11:10 p.m.
I wanted to point out exactly what sssd support is provided with regards to
Active Directory. Windows workstation/server management is not one of them
and I think it is important people understand that.
Most of the questions I get are around Windows configuration questions and
due to that confusion people think sssd magically translates windows
setting into compatible Linux equivalents.
That is not the case.
On Mon, Sep 12, 2022 at 5:54 PM 昭翰 任 <zhaohan.ren(a)hotmail.com> wrote:
Thanks Tomáš & Gregory for your response
You are right, sssd has some GPO related
settings(e.g. ad_gpo_access_control/ad_gpo_implicit_deny/ad_gpo_cache_timeout/...),
however there are for access control, not what I want. What I want is a
customized GPO settings that AD could refresh/push to all the client side,
for example:
I have an AD(winserver2012) and some clients(Win10, Ubuntu22.04), there is
an ADMX policy which defines the max DPI that could be used when printing a
document, this ADMX policy has been deployed correctly on the AD, what I
expect is when I change the max DPI value on the AD, both Win10 and
Ubuntu(maybe stored at somewhere on the disk?) could get the latest max DPI
I setup on AD.
However I found Win10 could get the latest DPI value, but the Linux system
doesn't get any update.
Does sssd support the scenario I described above?
BRs
------------------------------
*From:* Gregory Carter <gjcarter2(a)gmail.com>
*Sent:* Monday, September 12, 2022 16:44
*To:* End-user discussions about the System Security Services Daemon <
sssd-users(a)lists.fedorahosted.org>
*Subject:* [SSSD-users] Re: AD refresh GPO to Ubuntu22.04
Excellent, so please share with the list what windows settings I can use
GPO on from my Linux box.
On Mon, Sep 12, 2022 at 2:44 AM Tomas Halman <thalman(a)redhat.com> wrote:
There actually is GPO support in SSSD.
Looking at the man page (sssd-ad), you have to use "ad" provider and tune
few options regarding gpo, particularly ad_gpo_access_control and
ad_gpo_implicit_deny.
If it is not working for you, can you share the sssd.conf? Eventually you
can increase the SSSD debug_level and look into logs if there is something
wrong with GPO evaluation.
HTH
Tomáš
On Sat, Sep 10, 2022 at 2:53 AM Gregory Carter <gjcarter2(a)gmail.com>
wrote:
There is no such thing as a GPO for a LINUX box.
That being said I use Puppet to do basically the same thing. (i.e. Bring
LINUX, MAC, Windows to bear on a common LDAP policy schema I created to
enforce machine configurations, authentication and security policies.)
On Fri, Sep 9, 2022 at 12:56 AM 任 昭翰 <zhaohan.ren(a)hotmail.com> wrote:
Hi guys
I have a Ubuntu22.04 client which joined to an AD(winserver 2012) server
by sssd + realm, in the AD I have a customized GPO, is it possible that the
AD refresh/push the GPO to the Ubuntu machine? I also have a win10 client
that also joined this AD, the win10 client could receive the GPO update
successfully from the AD.
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
--
Tomáš Halman
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
4:19 a.m.
New subject: 回复: Re: AD refresh GPO to Ubuntu22.04
In that case Gregory is right, SSSD cares about the access control.
I thought that you were looking for this kind of functionality. Sorry for
misunderstanding...
Tom
On Tue, Sep 13, 2022 at 6:11 AM Gregory Carter <gjcarter2(a)gmail.com> wrote:
I wanted to point out exactly what sssd support is provided with
regards
to Active Directory. Windows workstation/server management is not one of
them and I think it is important people understand that.
Most of the questions I get are around Windows configuration questions and
due to that confusion people think sssd magically translates windows
setting into compatible Linux equivalents.
That is not the case.
