You can use a real LDAP store (like 389 Server aka RHDS), while still using MS-Kerberos for your authentication. The real LDAP just becomes your attribute store, while AD continues to provides your KDC. 

You'll need to change your mode for the SSSD domain from AD to the individual options for authentication (krb5), directory (ldap), including all of the schema/object differences that have to be manually entered in the SSSD domain block (as they will differ from 389 or OpenLDAP), etc... But it'll work, as long as you're using the real LDAP for your tree in the SSSD domain (and legacy ldap.conf).

You won't get all the AD features and LDAP won't be GSSAPI integrated with MS-Kerberos. But you'll get your Kerberos tickets for users, you can still get Keytabs cut from AD, all while your existing attributes will come over with thr sane UID, GID, etc... 



--
Sent from my Moto G7 Power, apologies for any brevity as well as the satanic versus of autocorrect
Bryan J Smith - http://linkedin.com/in/bjsmith
   

On Tue, Aug 4, 2020, 01:16 Sumit Bose <sbose@redhat.com> wrote:
On Mon, Jul 13, 2020 at 11:19:42AM -0000, Vjay  wrote:
> Hi Friends,
>
> As a security requirement, we have to migrate LDAP servers from one active directory domain to other active directory domain. Old active directory LDAP servers are providing unix attributes for linux servers(centos 7) while new active directory LDAP servers don't so we have to migrate unix attribute management to sssd, which will change userid and groupid of all users.
> Does SSSD provide feature to keep / store userid and groupid from old domain of users so we don't have change file ownership on linux server side for the files owned by active directory users?

Hi,

while SSSD allows to define local overrides, see man sss_override for
details, I would not recommend to use it in your case.

Afaik you can just migrate the unix attribute to the new AD DC. Although
the unix attributes cannot be manage anymore in the 'Unix Attributes'
tab of AD's 'Users and Computers' utility the underlying LDAP schema
still supports those attributes. You can still edit the attributes with
the 'Attribute Editor' tab which is available if you switch one
'Advanced Features' in the 'View' menu.

HTH

bye,
Sumit

>
> Regards,
> Vjay
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org