On Thu, Jan 24, 2019 at 2:15 AM Sumit Bose <sbose(a)redhat.com>
wrote:
> On Wed, Jan 23, 2019 at 03:21:04PM -0500, vadud3(a)gmail.com wrote:
> > Sumit,
> >
> > IT decides they won't let Linux server to join their domain.
> >
> > They offered another service/API for UID/GID lookup.
> >
> > Is there another way SSSD can do ID mapping and may be consume this other
> > service for UID/GID ? Every employee has a unique UID/GID in that
> service.
>
> What kind of service/API is it?
>
I am still for an answer from IT. But I went to their resource and did a
lookup over browser for a cuid and it gave me back a table with a unique
UID and GID
If I can consume that through an API and query username and get UID/GID, is
there a SSSD can make the same call to generate UID/GID for linux?
This sounds a bit like a HTTP based API, maybe REST? However, SSSD
currently does not support this type of lookups, a new backend would be
needed for this.
What would be possible is the read the UIDs and GIDs of all required
users and groups and use sss_override (see man sss_override for details)
to add the UIDs and GIDs directly into SSSD's cache. Unfortunately this
has to be done on every client and if there are new users or groups you
have to add them with sss_override as well.
bye,
Sumit
>
> bye,
> Sumit
>
> >
> >
> >
> >
> >
> > On Wed, Jan 16, 2019 at 2:21 AM Sumit Bose <sbose(a)redhat.com> wrote:
> >
> > > On Tue, Jan 15, 2019 at 02:19:33PM -0500, vadud3(a)gmail.com wrote:
> > > > On Sat, Jan 12, 2019 at 12:22 PM John Hearns
<hearnsj(a)googlemail.com
> >
> > > wrote:
> > > >
> > > > > Emmm.. Do you need the AD Administrator password? Why?
> > > > >
> > > >
> > > > I do not need that. I know that.
> > > >
> > > >
> > > > >
> > > > > If you need to join a Linux system to the AD domain you can ask
> the AD
> > > > > administratoe to do this.
> > > > > Or you can have a service account set up on AD which has the
> > > permissions
> > > > > to join to the domain.
> > > > >
> > > >
> > > > Right, that is what Sumit suggested as well
> > > >
> > > > # realm join -U vadud3
ad.example.net
> > > > Password for vadud3:
> > > > See: journalctl REALMD_OPERATION=r10925.4111
> > > > realm: Couldn't join realm: Insufficient permissions to join the
> domain
> > > >
ad.example.net
> > > >
> > > > # journalctl REALMD_OPERATION=r10925.4111
> > > > -- Logs begin at Tue 2019-01-15 08:11:19 PST, end at Tue 2019-01-15
> > > > 11:14:40 PST. --
> > > > Jan 15 11:13:24 centos7 realmd[4114]: * Resolving: _ldap._
> > > >
tcp.ad.example.net
> > > > Jan 15 11:13:24 centos7 realmd[4114]: * Performing LDAP DSE lookup
> on:
> > > > 192.168.1.51
> > > > Jan 15 11:13:25 centos7 realmd[4114]: * Successfully discovered:
> > > >
ad.example.net
> > > > Jan 15 11:13:30 centos7 realmd[4114]: * Required files:
> > > /usr/sbin/oddjobd,
> > > > /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
> > > > Jan 15 11:13:30 centos7 realmd[4114]: * LANG=C LOGNAME=root
> /usr/bin/net
> > > > -s /var/cache/realmd/realmd-smb-conf.CDOLVZ -U vadud3 ads join
> > > >
ad.example.net
> > > > Jan 15 11:13:39 centos7 realmd[4114]: Enter vadud3's password:
> > > > Jan 15 11:13:39 centos7 realmd[4114]: Failed to join domain: User
> > > specified
> > > > does not have administrator privileges
> > > > Jan 15 11:13:39 centos7 realmd[4114]: ! Insufficient permissions to
> join
> > > > the domain
ad.example.net
> > > >
> > > > So yes I will need an account with sufficient privilege to join AD
> > > >
> > > > Is there a way to talk to AD over a proxy. For our environment that
> will
> > > > reduce number of firewall update request.
> > >
> > > I think you typically use read-only domain controllers (RODC) in a
> > > network segment where the clients are for this.
> > >
> > > HTH
> > >
> > > bye,
> > > Sumit
> > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > >
> > > > > On Fri, 11 Jan 2019 at 16:03, <vadud3(a)gmail.com> wrote:
> > > > >
> > > > >>
> > > > >>
> > > > >> On Fri, Jan 11, 2019 at 6:50 AM Sumit Bose
<sbose(a)redhat.com>
> wrote:
> > > > >>
> > > > >>> On Wed, Jan 09, 2019 at 12:47:34PM -0500,
vadud3(a)gmail.com
> wrote:
> > > > >>> > Looking for suggestion on ID mapping.
> > > > >>> >
> > > > >>> > I need to point to a ID provider over proxy
> > > > >>> >
> > > > >>> > I have not found a concrete solution or some hint
about how to
> > > setup a
> > > > >>> > proxy to a ID provider and how sssd can point to
that proxy
> for ID
> > > > >>> mapping.
> > > > >>>
> > > > >>> Can you rephrase your question? 'ID provider over
proxy' should
> like
> > > you
> > > > >>> want some more details about SSSD's proxy provider
as described
> in
> > > the
> > > > >>> sssd.conf man page. But this is unrelated to what I
associate
> > > typically
> > > > >>> with 'ID mapping'. Please give a bit more
details about what you
> are
> > > > >>> trying to achieve.
