I'm working on an AD where they have completely separate normal AD users and POSIX users.
- AD: All employees have a user.
- POSIX: Certain employees get a separate user which is used for POSIX use cases. (Usernames are prefixed so they never collide.) Their groups are only POSIX groups.
How can SSSD get both sets of users and their groups?
Could we create a separate [domain/...] for each? Would overrides in [application/...] work?
Currently SSSD is only getting the POSIX users and ldap_id_mapping=false is set. We can't really disable that without massive `chown`s across all the systems.
On Tue, Jan 08, 2019 at 11:29:32AM +0000, Sean Roberts wrote:
I'm working on an AD where they have completely separate normal AD users and POSIX users.
- AD: All employees have a user.
- POSIX: Certain employees get a separate user which is used for POSIX use cases. (Usernames are prefixed so they never collide.) Their groups are only POSIX groups.
How can SSSD get both sets of users and their groups?
Could we create a separate [domain/...] for each? Would overrides in [application/...] work?
Currently SSSD is only getting the POSIX users and ldap_id_mapping=false is set. We can't really disable that without massive `chown`s across all the systems.
Hi,
I think having two [domain/...] sections, one for each set of users, would be best. But it would be good to see your current sssd.conf (sanitized if needed) to better understand how the group memberships are defined for the POSIX users, because there are multiple ways this can be done with AD.
bye, Sumit
-- Sean Roberts
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Thanks.
Below is sssd.conf for the POSIX users.
Would making another domain group named [domain/INT.DOMAIN.COM] conflict? Can we name it to identify what is different between them?
```
[sssd]
debug_level = 3
domains = int.domain.com
config_file_version = 2
reconnection_retries = 3
services = nss, pam

[nss]
reconnection_retries = 3
debug_level = 3
filter_groups = root
filter_users = root

[pam]
debug_level = 3
reconnection_retries = 3

[domain/int.domain.com]
debug_level = 3
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = simple
simple_allow_groups = unix-admin, unix-backup, unix-sudo
ldap_group_nesting_level = 0
cache_credentials = true
min_id = 10000
max_id = 20000
enumerate = false
ldap_referrals = false
ldap_uri = ldaps://ldapad.int.domain.com/
ldap_id_mapping = False
ldap_schema = rfc2307
ldap_group_member = memberuid
ldap_search_base = dc=int,dc=domain,dc=com
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_tls_reqcert = hard
ldap_default_bind_dn = ...
```
On Tue, Jan 08, 2019 at 12:38:09PM +0000, Sean Roberts wrote:
Thanks.
Below is sssd.conf for the POSIX users.
Would making another domain group named [domain/INT.DOMAIN.COM] conflict? Can we name it to identify what is different between them?
```
[sssd]
debug_level = 3
domains = int.domain.com
config_file_version = 2
reconnection_retries = 3
services = nss, pam

[nss]
reconnection_retries = 3
debug_level = 3
filter_groups = root
filter_users = root

[pam]
debug_level = 3
reconnection_retries = 3

[domain/int.domain.com]
debug_level = 3
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = simple
simple_allow_groups = unix-admin, unix-backup, unix-sudo
ldap_group_nesting_level = 0
cache_credentials = true
min_id = 10000
max_id = 20000
enumerate = false
ldap_referrals = false
ldap_uri = ldaps://ldapad.int.domain.com/
ldap_id_mapping = False
ldap_schema = rfc2307
ldap_group_member = memberuid
ldap_search_base = dc=int,dc=domain,dc=com
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_tls_reqcert = hard
ldap_default_bind_dn = ...
```
Thanks. So you are completely using the rfc2307 schema features of AD including the group memberships.
In this case you can add a second domain ideally with id_provider=ad to get the AD view of the users. The AD provider expects that the default keytab /etc/krb5.keytab contains Kerberos credentials for the host to access the LDAP service of the AD DCs. So it would be best to join the domain e.g. with 'adcli'.
I would really recommend using a completely different domain name, e.g. the NetBIOS domain name of the AD domain. Although the domain names from sssd.conf are treated as case-sensitive, the default behavior of the AD provider is to treat all names case-insensitively, in agreement with the behavior of AD.
HTH
bye, Sumit
-- Sean Roberts
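A two-domain sssd.conf along the lines Sumit describes, as an added example that is not part of the thread and not SSSD project documentation. It keeps Sean's rfc2307 section as posted and adds a second section driven by the AD provider and named after the NetBIOS domain. The name `INTDOM`, the `use_fully_qualified_names` setting and the explicit ID-mapping range values are assumptions for illustration; the host must already be joined (e.g. with `adcli join int.domain.com`) so that `/etc/krb5.keytab` holds the credentials the AD provider uses.

```ini
# Added example, not the thread's own config.
# Two domains: the existing rfc2307 POSIX domain (unchanged) and a new
# AD-provider domain named after the NetBIOS name ("INTDOM" is an assumed
# placeholder for the real NetBIOS domain name).
[sssd]
config_file_version = 2
services = nss, pam
debug_level = 3
reconnection_retries = 3
# Unqualified name lookups are tried in this order.
domains = int.domain.com, INTDOM

[nss]
debug_level = 3
reconnection_retries = 3
filter_users = root
filter_groups = root

[pam]
debug_level = 3
reconnection_retries = 3

# Existing POSIX-user domain, kept as posted: plain LDAP against AD using the
# rfc2307 attributes (uidNumber, gidNumber, memberUid) with no ID mapping, so
# the UIDs/GIDs already on disk stay valid and no chown is needed.
[domain/int.domain.com]
debug_level = 3
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = simple
simple_allow_groups = unix-admin, unix-backup, unix-sudo
ldap_uri = ldaps://ldapad.int.domain.com/
ldap_search_base = dc=int,dc=domain,dc=com
ldap_schema = rfc2307
ldap_id_mapping = False
ldap_group_member = memberuid
ldap_group_nesting_level = 0
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_tls_reqcert = hard
# Keep the existing bind account from the original config (elided in the thread).
ldap_default_bind_dn = ...
min_id = 10000
max_id = 20000
cache_credentials = true
enumerate = false
ldap_referrals = false

# New AD-provider domain for the regular employee accounts. The section name
# is the NetBIOS name so it cannot be confused with the rfc2307 domain above;
# ad_domain points at the real AD DNS domain the host keytab was issued for.
# krb5_keytab is left at its default, /etc/krb5.keytab.
[domain/INTDOM]
debug_level = 3
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = int.domain.com
# Assumed: require "user@INTDOM" so AD names and prefixed POSIX names
# are always distinguishable in logs and ACLs.
use_fully_qualified_names = True
# AD provider default: derive UIDs/GIDs from the objectSID. The mapped range
# is pinned explicitly (assumed values) so it is visibly disjoint from the
# 10000-20000 range used by the rfc2307 domain.
ldap_id_mapping = True
ldap_idmap_range_min = 200000
ldap_idmap_range_max = 2000200000
cache_credentials = true
```

After restarting sssd, `sssctl domain-list` should show both domains, `getent passwd someuser@INTDOM` should resolve an AD account with a mapped UID above 200000, and `getent passwd` for an existing prefixed POSIX user should still return exactly the uidNumber stored in AD. Checking that last point before rolling the change out is what protects the existing file ownership on the systems.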