On 25/08/14 13:44, Andre Pitanga wrote:
Hi Rowland,
You cannot have a 'user' object and a 'group' object with the same name,
I know that, that's what I pose in my original post if you read it. The sAMAccountName has to be unique, but this doesn't seem to apply to display name, for example.
Yes, I did read it, so 'display name' doesn't have to be unique, so what, does anything actually use this attribute in authentication?
Furthermore, the example you give is a 'local unix' user and should not be put into AD. If you did put them into AD, you would have to remove them from /etc/passwd and if the domain went down for some reason, you would have NO USERS at all.
So what? Does sssd not provide local credentials caching? Isn't AD fault-tolerant/highly-available across several hosts? Housing Linux "service accounts" in AD is a very common practice.
Yes, sssd does provide caching, but what happens if the cache gets corrupt? Yes AD is fault tolerant but I still think it is a bad idea to put Linux 'service accounts' into AD and as for 'housing' them in AD being a common practice, I personally have never heard of it.
If you are going to use AD, then I suggest that you do a bit more research, it will not work the way you want it to, this has nothing to do with sssd.
Based on your response it would seem this advice applies more to yourself : )
No, I am a practical person and do my research and will not do anything stupid in production, you might want to, but I cannot advise it.
Rowland
-AP