On Thu, Jan 24, 2019 at 2:15 AM Sumit Bose sbose@redhat.com wrote:
On Wed, Jan 23, 2019 at 03:21:04PM -0500, vadud3@gmail.com wrote:
Sumit,
IT decided they won't let Linux servers join their domain.
They offered another service/API for UID/GID lookup.
Is there another way SSSD can do ID mapping and maybe consume this other service for UID/GID? Every employee has a unique UID/GID in that service.
What kind of service/API is it?
I am still waiting for an answer from IT. But I went to their resource and did a lookup over a browser for a cuid and it gave me back a table with a unique UID and GID.
If I can consume that through an API and query a username and get UID/GID, is there a way SSSD can make the same call to generate UID/GID for Linux?
bye, Sumit
On Wed, Jan 16, 2019 at 2:21 AM Sumit Bose sbose@redhat.com wrote:
On Tue, Jan 15, 2019 at 02:19:33PM -0500, vadud3@gmail.com wrote:
On Sat, Jan 12, 2019 at 12:22 PM John Hearns <hearnsj@googlemail.com> wrote:
Emmm.. Do you need the AD Administrator password? Why?
I do not need that. I know that.
If you need to join a Linux system to the AD domain you can ask the AD administrator to do this. Or you can have a service account set up on AD which has the permissions to join the domain.
Right, that is what Sumit suggested as well.

# realm join -U vadud3 ad.example.net
Password for vadud3:
See: journalctl REALMD_OPERATION=r10925.4111
realm: Couldn't join realm: Insufficient permissions to join the domain ad.example.net

# journalctl REALMD_OPERATION=r10925.4111
-- Logs begin at Tue 2019-01-15 08:11:19 PST, end at Tue 2019-01-15 11:14:40 PST. --
Jan 15 11:13:24 centos7 realmd[4114]:  * Resolving: _ldap._tcp.ad.example.net
Jan 15 11:13:24 centos7 realmd[4114]:  * Performing LDAP DSE lookup on: 192.168.1.51
Jan 15 11:13:25 centos7 realmd[4114]:  * Successfully discovered: ad.example.net
Jan 15 11:13:30 centos7 realmd[4114]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Jan 15 11:13:30 centos7 realmd[4114]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.CDOLVZ -U vadud3 ads join ad.example.net
Jan 15 11:13:39 centos7 realmd[4114]: Enter vadud3's password:
Jan 15 11:13:39 centos7 realmd[4114]: Failed to join domain: User specified does not have administrator privileges
Jan 15 11:13:39 centos7 realmd[4114]:  ! Insufficient permissions to join the domain ad.example.net

So yes, I will need an account with sufficient privilege to join AD.
Is there a way to talk to AD over a proxy? For our environment that will reduce the number of firewall update requests.
I think you typically use read-only domain controllers (RODC) in a network segment where the clients are for this.
HTH
bye, Sumit
On Fri, 11 Jan 2019 at 16:03, vadud3@gmail.com wrote:
On Fri, Jan 11, 2019 at 6:50 AM Sumit Bose sbose@redhat.com wrote:
> On Wed, Jan 09, 2019 at 12:47:34PM -0500, vadud3@gmail.com wrote:
> > Looking for suggestion on ID mapping.
> >
> > I need to point to a ID provider over proxy
> >
> > I have not found a concrete solution or some hint about how to setup a proxy to a ID provider and how sssd can point to that proxy for ID mapping.
>
> Can you rephrase your question? 'ID provider over proxy' sounds like you want some more details about SSSD's proxy provider as described in the sssd.conf man page. But this is unrelated to what I associate typically with 'ID mapping'. Please give a bit more details about what you are trying to achieve.

I am looking for an ID mapping solution. I do see the following providers:

  “proxy”: Support a legacy NSS provider.
  “local”: SSSD internal provider for local users (DEPRECATED).
  “files”: FILES provider. See sssd-files(5) for more information on how to mirror local users and groups into SSSD.
  “ldap”: LDAP provider. See sssd-ldap(5) for more information on configuring LDAP.
  “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider. See sssd-ipa(5) for more information on configuring FreeIPA.
  “ad”: Active Directory provider. See sssd-ad(5) for more information on configuring Active Directory.

I am looking for a suggestion.

ad - won't work as we will not be provided the Administrator password
ldap - won't work as IT says not to use LDAP and to use Kerberos instead for all things UNIX auth, and to use /etc/passwd for id (yikes, we have 100s of servers to manage)
files - I am not sure how to have a central files for all accounts
local - seems deprecated
proxy - I am not sure how to set that up, but seems like easier for a central ID provider?

Please advise
> bye,
> Sumit
>
> > All my servers are CentOS 7.
> >
> > --
> > Asif Iqbal
> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > A: Because it messes up the order in which people normally read text.
> > Q: Why is top-posting such a bad thing?
> > _______________________________________________
> > sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
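The proxy provider that Sumit points to in the sssd.conf man page, and that the constraints above (no domain join, Kerberos for auth, local passwd/group for identity) lead towards, is an SSSD domain whose identity lookups are delegated to an existing NSS library while authentication goes to a Kerberos KDC. The sssd.conf below is an added example written for this thread; it is not configuration posted by anyone on the list or shipped by the SSSD project. The domain name "example", the KDC host kdc.example.net and the realm EXAMPLE.NET are placeholders to be replaced with the site's own values.

```ini
; /etc/sssd/sssd.conf (added example, not from the thread)
; SSSD refuses to start unless this file is owned by root and mode 0600.
[sssd]
config_file_version = 2
services = nss, pam
domains = example

[domain/example]
; Identity (UID/GID, group membership) comes from a legacy NSS library.
; proxy_lib_name = NAME makes SSSD dlopen libnss_NAME.so directly, so
; "files" here means libnss_files, i.e. /etc/passwd and /etc/group.
; A site-specific NSS module wrapping another lookup service would be
; named the same way (libnss_NAME.so -> proxy_lib_name = NAME).
id_provider = proxy
proxy_lib_name = files

; Authentication is Kerberos only; no LDAP bind and no AD membership needed.
auth_provider = krb5
krb5_realm = EXAMPLE.NET
krb5_server = kdc.example.net
; Let users log in from cache when the KDC is unreachable.
cache_credentials = true
```

After restarting sssd, `getent passwd <user>` should return the entry via the sss NSS module and `su - <user>` should obtain a ticket from the KDC; `klist` as that user confirms the credential cache. Keep `files` ahead of `sss` in /etc/nsswitch.conf so local system accounts resolve without a round trip through SSSD, and note that this arrangement does not by itself solve the central-ID problem from the thread: the passwd and group files still have to be distributed to every host, or replaced by an NSS module that talks to the lookup service IT offered.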