5:28 a.m.
As a continuation of sssd evaluatin we plan migration from NIS to Active
Directory+Kerberos.
Now again the question - what is the best approach and practice to migrate users ?
AD administrators enabled SFU, and we got extended schema with POSIX attributes.
I guess there might be some free or commercial tools for extracting data from NIS and
loading into AD -ldap objects.
Our Linux users are dispersed in separated NIS domains, and all have AD account beside
the entry in NIS.
Home directories are NFS-mounted with autofs from Linux storage server but some users
access MSWin storage with smbclient.
Can you share experiences on assigning POSTFIX attributes in SSSD context, best practice
etc..?
We would not like activate NIS services on AD server for migration.
Longina
7:32 a.m.
On Wed, Feb 13, 2013 at 11:28:17AM +0000, Longina Przybyszewska wrote:
As a continuation of sssd evaluatin we plan migration from NIS to Active
Directory+Kerberos.
Now again the question - what is the best approach and practice to migrate users ?
AD administrators enabled SFU, and we got extended schema with POSIX attributes.
I guess there might be some free or commercial tools for extracting data from NIS and
loading into AD -ldap objects.
Our Linux users are dispersed in separated NIS domains, and all have AD account beside
the entry in NIS.
Home directories are NFS-mounted with autofs from Linux storage server but some
users access MSWin storage with smbclient.
Can you share experiences on assigning POSTFIX attributes in SSSD context, best practice
etc..?
I assume you meant POSIX
attributes.
We would not like activate NIS services on AD server for migration.
Longina
Hi,
I don't know any tools to migrate users from NIS to AD myself, maybe
others on this list do.
In general starting with SSSD 1.9 you don't need to enable SFU and
populate the POSIX attributes at all, you can just use the SSSD
ID-mapping feature to map AD SIDs to UNIX IDs automatically. I'm not
sure if that's a good idea in your particular case, because most
probably the mapped attributes would be different than those you have
manually created in NIS. Just saying.
7:34 a.m.
For populating the posix attributes you can use the NIS migration tool that comes with
IDMU. You do not have to activate NIS afterwards. Or
write yourself some fancy shell/perl script (like I did) if you want more control of what
is happening.
Ondrej
On 02/13/2013 12:28 PM, Longina Przybyszewska wrote:
As a continuation of sssd evaluatin we plan migration from NIS to Active
Directory+Kerberos.
Now again the question - what is the best approach and practice to migrate users ?
AD administrators enabled SFU, and we got extended schema with POSIX attributes.
I guess there might be some free or commercial tools for extracting data from NIS and
loading into AD -ldap objects.
Our Linux users are dispersed in separated NIS domains, and all have AD account beside
the entry in NIS.
Home directories are NFS-mounted with autofs from Linux storage server but some
users access MSWin storage with smbclient.
Can you share experiences on assigning POSTFIX attributes in SSSD context, best practice
etc..?
We would not like activate NIS services on AD server for migration.
Longina
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
1:40 a.m.
We started on this path several years ago when an IT consolidation happened across all the
divisions which had previously done their own thing in IT. We had multiple NIS domains and
recognised it was getting a bit old as a technology. The main project driver was file
server consolidation, and the NIS part of the project was not funded initially. Because
the NIS domains had historically grown independently we had overlapping user name space as
well as overlaps in uid and gid. The first part of the work consisted of making those 3
spaces unique as it was a pre-requisite for file server consolidation. I don't think
we had overlap in group names, but it was a while ago now.
We decided on an HR identifier as the userid as it was unique and it was already being
used on Windows (which had come along well after Unix) and was already set up as a single
domain across the entire organisation. In the uid and gid space we decided on renumbering
all existing users and groups to a range above all those currently in use, and chose above
2^32.
Userids were renamed first. Unix groups were added into AD as security groups. The
numbering scheme was a formula based on the Windows SID for both group and user. All files
on fileservers were renumbered before fileserver consolidation. We were not really happy
with any of the existing replacements for NIS around 6 years ago so did some NIS
consolidation as required. We did not populate AD with uidNumber or gidNumber at that
time, but did experiment a bit with it on a few users and groups with vanilla ldap. NIS
servers were setup to nightly look up a global passwd and group file which was generated
from Windows AD using the formula based uids and gids. Account changes in AD would then be
reflected as updates in NIS. This was of course batch only. This was made hourly
eventually to handle group membership changes which could happen through the day. HR
processes generally happened only nightly.
A few years later we updated our HR processes to populate and maintain the extra AD
attributes, like uidNumber, gidNumber, shell, unixhomedir, gecos. Just recently we have
added some extra processes to manage the gidNumber, so now have all the pieces in place to
use AD as our single source of information.
sssd will now likely be the final piece that lets us get rid of NIS. It will probably be a
gradual shift as older Linux hosts drop off and new ones replace them. We will be running
both schemes for a while in parallel and since they have the same information it won't
be a problem.
The one thing we have yet to really address is automount maps and I suspect we will have
to turn on NIS in AD to get that part to work properly, or use something like puppet to
manage flat file versions of automount maps.
Hope this helps.
Greg
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-
bounces(a)lists.fedorahosted.org] On Behalf Of Longina Przybyszewska
Sent: Wednesday, 13 February 2013 9:28 PM
To: End-user discussions about the System Security Services Daemon
(sssd-users(a)lists.fedorahosted.org)
Subject: [SSSD-users] migrating from NIS to AD+kerberos
As a continuation of sssd evaluatin we plan migration from NIS to
Active Directory+Kerberos.
Now again the question - what is the best approach and practice to
migrate users ?
AD administrators enabled SFU, and we got extended schema with POSIX
attributes.
I guess there might be some free or commercial tools for extracting
data from NIS and loading into AD -ldap objects.
Our Linux users are dispersed in separated NIS domains, and all have
AD account beside the entry in NIS.
Home directories are NFS-mounted with autofs from Linux storage
server but some users access MSWin storage with smbclient.
Can you share experiences on assigning POSTFIX attributes in SSSD
context, best practice etc..?
We would not like activate NIS services on AD server for migration.
Longina
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
2:22 a.m.
Few comments:
- Uid/gid renumbering is a pain that should be avoided.
- I prefer using RFC2307 attributes rather than relying on some fancy RID mapping. I like
to have things under my control.
- sssd can serve automount maps for automounter - it is not mature yet, but will be
(hopefully). Mean time, automounter can talk to AD on
its own, so it is not a big deal to get rid of NIS right now.
Ondrej
On 02/14/2013 08:40 AM, Greg.Lehmann(a)csiro.au wrote:
We started on this path several years ago when an IT consolidation
happened across all the divisions which had previously done their own thing in IT. We had
multiple NIS domains and recognised it was getting a bit old as a technology. The main
project driver was file server consolidation, and the NIS part of the project was not
funded initially. Because the NIS domains had historically grown independently we had
overlapping user name space as well as overlaps in uid and gid. The first part of the work
consisted of making those 3 spaces unique as it was a pre-requisite for file server
consolidation. I don't think we had overlap in group names, but it was a while ago
now.
We decided on an HR identifier as the userid as it was unique and it was already being
used on Windows (which had come along well after Unix) and was already set up as a single
domain across the entire organisation. In the uid and gid space we decided on renumbering
all existing users and groups to a range above all those currently in use, and chose above
2^32.
Userids were renamed first. Unix groups were added into AD as security groups. The
numbering scheme was a formula based on the Windows SID for both group and user. All files
on fileservers were renumbered before fileserver consolidation. We were not really happy
with any of the existing replacements for NIS around 6 years ago so did some NIS
consolidation as required. We did not populate AD with uidNumber or gidNumber at that
time, but did experiment a bit with it on a few users and groups with vanilla ldap. NIS
servers were setup to nightly look up a global passwd and group file which was generated
from Windows AD using the formula based uids and gids. Account changes in AD would then be
reflected as updates in NIS. This was of course batch only. This was made hourly
eventually to handle group membership changes which could happen through the day. HR
processes generally happened only nightly.
A few years later we updated our HR processes to populate and maintain the extra AD
attributes, like uidNumber, gidNumber, shell, unixhomedir, gecos. Just recently we have
added some extra processes to manage the gidNumber, so now have all the pieces in place to
use AD as our single source of information.
sssd will now likely be the final piece that lets us get rid of NIS. It will probably be
a gradual shift as older Linux hosts drop off and new ones replace them. We will be
running both schemes for a while in parallel and since they have the same information it
won't be a problem.
The one thing we have yet to really address is automount maps and I suspect we will have
to turn on NIS in AD to get that part to work properly, or use something like puppet to
manage flat file versions of automount maps.
Hope this helps.
Greg
> -----Original Message-----
> From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-
> bounces(a)lists.fedorahosted.org] On Behalf Of Longina Przybyszewska
> Sent: Wednesday, 13 February 2013 9:28 PM
> To: End-user discussions about the System Security Services Daemon
> (sssd-users(a)lists.fedorahosted.org)
> Subject: [SSSD-users] migrating from NIS to AD+kerberos
>
>
>
> As a continuation of sssd evaluatin we plan migration from NIS to
> Active Directory+Kerberos.
>
> Now again the question - what is the best approach and practice to
> migrate users ?
>
> AD administrators enabled SFU, and we got extended schema with POSIX
> attributes.
> I guess there might be some free or commercial tools for extracting
> data from NIS and loading into AD -ldap objects.
>
> Our Linux users are dispersed in separated NIS domains, and all have
> AD account beside the entry in NIS.
> Home directories are NFS-mounted with autofs from Linux storage
> server but some users access MSWin storage with smbclient.
>
> Can you share experiences on assigning POSTFIX attributes in SSSD
> context, best practice etc..?
> We would not like activate NIS services on AD server for migration.
>
> Longina
>
>
> _______________________________________________
> sssd-users mailing list
> sssd-users(a)lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-users
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
5:24 a.m.
UID/GID allocating – is my missing link.
We need to renumber at least UIDs as they overlap across NIS domains.
As all users have in advance AD account it seems obvious to me to generate posix uid based
on AD IDs.
…Or just assign Linux UIDs numbers during migrating.
What about making new accounts in the future – how the uid would be generated for Linux
Users?
Do we need a special group say ‘linuxusers’ then make a new template for new account in
the group?
Can AD make for us also continuously unique POSIX UIDs when creating the new account?
I don’t know YET much about MSWin identification process – sorry for very basic questions
;).
I understand that the approach with RID (real ID ??) mapping achieves consistent name
mapping across all types file servers –
am I right?
But maybe in sssd context it doesn’t make sense – as Ondrej points out.
Ondrej, if you say “sssd can serve automount maps for automounter” – that means sssd can
read ldap automounter map, and do
it automatically if we define autofs service in [nss] but first automounter has to know
about sssd and link to sssd libraries?
Alternative, now we have to convert NIS auto.home maps to ldap format, and load them to
AD (???), then reconfigure automounter to
ask AD for entry instead of NIS.
By the way how do I find what class/attributes I want in AD-ldap for autofs?
Longina
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej Valousek
Sent: 14. februar 2013 09:22
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] migrating from NIS to AD+kerberos
Few comments:
- Uid/gid renumbering is a pain that should be avoided.
- I prefer using RFC2307 attributes rather than relying on some fancy RID mapping. I like
to have things under my control.
- sssd can serve automount maps for automounter - it is not mature yet, but will be
(hopefully). Mean time, automounter can talk to AD on its own, so it is not a big deal to
get rid of NIS right now.
Ondrej
On 02/14/2013 08:40 AM, Greg.Lehmann@csiro.au<mailto:Greg.Lehmann@csiro.au> wrote:
We started on this path several years ago when an IT consolidation happened across all the
divisions which had previously done their own thing in IT. We had multiple NIS domains and
recognised it was getting a bit old as a technology. The main project driver was file
server consolidation, and the NIS part of the project was not funded initially. Because
the NIS domains had historically grown independently we had overlapping user name space as
well as overlaps in uid and gid. The first part of the work consisted of making those 3
spaces unique as it was a pre-requisite for file server consolidation. I don't think
we had overlap in group names, but it was a while ago now.
We decided on an HR identifier as the userid as it was unique and it was already being
used on Windows (which had come along well after Unix) and was already set up as a single
domain across the entire organisation. In the uid and gid space we decided on renumbering
all existing users and groups to a range above all those currently in use, and chose above
2^32.
Userids were renamed first. Unix groups were added into AD as security groups. The
numbering scheme was a formula based on the Windows SID for both group and user. All files
on fileservers were renumbered before fileserver consolidation. We were not really happy
with any of the existing replacements for NIS around 6 years ago so did some NIS
consolidation as required. We did not populate AD with uidNumber or gidNumber at that
time, but did experiment a bit with it on a few users and groups with vanilla ldap. NIS
servers were setup to nightly look up a global passwd and group file which was generated
from Windows AD using the formula based uids and gids. Account changes in AD would then be
reflected as updates in NIS. This was of course batch only. This was made hourly
eventually to handle group membership changes which could happen through the day. HR
processes generally happened only nightly.
A few years later we updated our HR processes to populate and maintain the extra AD
attributes, like uidNumber, gidNumber, shell, unixhomedir, gecos. Just recently we have
added some extra processes to manage the gidNumber, so now have all the pieces in place to
use AD as our single source of information.
sssd will now likely be the final piece that lets us get rid of NIS. It will probably be a
gradual shift as older Linux hosts drop off and new ones replace them. We will be running
both schemes for a while in parallel and since they have the same information it won't
be a problem.
