I read it as:
- Configuring automount with Kerberos authentication and more automount
information.
- Using trusted domains with non-qualified names (shortnames).
- How auto-discovery of trusted domains works.
- How auto-discovery of AD site works.
Correct me if I'm wrong. Also I added some more comments below.
On 5/13/21 1:05 PM, Paweł Szafer wrote:
Hi,
I'm coming from other OS - Arch Linux. So from my point of view:
* for NSS you pasted full config file and it is great
https://sssd.io/docs/ad/ad-provider-manual.html#nss-pam-configuration
* do the same for pam.d config so nobody gets confused
This is problematic, since pam config has little but important
differences between distributions (I remember a critical security issue
when some distro copy&pasted Fedora configuration).
We can provide sample config for Fedora since that's what we use but we
would like to rely on community to provide samples for other distributions.
* add info on which sssd/krb5 version it was tested, so it would be
easier to troubleshoot if there is too old or too new sssd
Ack.
* I'd like to see some manual how to properly configure automount with
AD with krb5 ticket authentication
* some extra info about systemd-automount, if possible, if it would work
with DFS etc, as systemd-automount gets more popular (autofs was
for some reason removed from Arch repos :( )
* maybe what is possible to fetch with GPO for Linux (printers with
CUPS, shares with automount?), I read only this
https://sssd.io/design-pages/active_directory_gpo_integration.html
* more screenshots how to configure GPO, LDAP schema in Windows eg. I
see in man sssd-ad line "When the autofs provider is set to “ad”,
the RFC2307 schema attribute mapping (nisMap, nisObject, ...) is
used, because these attributes are included in the default Active
Directory schema.". It would be extra feature to read more on your
website with screenshots
* maybe PAM.D + AD configure of Smartcard implementation
* I can't find myself in menu schema. I googled this site:
https://sssd.io/design-pages/autofs_integration.html ; I have no
idea how to get there if coming from https://sssd.io
Would it help if "List of Design Pages" is highlighted in this case?
Anyway, nowadays SSSD has great docs anyway! Thanks for your work!
Thanks for the feedback.
-----
Pawel
On Wed, 12 May 2021 at 23:15, Spike White <spikewhitetx(a)gmail.com> wrote:
Pavel,
To me, what was most helpful in the old documentation was the
architectural discussions embedded in the enhancement requests.
When the requests were satisfied.
Examples:
use of short names in non-local domains
auto-discovery of trusted domains
For instance, until I read that discussion I was unaware that if you
turned off auto-discovery and explicitly defined each child domain,
that sssd would no longer contact the global catalog (GC) and thus,
full membership in universal groups was not found. Only if you
turned on auto-discovery did the sssd code query the GC. This is
not intuitive, so having that documentation was a great help.
Another example is the discussion of that better discovery algorithm
for AD DCs. It came out in a recent sssd release, maybe in the
last 6-9 months. But I can't find that algorithm discussion now.
Spike
On Wed, May 12, 2021 at 7:15 AM Pavel Březina <pbrezina(a)redhat.com
<mailto:pbrezina@redhat.com>> wrote:
Dear SSSD community,
we have recently introduced new SSSD project web page at
https://sssd.io. We would like to keep adding new content, we have
plenty of ideas but we would also like to get some tips from you:
What articles would you like to see on the page? What knowledge gaps are
hard to fill with existing documentation? Feel free to suggest both user
and developer facing content.
Thanks,
Pavel
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
<mailto:sssd-users@lists.fedorahosted.org>
To unsubscribe send an email to
sssd-users-leave(a)lists.fedorahosted.org
<mailto:sssd-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure