On Sat, Jan 12, 2019 at 12:22 PM John Hearns hearnsj@googlemail.com wrote:
Emmm.. Do you need the AD Administrator password? Why?
I do not need that. I know that.
If you need to join a Linux system to the AD domain you can ask the AD administrator to do this. Or you can have a service account set up on AD which has the permissions to join the domain.
Right, that is what Sumit suggested as well
# realm join -U vadud3 ad.example.net
Password for vadud3:
See: journalctl REALMD_OPERATION=r10925.4111
realm: Couldn't join realm: Insufficient permissions to join the domain ad.example.net

# journalctl REALMD_OPERATION=r10925.4111
-- Logs begin at Tue 2019-01-15 08:11:19 PST, end at Tue 2019-01-15 11:14:40 PST. --
Jan 15 11:13:24 centos7 realmd[4114]:  * Resolving: _ldap._tcp.ad.example.net
Jan 15 11:13:24 centos7 realmd[4114]:  * Performing LDAP DSE lookup on: 192.168.1.51
Jan 15 11:13:25 centos7 realmd[4114]:  * Successfully discovered: ad.example.net
Jan 15 11:13:30 centos7 realmd[4114]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Jan 15 11:13:30 centos7 realmd[4114]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.CDOLVZ -U vadud3 ads join ad.example.net
Jan 15 11:13:39 centos7 realmd[4114]: Enter vadud3's password:
Jan 15 11:13:39 centos7 realmd[4114]: Failed to join domain: User specified does not have administrator privileges
Jan 15 11:13:39 centos7 realmd[4114]:  ! Insufficient permissions to join the domain ad.example.net
So yes, I will need an account with sufficient privilege to join AD.
Is there a way to talk to AD over a proxy? For our environment that will reduce the number of firewall update requests.
On Fri, 11 Jan 2019 at 16:03, vadud3@gmail.com wrote:
On Fri, Jan 11, 2019 at 6:50 AM Sumit Bose sbose@redhat.com wrote:
On Wed, Jan 09, 2019 at 12:47:34PM -0500, vadud3@gmail.com wrote:
Looking for suggestions on ID mapping.
I need to point to an ID provider over a proxy.
I have not found a concrete solution or some hint about how to set up a proxy to an ID provider and how sssd can point to that proxy for ID mapping.
Can you rephrase your question? 'ID provider over proxy' sounds like you want some more details about SSSD's proxy provider as described in the sssd.conf man page. But this is unrelated to what I typically associate with 'ID mapping'. Please give a bit more details about what you are trying to achieve.
I am looking for an ID mapping solution. I do see the following providers:

  "proxy": Support a legacy NSS provider.
  "local": SSSD internal provider for local users (DEPRECATED).
  "files": FILES provider. See sssd-files(5) for more information on how to mirror local users and groups into SSSD.
  "ldap": LDAP provider. See sssd-ldap(5) for more information on configuring LDAP.
  "ipa": FreeIPA and Red Hat Enterprise Identity Management provider. See sssd-ipa(5) for more information on configuring FreeIPA.
  "ad": Active Directory provider. See sssd-ad(5) for more information on configuring Active Directory.
I am looking for a suggestion.

  ad - won't work as we will not be provided the Administrator password
  ldap - won't work as IT says not to use LDAP and to use Kerberos instead for all things UNIX auth, and to use /etc/passwd for id (yikes, we have 100s of servers to manage)
  files - I am not sure how to have a central files for all accounts
  local - seems deprecated
  proxy - I am not sure how to set that up, but seems like easier for a central ID provider?
Please advise
bye, Sumit
All my servers are CentOS 7.
-- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing?
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
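As an added illustration of the "Kerberos for auth, /etc/passwd for id" setup discussed in this thread (not from the thread itself or from the SSSD project), here is an sssd.conf that uses the proxy id provider over the local files NSS module and the krb5 auth provider; the domain name "corp", the realm AD.EXAMPLE.NET, the KDC host dc1.ad.example.net and the group unixadmins are assumptions.

```ini
# Added example /etc/sssd/sssd.conf (not from the thread); names are hypothetical.
[sssd]
config_file_version = 2
services = nss, pam
domains = corp

[domain/corp]
# Identities come from /etc/passwd and /etc/group through libnss_files.
# The passwd/group content itself still has to be distributed to every host;
# SSSD only caches and serves it.
id_provider = proxy
proxy_lib_name = files
enumerate = false

# Authentication goes to the AD KDC over Kerberos. No AD join, machine
# account or LDAP bind is needed for this part.
auth_provider = krb5
chpass_provider = krb5
krb5_realm = AD.EXAMPLE.NET
krb5_server = dc1.ad.example.net

# krb5_validate = true makes SSSD verify the KDC reply against a host key in
# /etc/krb5.keytab, which defends against a spoofed KDC but requires that
# keytab, i.e. some form of host enrolment. Without one it must stay false.
krb5_validate = false
cache_credentials = true

# Restrict logins to a known group even though identities are local.
access_provider = simple
simple_allow_groups = unixadmins
```

Note that this removes the LDAP/AD connections but not the Kerberos one: each host still needs to reach the KDC on port 88, so the proxy id provider alone does not eliminate the firewall rule for authentication.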