The one thing we have yet to really address is automount maps and I suspect we will have
to turn on NIS in AD to get that part to work properly, or use something like puppet to
manage flat file versions of automount maps.
Hope this helps.
Greg
-----Original Message-----
From:
sssd-users-bounces@lists.fedorahosted.org<mailto:sssd-users-bounces@lists.fedorahosted.org>
[mailto:sssd-users-
bounces@lists.fedorahosted.org<mailto:bounces@lists.fedorahosted.org>] On Behalf Of
Longina Przybyszewska
Sent: Wednesday, 13 February 2013 9:28 PM
To: End-user discussions about the System Security Services Daemon
(sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>)
Subject: [SSSD-users] migrating from NIS to AD+kerberos
As a continuation of sssd evaluatin we plan migration from NIS to
Active Directory+Kerberos.
Now again the question - what is the best approach and practice to
migrate users ?
AD administrators enabled SFU, and we got extended schema with POSIX
attributes.
I guess there might be some free or commercial tools for extracting
data from NIS and loading into AD -ldap objects.
Our Linux users are dispersed in separated NIS domains, and all have
AD account beside the entry in NIS.
Home directories are NFS-mounted with autofs from Linux storage
server but some users access MSWin storage with smbclient.
Can you share experiences on assigning POSTFIX attributes in SSSD
context, best practice etc..?
We would not like activate NIS services on AD server for migration.
Longina
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
6:02 a.m.
On Thu, Feb 14, 2013 at 11:24:23AM +0000, Longina Przybyszewska wrote:
UID/GID allocating – is my missing link.
We need to renumber at least UIDs as they overlap across NIS domains.
As all users have in advance AD account it seems obvious to me to generate posix uid
based on AD IDs.
If you're renumbering the UIDs (and by extension changing the file
permissions) anyway, you might as well go with the ID mapping feature
completely.
…Or just assign Linux UIDs numbers during migrating.
What about making new accounts in the future – how the uid would be generated for Linux
Users?
Do we need a special group say ‘linuxusers’ then make a new template for new account in
the group?
Can AD make for us also continuously unique POSIX UIDs when creating the new account?
I don’t know YET much about MSWin identification process – sorry for very basic questions
;).
I understand that the approach with RID (real ID ??) mapping achieves consistent name
mapping across all types file servers –
am I right?
I'm not sure what you mean by "across all types of file servers" but
the mapping should be consistent, yes.
But maybe in sssd context it doesn’t make sense – as Ondrej points
out.
Ondrej, if you say “sssd can serve automount maps for automounter” – that means sssd can
read ldap automounter map, and do
it automatically if we define autofs service in [nss] but first automounter has to know
about sssd and link to sssd libraries?
See http://jhrozek.livejournal.com/2500.html for example.
Alternative, now we have to convert NIS auto.home maps to ldap
format, and load them to AD (???), then reconfigure automounter to
ask AD for entry instead of NIS.
By the way how do I find what class/attributes I want in AD-ldap for autofs?
Longina
6:21 a.m.
On 02/14/2013 01:02 PM, Jakub Hrozek wrote:
> Ondrej, if you say “sssd can serve automount maps for
automounter” – that means sssd can read ldap automounter map, and do
> > it automatically if we define autofs service in [nss] but first automounter
has to know about sssd and link to sssd libraries?
> >
Seehttp://jhrozek.livejournal.com/2500.html for example.
Good document, thanks Jakub!
Unfortunately, Jakub assumes LDAP server w/ RFC2307bis schema loaded - which is not the AD
case. In AD you have 2 options:
1. Extend the AD schema to contain the necessary RFC2307bis attributes
2. store automount maps using RFC2307 attributes, and do some mapping on the sssd side.
Maybe Jakub will add this AD specific stuff in the document at some stage, too.
Ondrej
9:28 a.m.
On Feb 14, 2013 4:22 AM, "Ondrej Valousek" <ondrejv(a)s3group.cz> wrote:
>
Good document, thanks Jakub!
Unfortunately, Jakub assumes LDAP server w/ RFC2307bis schema loaded -
which is not
the AD case. In AD you have 2 options:
1. Extend the AD schema to contain the necessary RFC2307bis
attributes
2. store automount maps using RFC2307 attributes, and do some mapping on
the sssd
side.
Maybe Jakub will add this AD specific stuff in the document at some
stage, too.
Ondrej
That depends on the version of Windows used on your DC's. RFC2307bis
attributes have been in every version since 2003R2.
2:03 a.m.
Nope. Microsoft did not include all of them. For example, the automount* attributes (as
per RFC2307bis) are not included in any version of
AD schema I am aware of....
