realm join -U vadud3 ad.example.net
Password for vadud3:
See: journalctl REALMD_OPERATION=r10925.4111
realm: Couldn't join realm: Insufficient permissions to join the domain ad.example.net
# journalctl REALMD_OPERATION=r10925.4111
-- Logs begin at Tue 2019-01-15 08:11:19 PST, end at Tue 2019-01-15 11:14:40 PST. --
Jan 15 11:13:24 centos7 realmd[4114]: * Resolving: _ldap._tcp.ad.example.net
Jan 15 11:13:24 centos7 realmd[4114]: * Performing LDAP DSE lookup on: 192.168.1.51
Jan 15 11:13:25 centos7 realmd[4114]: * Successfully discovered: ad.example.net
Jan 15 11:13:30 centos7 realmd[4114]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Jan 15 11:13:30 centos7 realmd[4114]: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.CDOLVZ -U vadud3 ads join ad.example.net
Jan 15 11:13:39 centos7 realmd[4114]: Enter vadud3's password:
Jan 15 11:13:39 centos7 realmd[4114]: Failed to join domain: User specified does not have administrator privileges
Jan 15 11:13:39 centos7 realmd[4114]: ! Insufficient permissions to join the domain ad.example.net
So yes, I will need an account with sufficient privilege to join AD.
Is there a way to talk to AD over a proxy? For our environment that would
reduce the number of firewall update requests.
I think you typically use read-only domain controllers (RODC) in a
network segment where the clients are for this.
HTH
bye,
Sumit
> On Fri, 11 Jan 2019 at 16:03, <vadud3(a)gmail.com> wrote:
>
>>
>>
>> On Fri, Jan 11, 2019 at 6:50 AM Sumit Bose <sbose(a)redhat.com> wrote:
>>
>>> On Wed, Jan 09, 2019 at 12:47:34PM -0500, vadud3(a)gmail.com wrote:
>>> > Looking for suggestion on ID mapping.
>>> >
>>> > I need to point to a ID provider over proxy
>>> >
>>> > I have not found a concrete solution or some hint about how to setup a
>>> > proxy to a ID provider and how sssd can point to that proxy for ID
>>> mapping.
>>>
>>> Can you rephrase your question? 'ID provider over proxy' sounds like you
>>> want some more details about SSSD's proxy provider as described in the
>>> sssd.conf man page. But this is unrelated to what I associate typically
>>> with 'ID mapping'. Please give a bit more details about what you are
>>> trying to achieve.
>>>
>>>
>> I am looking for a ID mapping solution. I do see following providers.
>>
>> “proxy”: Support a legacy NSS provider.
>>
>> “local”: SSSD internal provider for local users (DEPRECATED).
>>
>> “files”: FILES provider. See sssd-files(5) for more
>> information on how to mirror local users and groups into SSSD.
>>
>> “ldap”: LDAP provider. See sssd-ldap(5) for more information
>> on configuring LDAP.
>>
>> “ipa”: FreeIPA and Red Hat Enterprise Identity Management
>> provider. See sssd-ipa(5) for more information on
>> configuring FreeIPA.
>>
>> “ad”: Active Directory provider. See sssd-ad(5) for more
>> information on configuring Active Directory.
>>
>> I am looking for a suggestion.
>> ad - won't work as we will not be provided the Administrator password
>> ldap - won't work as IT says not to use LDAP and to use Kerberos instead
>> for all things UNIX auth, and to use /etc/passwd for id (yikes, we have
>> 100s of servers to manage)
>> files - I am not sure how to have central files for all accounts
>> local - seems deprecated
>> proxy - I am not sure how to set that up, but seems like easier for a
>> central ID provider?
>>
>> Please advise
>>> bye,
>>> Sumit
>>>
>>> >
>>> > All my servers are CentOS 7.
>>> >
>>> >
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
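The two points raised in this thread, joining without the Administrator password and keeping client-to-DC traffic inside the local segment with read-only domain controllers, written out as one sssd.conf for the AD provider with SID-based ID mapping. This is an added example, not configuration posted in the thread or shipped by the SSSD project. The host names rodc1/rodc2.ad.example.net, the OU path, the service account svc-linuxjoin and the ID ranges are assumptions; replace them with your own.

```ini
# /etc/sssd/sssd.conf   (chmod 0600, owned by root; restart sssd after editing)
#
# Assumed one-time join with a delegated account instead of Administrator.
# The account only needs rights on the target OU to create computer objects
# and write their attributes; the AD admin can delegate that without handing
# over a privileged password. Without it, "net ads join" reports exactly the
# "User specified does not have administrator privileges" error seen above.
#
#   realm join --computer-ou="OU=Linux,OU=Servers,DC=ad,DC=example,DC=net" \
#              -U svc-linuxjoin ad.example.net
#
# The join itself still has to reach a writable DC once; everything below
# (lookups, Kerberos, access control) is pinned to the RODCs in the segment.

[sssd]
config_file_version = 2
domains = ad.example.net
services = nss, pam

[domain/ad.example.net]
id_provider = ad
access_provider = ad
ad_domain = ad.example.net
krb5_realm = AD.EXAMPLE.NET

# Pin the client to the RODCs reachable from this network segment instead of
# letting SRV discovery pick any DC in the forest; that is what otherwise
# generates a new firewall request per DC. _srv_ as the backup means SRV
# discovery is used only when every listed server is unreachable.
ad_server = rodc1.ad.example.net, rodc2.ad.example.net
ad_backup_server = _srv_

# RODCs do not accept writes, so do not let the host try to update its own
# DNS record through them.
dyndns_update = False

# ID mapping: UIDs/GIDs are derived algorithmically from each object's SID,
# so no uidNumber/gidNumber attributes in AD and no /etc/passwd distribution
# are needed. The range settings must be identical on every host, otherwise
# the same user gets different UIDs on different servers.
ldap_id_mapping = True
ldap_idmap_range_min = 200000
ldap_idmap_range_max = 2000200000
ldap_idmap_range_size = 200000

# Offline behaviour and local presentation.
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = False
fallback_homedir = /home/%u
default_shell = /bin/bash
```

Two caveats a practitioner should check before relying on this. First, an RODC only answers Kerberos and password checks locally for accounts (the computer account of this host included) that its Password Replication Policy allows it to cache; for anything else it forwards the request to a writable DC, so the firewall path from the RODC to a writable DC must exist even though the clients themselves no longer need one. Second, `ad_server` disables DC discovery for that domain, so adding or retiring an RODC means touching every client's sssd.conf (or managing it centrally); `realm list` and `klist -k` on a joined host confirm the realm configuration and the keytab written by the join.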