On Mon, Sep 12, 2022 at 5:54 PM 昭翰 任 <zhaohan.ren(a)hotmail.com> wrote:
> Thanks Tomáš & Gregory for your response
>
> You are right, sssd has some GPO related
> settings(e.g. ad_gpo_access_control/ad_gpo_implicit_deny/ad_gpo_cache_timeout/...),
> however there are for access control, not what I want. What I want is a
> customized GPO settings that AD could refresh/push to all the client side,
> for example:
>
> I have an AD(winserver2012) and some clients(Win10, Ubuntu22.04), there
> is an ADMX policy which defines the max DPI that could be used when
> printing a document, this ADMX policy has been deployed correctly on the
> AD, what I expect is when I change the max DPI value on the AD, both Win10
> and Ubuntu(maybe stored at somewhere on the disk?) could get the latest max
> DPI I setup on AD.
>
> However I found Win10 could get the latest DPI value, but the Linux
> system doesn't get any update.
>
> Does sssd support the scenario I described above?
>
> BRs
>
>
> ------------------------------
> *From:* Gregory Carter <gjcarter2(a)gmail.com>
> *Sent:* Monday, September 12, 2022 16:44
> *To:* End-user discussions about the System Security Services Daemon <
> sssd-users(a)lists.fedorahosted.org>
> *Subject:* [SSSD-users] Re: AD refresh GPO to Ubuntu22.04
>
> Excellent, so please share with the list what windows settings I can use
> GPO on from my Linux box.
>
> On Mon, Sep 12, 2022 at 2:44 AM Tomas Halman <thalman(a)redhat.com> wrote:
>
> There actually is GPO support in SSSD.
>
> Looking at the man page (sssd-ad), you have to use "ad" provider and tune
> few options regarding gpo, particularly ad_gpo_access_control and
> ad_gpo_implicit_deny.
>
> If it is not working for you, can you share the sssd.conf? Eventually you
> can increase the SSSD debug_level and look into logs if there is something
> wrong with GPO evaluation.
>
> HTH
> Tomáš
>
> On Sat, Sep 10, 2022 at 2:53 AM Gregory Carter <gjcarter2(a)gmail.com>
> wrote:
>
> There is no such thing as a GPO for a LINUX box.
>
> That being said I use Puppet to do basically the same thing. (i.e. Bring
> LINUX, MAC, Windows to bear on a common LDAP policy schema I created to
> enforce machine configurations, authentication and security policies.)
>
> On Fri, Sep 9, 2022 at 12:56 AM 任 昭翰 <zhaohan.ren(a)hotmail.com> wrote:
>
> Hi guys
>
> I have a Ubuntu22.04 client which joined to an AD(winserver 2012) server
> by sssd + realm, in the AD I have a customized GPO, is it possible that the
> AD refresh/push the GPO to the Ubuntu machine? I also have a win10 client
> that also joined this AD, the win10 client could receive the GPO update
> successfully from the AD.
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
>
>
> --
> Tomáš Halman
>
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
--
Tomáš Halman
9:56 p.m.
New subject: 回复: Re: AD refresh GPO to Ubuntu22.04
Thanks guys for your clarification, I will find other method.
________________________________
From: Tomas Halman <thalman(a)redhat.com>
Sent: Tuesday, September 13, 2022 9:19
To: End-user discussions about the System Security Services Daemon
<sssd-users(a)lists.fedorahosted.org>
Subject: [SSSD-users]Re: 回复: Re: AD refresh GPO to Ubuntu22.04
In that case Gregory is right, SSSD cares about the access control.
I thought that you were looking for this kind of functionality. Sorry for
misunderstanding...
Tom
On Tue, Sep 13, 2022 at 6:11 AM Gregory Carter
<gjcarter2@gmail.com<mailto:gjcarter2@gmail.com>> wrote:
I wanted to point out exactly what sssd support is provided with regards to Active
Directory. Windows workstation/server management is not one of them and I think it is
important people understand that.
Most of the questions I get are around Windows configuration questions and due to that
confusion people think sssd magically translates windows setting into compatible Linux
equivalents.
That is not the case.