Ondrej
On 02/14/2013 04:28 PM, Aaron Grewell wrote:
That depends on the version of Windows used on your DC's.
RFC2307bis attributes have been in every version since 2003R2.
9:01 a.m.
> I understand that the approach with RID (real ID ??) mapping
achieves
>consistent name mapping across all types file servers – am I right?
I'm not sure what you mean by "across all types of file
servers" but the mapping should be consistent, yes.
We have diverse file servers Oracle Sun 7000(zfs), Ubuntu server( in test NFS4+sssd ),
SAN ;
For example Zfs mapping algorithm (using window-sid) is not the same as client's
with sssd-ad so,
we do not get the same user on both ends.
If we would like to have common storage for all possible clients(linux, mac, win), to give
user access to the same files
simultaneously - we need to have common and unique mapping between windows sid and unix
uid/gid.
In my understanding we can achieve it only if Posix uid/gid are built from windows sid.
Only then from window client and linux client we get the same uid on the file server.
Maybe I am wrong - please, enlighten me.
Longina
>But maybe in sssd context it doesn’t make sense – as Ondrej
points out.
>
>Ondrej, if you say “sssd can serve automount maps for automounter” –
>that means sssd can read ldap automounter map, and do it automatically if we define
autofs service in [nss] but first automounter has to know about sssd and link to sssd
libraries?
>
See http://jhrozek.livejournal.com/2500.html for example.
Alternative, now we have to convert NIS auto.home maps to ldap
format, and load them to AD (???), then reconfigure automounter to ask AD for entry
instead of NIS.
By the way how do I find what class/attributes I want in AD-ldap for autofs?
Longina
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
11:04 a.m.
I was not aware zfs could do a uid mapping. If you understand what it is doing then
perhaps you can configure sssd to use the same scheme. I have not used that feature either
since we decided on our mapping over 6 years ago. I think it makes sense to use AD to
store all the password file fields in AD. Not everybody has the luxury of cooperative AD
administrators, so understand others having to work around it. SAN is not a fileserver by
itself.
-----Original Message-----
From: sssd-users-bounces(a)lists.fedorahosted.org [mailto:sssd-users-
bounces(a)lists.fedorahosted.org] On Behalf Of Longina Przybyszewska
Sent: Friday, 15 February 2013 1:02 AM
To: 'End-user discussions about the System Security Services Daemon'
Subject: Re: [SSSD-users] migrating from NIS to AD+kerberos
>> I understand that the approach with RID (real ID ??) mapping
achieves
> >consistent name mapping across all types file servers – am I right?
>I'm not sure what you mean by "across all types of file servers" but
the mapping should be consistent, yes.
We have diverse file servers Oracle Sun 7000(zfs), Ubuntu server( in
test NFS4+sssd ), SAN ;
For example Zfs mapping algorithm (using window-sid) is not the same
as client's with sssd-ad so,
we do not get the same user on both ends.
If we would like to have common storage for all possible clients(linux,
mac, win), to give user access to the same files
simultaneously - we need to have common and unique mapping between
windows sid and unix uid/gid.
In my understanding we can achieve it only if Posix uid/gid are built
from windows sid.
Only then from window client and linux client we get the same uid on
the file server.
Maybe I am wrong - please, enlighten me.
Longina
> >But maybe in sssd context it doesn’t make sense – as Ondrej points
out.
> >
> >Ondrej, if you say “sssd can serve automount maps for automounter” –
> >that means sssd can read ldap automounter map, and do it
automatically if we define autofs service in [nss] but first
automounter has to know about sssd and link to sssd libraries?
>>
See http://jhrozek.livejournal.com/2500.html for example.
> Alternative, now we have to convert NIS auto.home maps to ldap
> format, and load them to AD (???), then reconfigure automounter to
ask AD for entry instead of NIS.
> By the way how do I find what class/attributes I want in AD-ldap for
autofs?
>
> Longina
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
_______________________________________________
sssd-users mailing list
sssd-users(a)lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
11:22 a.m.
New accounts are generated only in AD so will get a UID based on SID. If you create local
accounts on Unix then you need to ensure no overlap with AD global accounts. Since we
started our AD based account UIDs above 2^32 we have plenty of space below that for local
account UIDs. Same for GIDs.
I am not a windows person and this is from memory. Someone correct me if I am wrong.
Windows SID has a domain part + a RID. Our scheme was only for a single AD domain so was
based on RID (32 bits?) If you need more than 1 AD domain, you should use SID otherwise
you may not have unique UIDs.
