On 5/5/22 08:31, Spike White wrote:
> Ed,
> That sounds like an excellent plan. Every major NAS vendor (I work for
> one) supports LDAP authentication. Even against AD domain controllers.
> (I'm a Linux engineer, not a storage engineer -- so I don't know the
> details of the NAS LDAP auth, only that it's fully supported and used
> here internally on the NAS mgmt heads.)
> Are you doing NFSv3 or NFSv4? I believe that NFSv4 bases file/dir
> access on 'user@domain', not UIDs. NFSv3 uses traditional UIDs/GIDs.
> I'm guessing you're doing NFSv3.

NFSv4 can also use traditional UIDs/GIDs for authorization. POSIX
extended ACLs work as well.

> (We do NFSv3 from the NAS shares onto our Linux servers whenever
> possible ourselves. We do NFSv4 only when one of the new NFSv4 features
> is required.)
>
> Spike
>
> On Wed, May 4, 2022 at 5:21 PM <mythmail(a)runbox.com> wrote:
>
> Thanks Spike!
>
> It looks like extending the AD to cater for UIDs and GIDs is the
> most supported and least effort change to allow us to use any NAS.
>
> If we get approval, we'll likely come up with a system to populate
> these values in the AD from an existing SSSD Linux client so that
> they match, then we can transition all other Linux clients over from
> using the SSSD mapping algorithm to using these values from AD.
>
>
> Ed
>
>
> 4 May 2022 12:26:01 am Spike White <spikewhitetx(a)gmail.com>:
>
> > Ed,
> >
> > Got this from our AD team:
> >
> > This MS article contains info regarding RFC 2307 and mentions it
> > being included in Windows 2003 and later. Hopefully, this helps.
> >
> >
> > https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/213f...
> >
> > We are currently up to schema version 88 (Windows 2019).
> >
> > Spike
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
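
The plan quoted in this thread (copy the UIDs/GIDs that an existing SSSD client already maps into AD's RFC 2307 attributes so every client and the NAS agree) can be staged as an LDIF that is reviewed before it is applied. The following is an added example, not code from the thread or from SSSD; the `getent passwd` lines, the DNs, the `MIN_ID` floor and the function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed `getent passwd` output from an SSSD client that uses ID mapping.
GETENT_PASSWD = """\
alice:*:1225601105:1225600513:Alice Example:/home/alice:/bin/bash
bob:*:1225601106:1225600513:Bob Example:/home/bob:/bin/bash
carol:*:1225601105:1225600513:Carol Example:/home/carol:/bin/bash
svc_root:*:0:0:Bad Mapping:/root:/bin/bash
dave:*:1225601108:1225600513:Dave Example:/home/dave:/bin/bash
"""
# Hypothetical login -> DN table (would come from an LDAP search); dave is missing.
DN_BY_LOGIN = {u: f"CN={u},OU=People,DC=example,DC=com"
               for u in ("alice", "bob", "carol", "svc_root")}
MIN_ID = 1000  # assumption: lower IDs belong to local and system accounts


def parse_passwd(text):
    """Yield (login, uid, gid) from passwd-format lines, skipping malformed ones."""
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2].isdigit() and fields[3].isdigit():
            yield fields[0], int(fields[2]), int(fields[3])


def plan(text, dn_by_login, min_id=MIN_ID):
    """Return (ldif, rejected); rejected maps login -> reason it was held back."""
    entries = list(parse_passwd(text))
    owners = defaultdict(list)
    for login, uid, _ in entries:
        owners[uid].append(login)
    records, rejected = [], {}
    for login, uid, gid in entries:
        if uid < min_id or gid < min_id:
            rejected[login] = "reserved id"  # never write UID/GID 0 or system IDs
        elif len(owners[uid]) > 1:
            rejected[login] = "duplicate uid"  # NFSv3 would treat both as one user
        elif login not in dn_by_login:
            rejected[login] = "no DN found"
        else:
            records.append(
                f"dn: {dn_by_login[login]}\nchangetype: modify\n"
                f"replace: uidNumber\nuidNumber: {uid}\n-\n"
                f"replace: gidNumber\ngidNumber: {gid}\n-\n"
            )
    return "\n".join(records), rejected


if __name__ == "__main__":
    print(*plan(GETENT_PASSWD, DN_BY_LOGIN), sep="\n")
```

Only accounts that pass all three checks reach the LDIF; the rejected map is the list to resolve by hand before any client is switched from the SSSD mapping algorithm to the AD values.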