On Mon, Sep 12, 2022 at 5:54 PM 昭翰 任
<zhaohan.ren@hotmail.com<mailto:zhaohan.ren@hotmail.com>> wrote:
Thanks Tomáš & Gregory for your response
You are right, sssd has some GPO related settings(e.g.
ad_gpo_access_control/ad_gpo_implicit_deny/ad_gpo_cache_timeout/...), however there are
for access control, not what I want. What I want is a customized GPO settings that AD
could refresh/push to all the client side, for example:
I have an AD(winserver2012) and some clients(Win10, Ubuntu22.04), there is an ADMX policy
which defines the max DPI that could be used when printing a document, this ADMX policy
has been deployed correctly on the AD, what I expect is when I change the max DPI value on
the AD, both Win10 and Ubuntu(maybe stored at somewhere on the disk?) could get the latest
max DPI I setup on AD.
However I found Win10 could get the latest DPI value, but the Linux system doesn't get
any update.
Does sssd support the scenario I described above?
BRs
________________________________
From: Gregory Carter <gjcarter2@gmail.com<mailto:gjcarter2@gmail.com>>
Sent: Monday, September 12, 2022 16:44
To: End-user discussions about the System Security Services Daemon
<sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>>
Subject: [SSSD-users] Re: AD refresh GPO to Ubuntu22.04
Excellent, so please share with the list what windows settings I can use GPO on from my
Linux box.
On Mon, Sep 12, 2022 at 2:44 AM Tomas Halman
<thalman@redhat.com<mailto:thalman@redhat.com>> wrote:
There actually is GPO support in SSSD.
Looking at the man page (sssd-ad), you have to use "ad" provider and tune few
options regarding gpo, particularly ad_gpo_access_control and ad_gpo_implicit_deny.
If it is not working for you, can you share the sssd.conf? Eventually you can increase the
SSSD debug_level and look into logs if there is something wrong with GPO evaluation.
HTH
Tomáš
On Sat, Sep 10, 2022 at 2:53 AM Gregory Carter
<gjcarter2@gmail.com<mailto:gjcarter2@gmail.com>> wrote:
There is no such thing as a GPO for a LINUX box.
That being said I use Puppet to do basically the same thing. (i.e. Bring LINUX, MAC,
Windows to bear on a common LDAP policy schema I created to enforce machine
configurations, authentication and security policies.)
On Fri, Sep 9, 2022 at 12:56 AM 任 昭翰
<zhaohan.ren@hotmail.com<mailto:zhaohan.ren@hotmail.com>> wrote:
Hi guys
I have a Ubuntu22.04 client which joined to an AD(winserver 2012) server by sssd + realm,
in the AD I have a customized GPO, is it possible that the AD refresh/push the GPO to the
Ubuntu machine? I also have a win10 client that also joined this AD, the win10 client
could receive the GPO update successfully from the AD.
_______________________________________________
sssd-users mailing list --
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>
To unsubscribe send an email to
sssd-users-leave@lists.fedorahosted.org<mailto:sssd-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________
sssd-users mailing list --
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>
To unsubscribe send an email to
sssd-users-leave@lists.fedorahosted.org<mailto:sssd-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Tomáš Halman
_______________________________________________
sssd-users mailing list --
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>
To unsubscribe send an email to
sssd-users-leave@lists.fedorahosted.org<mailto:sssd-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________
sssd-users mailing list --
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>
To unsubscribe send an email to
sssd-users-leave@lists.fedorahosted.org<mailto:sssd-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
_______________________________________________
sssd-users mailing list --
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>
To unsubscribe send an email to
sssd-users-leave@lists.fedorahosted.org<mailto:sssd-users-leave@lists.fedorahosted.org>
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
--
Tomáš Halman
589
days inactive
590
days old
sssd-users@lists.fedorahosted.org
2 comments
3 participants
participants (3)
-
Gregory Carter -
Tomas Halman -
昭翰 任