Thanks guys for your clarification, I will find another method.

From: Tomas Halman <thalman@redhat.com>
Sent: Tuesday, September 13, 2022 9:19
To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org>
Subject: [SSSD-users] Re: Reply: Re: AD refresh GPO to Ubuntu22.04
 
In that case Gregory is right, SSSD cares about the access control.
I thought that you were looking for this kind of functionality. Sorry for misunderstanding...

Tom

On Tue, Sep 13, 2022 at 6:11 AM Gregory Carter <gjcarter2@gmail.com> wrote:
I wanted to point out exactly what sssd support is provided with regards to Active Directory.  Windows workstation/server management is not one of them and I think it is important people understand that.

Most of the questions I get are around Windows configuration questions, and due to that confusion people think sssd magically translates Windows settings into compatible Linux equivalents.

That is not the case.

On Mon, Sep 12, 2022 at 5:54 PM 昭翰 任 <zhaohan.ren@hotmail.com> wrote:
Thanks Tomáš & Gregory for your response

You are right, sssd has some GPO-related settings (e.g. ad_gpo_access_control/ad_gpo_implicit_deny/ad_gpo_cache_timeout/...), however these are for access control, not what I want. What I want is customized GPO settings that AD could refresh/push to all the clients, for example:

I have an AD(winserver2012) and some clients(Win10, Ubuntu22.04), there is an ADMX policy which defines the max DPI that could be used when printing a document, this ADMX policy has been deployed correctly on the AD, what I expect is when I change the max DPI value on the AD, both Win10 and Ubuntu(maybe stored at somewhere on the disk?) could get the latest max DPI I setup on AD.

However I found Win10 could get the latest DPI value, but the Linux system doesn't get any update.

Does sssd support the scenario I described above?

BRs



From: Gregory Carter <gjcarter2@gmail.com>
Sent: Monday, September 12, 2022 16:44
To: End-user discussions about the System Security Services Daemon <sssd-users@lists.fedorahosted.org>
Subject: [SSSD-users] Re: AD refresh GPO to Ubuntu22.04
 
Excellent, so please share with the list what windows settings I can use GPO on from my Linux box.

On Mon, Sep 12, 2022 at 2:44 AM Tomas Halman <thalman@redhat.com> wrote:
There actually is GPO support in SSSD.

Looking at the man page (sssd-ad), you have to use the "ad" provider and tune a few options regarding GPO, particularly ad_gpo_access_control and ad_gpo_implicit_deny.

If it is not working for you, can you share the sssd.conf? Eventually you can increase the SSSD debug_level and look into logs if there is something wrong with GPO evaluation.

HTH
Tomáš

On Sat, Sep 10, 2022 at 2:53 AM Gregory Carter <gjcarter2@gmail.com> wrote:
There is no such thing as a GPO for a LINUX box.

That being said I use Puppet to do basically the same thing.  (i.e. Bring LINUX, MAC, Windows to bear on a common LDAP policy schema I created to enforce machine configurations, authentication and security policies.)

On Fri, Sep 9, 2022 at 12:56 AM 任 昭翰 <zhaohan.ren@hotmail.com> wrote:
Hi guys
 
I have an Ubuntu22.04 client which joined an AD (winserver 2012) server by sssd + realm. In the AD I have a customized GPO; is it possible that the AD refresh/push the GPO to the Ubuntu machine? I also have a win10 client that also joined this AD, and the win10 client could receive the GPO update successfully from the AD.
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue


--
Tomáš Halman



--
Tomáš Halman
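
The GPO access-control options named in this thread, shown as an added sssd.conf fragment that is not from any poster; the domain name example.com and the chosen values are assumptions for illustration. These options only decide who may log in to the Linux host and do not apply other policy settings, such as the print DPI policy discussed above.

```ini
# Added example: sssd.conf using the "ad" provider with GPO-based access control.
# example.com is a placeholder domain; values are illustrative assumptions.

[sssd]
services = nss, pam
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = ad

# disabled   - GPO access rules are neither evaluated nor enforced
# permissive - rules are evaluated, a would-be denial is only logged to syslog
# enforcing  - rules are evaluated and a denial blocks the login
ad_gpo_access_control = enforcing

# False - users are allowed when no applicable GPO is found
# True  - users are allowed only when a GPO rule explicitly permits them
ad_gpo_implicit_deny = True

# Seconds between lookups of GPO policy files on the AD server
ad_gpo_cache_timeout = 5

# Raise verbosity while troubleshooting GPO evaluation, then check the
# domain log under /var/log/sssd/
debug_level = 6
```

Switching from permissive to enforcing is safest after reviewing the syslog messages that permissive mode emits, since a missing allow rule combined with ad_gpo_implicit_deny = True locks users out.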