I like the idea of storing a unique UID in the AD attribute for a user. Using sssd to do
it means you have to define the same mapping on each sssd implementation. This means you
have more chance of getting it wrong with a typo or editing stuff up and that means you
could have users creating files with the wrong UID that then need to be cleaned up. The
other problem is users having an incorrect UID reading files they should not have access
to.
Can’t help with automount yet, sorry.
Greg
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Longina Przybyszewska
Sent: Thursday, 14 February 2013 9:24 PM
To: 'End-user discussions about the System Security Services Daemon'
Subject: Re: [SSSD-users] migrating from NIS to AD+kerberos
UID/GID allocating – is my missing link.
We need to renumber at least UIDs as they overlap across NIS domains.
As all users have in advance AD account it seems obvious to me to generate posix uid based
on AD IDs.
…Or just assign Linux UIDs numbers during migrating.
What about making new accounts in the future – how the uid would be generated for Linux
Users?
Do we need a special group say ‘linuxusers’ then make a new template for new account in
the group?
Can AD make for us also continuously unique POSIX UIDs when creating the new account?
I don’t know YET much about MSWin identification process – sorry for very basic questions
;).
I understand that the approach with RID (real ID ??) mapping achieves consistent name
mapping across all types file servers –
am I right?
But maybe in sssd context it doesn’t make sense – as Ondrej points out.
Ondrej, if you say “sssd can serve automount maps for automounter” – that means sssd can
read ldap automounter map, and do
it automatically if we define autofs service in [nss] but first automounter has to know
about sssd and link to sssd libraries?
Alternative, now we have to convert NIS auto.home maps to ldap format, and load them to
AD (???), then reconfigure automounter to
ask AD for entry instead of NIS.
By the way how do I find what class/attributes I want in AD-ldap for autofs?
Longina
From:
sssd-users-bounces@lists.fedorahosted.org<mailto:sssd-users-bounces@lists.fedorahosted.org>
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej Valousek
Sent: 14. februar 2013 09:22
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] migrating from NIS to AD+kerberos
Few comments:
- Uid/gid renumbering is a pain that should be avoided.
- I prefer using RFC2307 attributes rather than relying on some fancy RID mapping. I like
to have things under my control.
- sssd can serve automount maps for automounter - it is not mature yet, but will be
(hopefully). Mean time, automounter can talk to AD on its own, so it is not a big deal to
get rid of NIS right now.
Ondrej
On 02/14/2013 08:40 AM, Greg.Lehmann@csiro.au<mailto:Greg.Lehmann@csiro.au> wrote:
We started on this path several years ago when an IT consolidation happened across all the
divisions which had previously done their own thing in IT. We had multiple NIS domains and
recognised it was getting a bit old as a technology. The main project driver was file
server consolidation, and the NIS part of the project was not funded initially. Because
the NIS domains had historically grown independently we had overlapping user name space as
well as overlaps in uid and gid. The first part of the work consisted of making those 3
spaces unique as it was a pre-requisite for file server consolidation. I don't think
we had overlap in group names, but it was a while ago now.
We decided on an HR identifier as the userid as it was unique and it was already being
used on Windows (which had come along well after Unix) and was already set up as a single
domain across the entire organisation. In the uid and gid space we decided on renumbering
all existing users and groups to a range above all those currently in use, and chose above
2^32.
Userids were renamed first. Unix groups were added into AD as security groups. The
numbering scheme was a formula based on the Windows SID for both group and user. All files
on fileservers were renumbered before fileserver consolidation. We were not really happy
with any of the existing replacements for NIS around 6 years ago so did some NIS
consolidation as required. We did not populate AD with uidNumber or gidNumber at that
time, but did experiment a bit with it on a few users and groups with vanilla ldap. NIS
servers were setup to nightly look up a global passwd and group file which was generated
from Windows AD using the formula based uids and gids. Account changes in AD would then be
reflected as updates in NIS. This was of course batch only. This was made hourly
eventually to handle group membership changes which could happen through the day. HR
processes generally happened only nightly.
A few years later we updated our HR processes to populate and maintain the extra AD
attributes, like uidNumber, gidNumber, shell, unixhomedir, gecos. Just recently we have
added some extra processes to manage the gidNumber, so now have all the pieces in place to
use AD as our single source of information.
sssd will now likely be the final piece that lets us get rid of NIS. It will probably be a
gradual shift as older Linux hosts drop off and new ones replace them. We will be running
both schemes for a while in parallel and since they have the same information it won't
be a problem.
The one thing we have yet to really address is automount maps and I suspect we will have
to turn on NIS in AD to get that part to work properly, or use something like puppet to
manage flat file versions of automount maps.
Hope this helps.
