Yes, you can use your existing NIS servers for authorization AND use Kerberos for authentication - no need for sssd here. You just need to make sure all users in your NIS passwd table also have accounts in AD.

Ondrej
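One way to check the precondition named in the reply above (every user in the NIS passwd table also has an AD account), as an added example that is not part of the original thread. The passwd text and the AD account list are constructed sample data; in practice they would come from `ypcat passwd` and an export of account names from AD, and the function names are hypothetical.

```python
# Added example, not from the thread. All sample data below is constructed.
from collections import defaultdict

NIS_PASSWD = """\
alice:x:1001:100:Alice Example:/home/alice:/bin/bash
Bob:x:1002:100:Bob Example:/home/bob:/bin/bash
carol:x:1003:100:Carol Example:/home/carol:/bin/sh
svc_backup:x:1003:100:Backup job:/var/backup:/bin/sh
+::::::
not-a-passwd-line
"""
AD_ACCOUNTS = ["alice", "bob", "svc_backup"]  # constructed export of AD account names


def parse_passwd(text):
    """Split passwd-format text into (entries, rejected_lines)."""
    entries, rejected = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        # Reject NIS compat markers (+/-) and lines without 7 fields or a numeric UID.
        if line[0] in "+-" or len(fields) != 7 or not fields[2].isdigit():
            rejected.append(line)
            continue
        entries.append({"login": fields[0], "uid": int(fields[2])})
    return entries, rejected


def audit(entries, ad_accounts):
    """Report NIS logins with no AD account to authenticate as, and shared UIDs."""
    exact = set(ad_accounts)
    folded = {name.lower() for name in ad_accounts}
    report = {"missing_in_ad": [], "case_only_match": [], "shared_uids": {}}
    by_uid = defaultdict(list)
    for entry in entries:
        by_uid[entry["uid"]].append(entry["login"])
        if entry["login"] in exact:
            continue
        # A name that matches only after case folding is listed for manual review.
        key = "case_only_match" if entry["login"].lower() in folded else "missing_in_ad"
        report[key].append(entry["login"])
    # Authorization still comes from NIS, so logins on one UID share file access.
    report["shared_uids"] = {u: names for u, names in by_uid.items() if len(names) > 1}
    return report


if __name__ == "__main__":
    parsed, bad = parse_passwd(NIS_PASSWD)
    print(audit(parsed, AD_ACCOUNTS), "rejected:", bad)
```

Logins under `missing_in_ad` would have identity data from NIS but nothing to authenticate against once Kerberos handles logins.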
On 10/16/2012 02:25 PM, Longina Przybyszewska wrote:
Hi,
Thanks, but actually I asked if I can use *Linux NIS* server for authorization.
You say I have to move NIS maps into AD and use Windows NIS – that means “no”?
All users at my site have accounts in AD, and in addition, Linux users have Linux accounts in respective NIS domains.
In AD there are 3 domains for users accounts, in Linux, several other.
Can Windows NIS manage multiple domains?
I am not able to perform migration, as we have the Windows team dealing with MSWins and
have to wait until they WILL do that.
I have admin credentials but am not authorized to more than create user and computer account.
Saying so – is there anything I can do now with sssd, in the existing environment, to improve authentication on Linux (using AD Kerberos
for authentication and existing Linux NIS server for the rest)?
Best regards
*Longina Przybyszewska* Systems Programmer, IT Services
Tel. +45 6550 2359 · Mobile +45 6011 2359 · Fax +45 6550 2467 · longina@sdu.dk · Web http://www.sdu.dk/ansat/longina · Addr. Campusvej 55, DK-5230 Odense M, Denmark
*Campusvej 55 · DK-5230 Odense M · Denmark · Tel. +45 6550 1000 · http://www.sdu.dk/*
*From:* sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] *On Behalf Of* Ondrej Valousek
*Sent:* 16 October 2012 13:14
*To:* End-user discussions about the System Security Services Daemon
*Subject:* Re: [SSSD-users] sssd and difrent repositories
Yes, it is. sssd will do the first task for you and for the second you need to install IDMU (Identity mgmt for Unix) and its migration assistant to migrate your maps into AD. Just note you will need Windows server 2003 R2 or newer for this (older AD schema is incompatible w/ sssd).

Ondrej
On 10/16/2012 12:21 PM, Longina Przybyszewska wrote:
Hi list,

I am going to set up a proof-of-concept installation of Ubuntu (Precise) client/server using sssd to authenticate/authorize against Active Directory. At this moment everything seems to be a challenge - as I am an exclusive (ok ;-) almost exclusive...) hard core Linux user.

As our Windows team is not ready with the AD schema for Unix, my first exercise could be:
- get login/ssh authenticate (and change passwd) against AD
- get uid/gid/auto.home map/shell from existing Linux NIS server

Is my plan realistic?
Best regards
Longina Przybyszewska, Systems Programmer, IT Services
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Jakub Hrozek
Sent: 12 October 2012 22:40
To: sssd-devel@lists.fedorahosted.org; sssd-users@lists.fedorahosted.org; freeipa-interest@redhat.com
Subject: [SSSD-users] Announcing SSSD 1.9.2
=== SSSD 1.9.2 ===
The SSSD team is proud to announce the release of version 1.9.2 of the System Security Services Daemon.
This is mostly a bugfix release again. I am going to branch off the 1.9 branch from master so that we can start including the 1.10 features in master.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora shortly, initially for F-18 and rawhide and later also backported to F-17.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists:
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* Users or groups from trusted domains can be retrieved by UID or GID as well
* Several fixes that mitigate file descriptor leak during logins
* SSH host keys are also removed from the cache after being removed from the server
* Fix intermittent crash in responders if the responder was shutting down while requests were still pending
* Catch an error condition that might have caused a tight loop in the sssd_nss process while refreshing expired enumeration request
* Fixed memory hierarchy of subdomains discovery requests that caused use-after-free access bugs
* The krb5_child and ldap_child processes can print libkrb5 tracing information in the debug logs
== Tickets Fixed ==
* https://fedorahosted.org/sssd/ticket/1008 Make sssd api conf file location configurable
* https://fedorahosted.org/sssd/ticket/1319 group lookups optimizations for IPA
* https://fedorahosted.org/sssd/ticket/1499 Add details about TGT validation to sssd-krb5 man page
* https://fedorahosted.org/sssd/ticket/1512 [sssd[krb5_child[PID]]]: Credential cache directory /run/user/UID/ccdir does not exist
* https://fedorahosted.org/sssd/ticket/1514 [abrt] sssd-1.8.4-13.fc16: __GI_exit: Process /usr/libexec/sssd/sssd_pam was killed by signal 6 (SIGABRT)
* https://fedorahosted.org/sssd/ticket/1539 Collect Krb5 Trace on High Debug Levels
* https://fedorahosted.org/sssd/ticket/1551 sssd_nss process hangs, stuck in loop; "self restart" does recover, but old process hangs around using 100% CPU
* https://fedorahosted.org/sssd/ticket/1561 getting user/group entry by uid/gid sometimes fails
* https://fedorahosted.org/sssd/ticket/1569 Use pam_set_data to close the fd in the pam module
* https://fedorahosted.org/sssd/ticket/1571 sssd_nss intermittent crash
* https://fedorahosted.org/sssd/ticket/1574 SSH host keys are not being removed from the cache
== Packaging Changes ==
* The libsss_sudo-devel package no longer contains the package-config file. The libsss_sudo-devel shared object has been moved to the libsss_sudo package.
== Detailed Changelog ==
E Deon Lackey (1):
* Fix language errors in the sssd-krb5.conf man page

Jakub Hrozek (14):
* Bumping the version to 1.9.1 release
* Fix uninitialized pointer read in ssh_host_pubkeys_update_known_hosts
* Fix segfault when ID-mapping an entry without a SID
* Fix memory hierarchy in subdomains discovery
* PAM: close socket fd with pam_set_data
* Couple of specfile fixes
* Remove libsss_sudo.pc and move libsss_sudo.so to libsss_sudo
* Two fixes to child processes
* Collect krb5 trace on high debug levels
* PAM: fix handling the client fd in pam destructor
* Create ghost users when a user DN is encountered in IPA
* Only call krb5_set_trace_callback on platforms that support it
* MAN: improve wording of default_domain parameter
* Updating the translations for the 1.9.2 release

Jan Cholasta (1):
* SSH: When host keys are removed from LDAP, remove them from the cache as well

Ondrej Kos (1):
* Add more info about ticket validation

Pavel Březina (3):
* do not fail if POLLHUP occurs while reading data
* do not call dp callbacks when responder is shutting down
* nss_cmd_retpwent(): do not go into infinite loop if n < 0

Sumit Bose (3):
* Save time of last get_domains request
* Check for subdomains if getpwuid or getgrgid are the first requests
* Allow extdom exop to return flat domain name as well

Thorsten Scherf (1):
* Fixed: translation bug

Yuri Chornoivan (1):
* Fix typos
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users