> > > > >>>
> > > > >>>
> > > > >> I am looking for a ID mapping solution. I do see following
> providers.
> > > > >>
> > > > >> “proxy”: Support a legacy NSS provider.
> > > > >>
> > > > >> “local”: SSSD internal provider for local users
> > > (DEPRECATED).
> > > > >>
> > > > >> “files”: FILES provider. See sssd-files(5) for
more
> > > > >> information on how to mirror local users and groups into
SSSD.
> > > > >>
> > > > >> “ldap”: LDAP provider. See sssd-ldap(5) for more
> > > information
> > > > >> on configuring LDAP.
> > > > >>
> > > > >> “ipa”: FreeIPA and Red Hat Enterprise Identity
> Management
> > > > >> provider. See sssd-ipa(5) for more information on
> > > > >> configuring FreeIPA.
> > > > >>
> > > > >> “ad”: Active Directory provider. See sssd-ad(5)
for
> more
> > > > >> information on configuring Active Directory.
> > > > >>
> > > > >> I am looking for a suggestion.
> > > > >> ad - won't work as we will not be provided
> Administrator
> > > > >> password
> > > > >> ldap - won't work as IT says not to use LDAP
and use
> > > kerberos
> > > > >> instead for all things UNIX auth
> > > > >> and to use /etc/passwd for id (yikes, we
have
> 100s
> > > of
> > > > >> servers to manage)
> > > > >> files - I am not sure how to have a central files
for
> all
> > > > >> accounts
> > > > >> local - seems deprecated
> > > > >> proxy - I am not sure how to set that up, but
seems
> like
> > > > >> easier for a central ID provider?
> > > > >>
> > > > >> Please advise
> > > > >>
> > > > >>
> > > > >>
> > > > >>
> > > > >>
> > > > >>
> > > > >>
> > > > >>> bye,
> > > > >>> Sumit
> > > > >>>
> > > > >>> >
> > > > >>> > All my servers are CentOS 7.
> > > > >>> >
> > > > >>> >
> > > > >>> > --
> > > > >>> > Asif Iqbal
> > > > >>> > PGP Key: 0xE62693C5 KeyServer:
pgp.mit.edu
> > > > >>> > A: Because it messes up the order in which people
normally read
> > > text.
> > > > >>> > Q: Why is top-posting such a bad thing?
> > > > >>>
> > > > >>> > _______________________________________________
> > > > >>> > sssd-users mailing list --
sssd-users(a)lists.fedorahosted.org
> > > > >>> > To unsubscribe send an email to
> > > > >>> sssd-users-leave(a)lists.fedorahosted.org
> > > > >>> > Fedora Code of Conduct:
>
https://getfedora.org/code-of-conduct.html
> > > > >>> > List Guidelines:
> > > > >>>
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > >>> > List Archives:
> > > > >>>
> > >
>
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> > > > >>> _______________________________________________
> > > > >>> sssd-users mailing list --
sssd-users(a)lists.fedorahosted.org
> > > > >>> To unsubscribe send an email to
> > > sssd-users-leave(a)lists.fedorahosted.org
> > > > >>> Fedora Code of Conduct:
>
https://getfedora.org/code-of-conduct.html
> > > > >>> List Guidelines:
> > >
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > >>> List Archives:
> > > > >>>
> > >
>
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> > > > >>>
> > > > >>
> > > > >>
> > > > >> --
> > > > >> Asif Iqbal
> > > > >> PGP Key: 0xE62693C5 KeyServer:
pgp.mit.edu
> > > > >> A: Because it messes up the order in which people normally
read
> text.
> > > > >> Q: Why is top-posting such a bad thing?
> > > > >>
> > > > >> _______________________________________________
> > > > >> sssd-users mailing list --
sssd-users(a)lists.fedorahosted.org
> > > > >> To unsubscribe send an email to
> > > sssd-users-leave(a)lists.fedorahosted.org
> > > > >> Fedora Code of Conduct:
>
https://getfedora.org/code-of-conduct.html
> > > > >> List Guidelines:
> > >
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > >> List Archives:
> > > > >>
> > >
>
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> > > > >>
> > > > > _______________________________________________
> > > > > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > > > > To unsubscribe send an email to
> > > sssd-users-leave(a)lists.fedorahosted.org
> > > > > Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> > > > > List Guidelines:
> > >
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > > List Archives:
> > > > >
> > >
>
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> > > > >
> > > >
> > > >
> > > > --
> > > > Asif Iqbal
> > > > PGP Key: 0xE62693C5 KeyServer:
pgp.mit.edu
> > > > A: Because it messes up the order in which people normally read
text.
> > > > Q: Why is top-posting such a bad thing?
> > >
> > > > _______________________________________________
> > > > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > > > To unsubscribe send an email to
> sssd-users-leave(a)lists.fedorahosted.org
> > > > Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> > > > List Guidelines:
>
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > List Archives:
> > >
>
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> > > _______________________________________________
> > > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > > To unsubscribe send an email to
> sssd-users-leave(a)lists.fedorahosted.org
> > > Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> > > List Guidelines:
>
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > List Archives:
> > >
>
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> > >
> >
> >
> > --
> > Asif Iqbal
> > PGP Key: 0xE62693C5 KeyServer:
pgp.mit.edu
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
>
> > _______________________________________________
> > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> > List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
>
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
> List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
>
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
>
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer:
pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?