Greg
-----Original Message-----
From:
sssd-users-bounces@lists.fedorahosted.org<mailto:sssd-users-bounces@lists.fedorahosted.org>
[mailto:sssd-users-
bounces@lists.fedorahosted.org<mailto:bounces@lists.fedorahosted.org>] On Behalf Of
Longina Przybyszewska
Sent: Wednesday, 13 February 2013 9:28 PM
To: End-user discussions about the System Security Services Daemon
(sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>)
Subject: [SSSD-users] migrating from NIS to AD+kerberos
As a continuation of sssd evaluatin we plan migration from NIS to
Active Directory+Kerberos.
Now again the question - what is the best approach and practice to
migrate users ?
AD administrators enabled SFU, and we got extended schema with POSIX
attributes.
I guess there might be some free or commercial tools for extracting
data from NIS and loading into AD -ldap objects.
Our Linux users are dispersed in separated NIS domains, and all have
AD account beside the entry in NIS.
Home directories are NFS-mounted with autofs from Linux storage
server but some users access MSWin storage with smbclient.
Can you share experiences on assigning POSTFIX attributes in SSSD
context, best practice etc..?
We would not like activate NIS services on AD server for migration.
Longina
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
2:12 a.m.
That's the beauty of following standards. RFC2307 standard tells you how to do the
mapping. SSSD honors RFCs (as well as any other appliance
I am aware of) so you do not have to do any fancy mapping on your own at all - it just
works consistently everywhere.
Ondrej
On 02/14/2013 06:22 PM, Greg.Lehmann(a)csiro.au wrote:
I like the idea of storing a unique UID in the AD attribute for a user. Using sssd to do
it means you have to define the same mapping on
each sssd implementation. This means you have more chance of getting it wrong with a typo
or editing stuff up and that means you could
have users creating files with the wrong UID that then need to be cleaned up. The other
problem is users having an incorrect UID reading
files they should not have access to.
7:07 a.m.
Thanks for all the comments- all of them are very helpful...
Longina
From: sssd-users-bounces(a)lists.fedorahosted.org
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Greg.Lehmann(a)csiro.au
Sent: 14. februar 2013 18:23
To: sssd-users(a)lists.fedorahosted.org
Subject: Re: [SSSD-users] migrating from NIS to AD+kerberos
New accounts are generated only in AD so will get a UID based on SID. If you create local
accounts on Unix then you need to ensure no overlap with AD global accounts. Since we
started our AD based account UIDs above 2^32 we have plenty of space below that for local
account UIDs. Same for GIDs.
I am not a windows person and this is from memory. Someone correct me if I am wrong.
Windows SID has a domain part + a RID. Our scheme was only for a single AD domain so was
based on RID (32 bits?) If you need more than 1 AD domain, you should use SID otherwise
you may not have unique UIDs.
I like the idea of storing a unique UID in the AD attribute for a user. Using sssd to do
it means you have to define the same mapping on each sssd implementation. This means you
have more chance of getting it wrong with a typo or editing stuff up and that means you
could have users creating files with the wrong UID that then need to be cleaned up. The
other problem is users having an incorrect UID reading files they should not have access
to.
Can’t help with automount yet, sorry.
Greg
From:
sssd-users-bounces@lists.fedorahosted.org<mailto:sssd-users-bounces@lists.fedorahosted.org>
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Longina Przybyszewska
Sent: Thursday, 14 February 2013 9:24 PM
To: 'End-user discussions about the System Security Services Daemon'
Subject: Re: [SSSD-users] migrating from NIS to AD+kerberos
UID/GID allocating – is my missing link.
We need to renumber at least UIDs as they overlap across NIS domains.
As all users have in advance AD account it seems obvious to me to generate posix uid based
on AD IDs.
…Or just assign Linux UIDs numbers during migrating.
What about making new accounts in the future – how the uid would be generated for Linux
Users?
Do we need a special group say ‘linuxusers’ then make a new template for new account in
the group?
Can AD make for us also continuously unique POSIX UIDs when creating the new account?
I don’t know YET much about MSWin identification process – sorry for very basic questions
;).
I understand that the approach with RID (real ID ??) mapping achieves consistent name
mapping across all types file servers –
am I right?
But maybe in sssd context it doesn’t make sense – as Ondrej points out.
Ondrej, if you say “sssd can serve automount maps for automounter” – that means sssd can
read ldap automounter map, and do
it automatically if we define autofs service in [nss] but first automounter has to know
about sssd and link to sssd libraries?
Alternative, now we have to convert NIS auto.home maps to ldap format, and load them to
AD (???), then reconfigure automounter to
ask AD for entry instead of NIS.
