On Wed, Jun 28, 2017 at 01:03:45PM -0400, Chris Dagdigian via FreeIPA-users wrote:
> I have a set of servers that CANNOT become enrolled IDM clients due to a
> vendor refusing to support this type of config.
> This server fleet is directly bound to an AD system via the standard non-IPA
> "realm join ..." type commands.
> Since I can't bring these servers "into the fold" so to speak, at the very
> least I would love to offset at least one potential future problem by seeing
> if I can help them configure sssd.conf on their local machines to use the
> same AD SID-to-UID algorithm (complete with custom ID Range values that we
> have enabled on the IPA master) so that they at least get the same UID and
> GID values for their AD users as the same user would get if they logged into
> the much larger fleet of IDM-managed servers.
> Hope I'm asking the question properly -- in a nutshell I'm wondering how to
> trick a standalone sssd.conf file so that it uses the same SID-to-UID
> algorithm that an IDM master would use. This would at least let me get
> consistent UID/GID values across my fleet of enrolled vs. non-enrolled IDM
> clients! Tips or advice appreciated even if the response is "heck no; you
> can't do that..."
So is the requirement absolutely to have the machines enrolled as part
of the AD domain?
If not, have you considered pointing the clients towards the compat tree
and using a plain LDAP setup, if your vendor supports that?
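For readers who do want to try the sssd.conf route the question asks about, the following [domain] stanza is an added illustration (not from this thread, nor a FreeIPA-supplied configuration) of how a directly AD-joined host's SSSD can be pinned to the same SID-to-UID arithmetic an IPA master applies to a trusted AD domain. It assumes the IPA trust range is of the default ipa-ad-trust type (algorithmic mapping, IDs not read from AD POSIX attributes). The domain name, domain SID and range numbers are placeholders; the real base_id and range_size come from `ipa idrange-find` on the IPA master, and the domain SID from the same range entry.

```ini
[domain/ad.example.test]
# Placeholder AD domain; the host is joined with "realm join", not ipa-client-install
id_provider = ad
access_provider = ad
ad_domain = ad.example.test
krb5_realm = AD.EXAMPLE.TEST
cache_credentials = True
use_fully_qualified_names = True

# Algorithmic mapping, as IPA does for an ipa-ad-trust range
ldap_id_mapping = True

# Pin this AD domain to slice zero of the idmap, bypassing the hash-based
# slice selection, so that UID = ldap_idmap_range_min + RID.
# (Assumed: the SID below is the one shown as dom_sid in `ipa idrange-find`.)
ldap_idmap_default_domain = ad.example.test
ldap_idmap_default_domain_sid = S-1-5-21-1111111111-2222222222-3333333333

# Copy base_id and range_size verbatim from the IPA range for this domain.
# Placeholder values: base_id = 1605800000, range_size = 200000.
ldap_idmap_range_min = 1605800000
ldap_idmap_range_size = 200000
# One slice only: range_max = range_min + range_size
ldap_idmap_range_max = 1606000000
```

With the default domain pinned to slice zero, SSSD computes UID = range_min + RID, which matches IPA's base_id + RID only when range_min equals the IPA base_id and range_size equals the IPA range size, so keep the two values in lockstep when the range on the master is ever changed. Any user or group whose RID is at or above range_size falls outside the single slice and will not resolve at all rather than getting a different ID, which is the failure to watch for. Verify parity by running `id user@ad.example.test` on one enrolled and one non-enrolled host and comparing UID and primary GID. If the IPA range is instead of type ipa-ad-trust-posix (IDs taken from AD's uidNumber/gidNumber), set ldap_id_mapping = False and drop the ldap_idmap_* lines; the POSIX attributes then give the same values on both fleets without any range arithmetic.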