Thanks.

Below is sssd.conf for the POSIX users.

Would making another domain group named [domain/INT.DOMAIN.COM] conflict? Can we name it to identify what is different between them?

```ini
[sssd]
debug_level = 3
domains = int.domain.com
config_file_version = 2
reconnection_retries = 3
services = nss, pam

[nss]
reconnection_retries = 3
debug_level = 3
filter_groups = root
filter_users = root

[pam]
debug_level = 3
reconnection_retries = 3

[domain/int.domain.com]
debug_level = 3
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = simple
simple_allow_groups = unix-admin, unix-backup, unix-sudo
ldap_group_nesting_level = 0
cache_credentials = true
min_id = 10000
max_id = 20000
enumerate = false
ldap_referrals = false
ldap_uri = ldaps://ldapad.int.domain.com/
ldap_id_mapping = False
ldap_schema = rfc2307
ldap_group_member = memberuid
ldap_search_base = dc=int,dc=domain,dc=com
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_tls_reqcert = hard
ldap_default_bind_dn = ...
```

-- 
Sean Roberts
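As an added example of the two-section layout Sumit suggests (this is not from either mail and not SSSD's own documentation): one sssd.conf that keeps the posted POSIX domain and adds a second, ID-mapped domain over the same AD for the plain AD users. The domain labels `posix` and `ad`, the `base?scope?filter` search bases that split the two populations on the presence of `uidNumber`/`gidNumber`, the AD login group, and the bind DN are assumptions.

```ini
[sssd]
domains = posix, ad
config_file_version = 2
services = nss, pam

# POSIX users: the configuration already posted, restricted to entries that
# actually carry POSIX attributes so the plain AD accounts are never returned here.
[domain/posix]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = simple
simple_allow_groups = unix-admin, unix-backup, unix-sudo
ldap_uri = ldaps://ldapad.int.domain.com/
ldap_tls_reqcert = hard
ldap_id_mapping = False
ldap_schema = rfc2307
ldap_user_object_class = user
ldap_group_object_class = group
ldap_group_member = memberuid
ldap_user_home_directory = unixHomeDirectory
ldap_search_base = dc=int,dc=domain,dc=com
# base?scope?filter syntax (assumed split): only objects with a uidNumber/gidNumber
ldap_user_search_base = dc=int,dc=domain,dc=com?subtree?(uidNumber=*)
ldap_group_search_base = dc=int,dc=domain,dc=com?subtree?(gidNumber=*)
min_id = 10000
max_id = 20000
cache_credentials = true
enumerate = false
ldap_referrals = false
ldap_default_bind_dn = CN=PLACEHOLDER-BIND-ACCOUNT,DC=int,DC=domain,DC=com

# Plain AD users: no uidNumber exists, so IDs are mapped from the objectSID.
# The mapped range starts far above 20000 by default, so it cannot collide
# with the POSIX min_id/max_id window above; no chown is needed on either side.
[domain/ad]
id_provider = ldap
auth_provider = ldap
access_provider = simple
simple_allow_groups = PLACEHOLDER-AD-LOGIN-GROUP
ldap_uri = ldaps://ldapad.int.domain.com/
ldap_tls_reqcert = hard
ldap_id_mapping = True
ldap_schema = ad
# complement of the POSIX filter: only objects without POSIX attributes
ldap_user_search_base = dc=int,dc=domain,dc=com?subtree?(!(uidNumber=*))
ldap_group_search_base = dc=int,dc=domain,dc=com?subtree?(!(gidNumber=*))
# force user@ad / user@posix so a lookup never silently picks the wrong domain
use_fully_qualified_names = True
cache_credentials = true
enumerate = false
ldap_referrals = false
ldap_default_bind_dn = CN=PLACEHOLDER-BIND-ACCOUNT,DC=int,DC=domain,DC=com
```

After restarting sssd, `id someuser@posix` and `id someuser@ad` should each resolve in exactly one domain; a user appearing in both indicates the search filters do not partition the directory as assumed.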


On Tue, Jan 8, 2019 at 12:20 PM Sumit Bose <sbose@redhat.com> wrote:
On Tue, Jan 08, 2019 at 11:29:32AM +0000, Sean Roberts wrote:
> I'm working on an AD where they've completely separate normal AD users and
> POSIX users.
> - AD: All employees have a user.
> - POSIX: Certain employees get a separate user which is used for POSIX use
> cases. *(Usernames are prefixed so they never collide). *Their groups are
> only POSIX groups.
>
> How can SSSD get both sets of users and their groups?
>
> Could we create a separate [domain/...] for each? Would overrides in
> [application/...] work?
>
> Currently SSSD is only getting the POSIX users and ldap_id_mapping=false is
> set. We can't really disable that without massive `chown`s across all the
> systems.

Hi,

I think having two [domain/...] sections, one for each set of users, would be
best. But it would be good to see your current sssd.conf (sanitized if
needed) to better understand how the group memberships are defined for
the POSIX users, because there are multiple ways this can be done
with AD.

bye,
Sumit

>
> --
> Sean Roberts

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org