By the way how do I find what class/attributes I want in AD-ldap for autofs?
Longina
From:
sssd-users-bounces@lists.fedorahosted.org<mailto:sssd-users-bounces@lists.fedorahosted.org>
[mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej Valousek
Sent: 14. februar 2013 09:22
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] migrating from NIS to AD+kerberos
Few comments:
- Uid/gid renumbering is a pain that should be avoided.
- I prefer using RFC2307 attributes rather than relying on some fancy RID mapping. I like
to have things under my control.
- sssd can serve automount maps for automounter - it is not mature yet, but will be
(hopefully). Mean time, automounter can talk to AD on its own, so it is not a big deal to
get rid of NIS right now.
Ondrej
On 02/14/2013 08:40 AM, Greg.Lehmann@csiro.au<mailto:Greg.Lehmann@csiro.au> wrote:
We started on this path several years ago when an IT consolidation happened across all the
divisions which had previously done their own thing in IT. We had multiple NIS domains and
recognised it was getting a bit old as a technology. The main project driver was file
server consolidation, and the NIS part of the project was not funded initially. Because
the NIS domains had historically grown independently we had overlapping user name space as
well as overlaps in uid and gid. The first part of the work consisted of making those 3
spaces unique as it was a pre-requisite for file server consolidation. I don't think
we had overlap in group names, but it was a while ago now.
We decided on an HR identifier as the userid as it was unique and it was already being
used on Windows (which had come along well after Unix) and was already set up as a single
domain across the entire organisation. In the uid and gid space we decided on renumbering
all existing users and groups to a range above all those currently in use, and chose above
2^32.
Userids were renamed first. Unix groups were added into AD as security groups. The
numbering scheme was a formula based on the Windows SID for both group and user. All files
on fileservers were renumbered before fileserver consolidation. We were not really happy
with any of the existing replacements for NIS around 6 years ago so did some NIS
consolidation as required. We did not populate AD with uidNumber or gidNumber at that
time, but did experiment a bit with it on a few users and groups with vanilla ldap. NIS
servers were setup to nightly look up a global passwd and group file which was generated
from Windows AD using the formula based uids and gids. Account changes in AD would then be
reflected as updates in NIS. This was of course batch only. This was made hourly
eventually to handle group membership changes which could happen through the day. HR
processes generally happened only nightly.
A few years later we updated our HR processes to populate and maintain the extra AD
attributes, like uidNumber, gidNumber, shell, unixhomedir, gecos. Just recently we have
added some extra processes to manage the gidNumber, so now have all the pieces in place to
use AD as our single source of information.
sssd will now likely be the final piece that lets us get rid of NIS. It will probably be a
gradual shift as older Linux hosts drop off and new ones replace them. We will be running
both schemes for a while in parallel and since they have the same information it won't
be a problem.
The one thing we have yet to really address is automount maps and I suspect we will have
to turn on NIS in AD to get that part to work properly, or use something like puppet to
manage flat file versions of automount maps.
Hope this helps.
Greg
-----Original Message-----
From:
sssd-users-bounces@lists.fedorahosted.org<mailto:sssd-users-bounces@lists.fedorahosted.org>
[mailto:sssd-users-
bounces@lists.fedorahosted.org<mailto:bounces@lists.fedorahosted.org>] On Behalf Of
Longina Przybyszewska
Sent: Wednesday, 13 February 2013 9:28 PM
To: End-user discussions about the System Security Services Daemon
(sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>)
Subject: [SSSD-users] migrating from NIS to AD+kerberos
As a continuation of sssd evaluatin we plan migration from NIS to
Active Directory+Kerberos.
Now again the question - what is the best approach and practice to
migrate users ?
AD administrators enabled SFU, and we got extended schema with POSIX
attributes.
I guess there might be some free or commercial tools for extracting
data from NIS and loading into AD -ldap objects.
Our Linux users are dispersed in separated NIS domains, and all have
AD account beside the entry in NIS.
Home directories are NFS-mounted with autofs from Linux storage
server but some users access MSWin storage with smbclient.
Can you share experiences on assigning POSTFIX attributes in SSSD
context, best practice etc..?
We would not like activate NIS services on AD server for migration.
Longina
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
_______________________________________________
sssd-users mailing list
sssd-users@lists.fedorahosted.org<mailto:sssd-users@lists.fedorahosted.org>
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
2805
days inactive
2810
days old
sssd-users@lists.fedorahosted.org
14 comments
5 participants
participants (5)
-
Aaron Grewell -
Greg Lehmann -
Jakub Hrozek -
Longina Przybyszewska -
Ondrej Valousek