=== SSSD 1.11.5 ===
The SSSD team is proud to announce the release of version 1.11.5 of the System Security Services Daemon.
As always, the source is available from https://fedorahosted.org/sssd
RPM packages will be made available for Fedora 19, 20 and rawhide shortly.
== Feedback ==
Please provide comments, bugs and other feedback via the sssd-devel or sssd-users mailing lists: https://lists.fedorahosted.org/mailman/listinfo/sssd-devel https://lists.fedorahosted.org/mailman/listinfo/sssd-users
== Highlights ==
* This release focuses primarily on bug fixes.
* The release addresses an issue where the SSSD was not able to detect all domains in the forest if it was connected to an AD DC which was not the forest root
* A new AD sudo provider was introduced. Setting sudo_provider=ad uses the same connection options as id_provider=ad, which simplifies the configuration for users who store sudo rules on an Active Directory server.
* The ID mapping ranges are checked for collisions before being used, making SSSD more robust in cases where the ranges would collide
* Password changes when using OTPs with an IPA server are now supported. Please note that this functionality is not present in the released FreeIPA versions yet.
* Several bugs related to setting an SELinux user context from an IPA server were fixed
== Documentation Changes ==
* A new pam_sss option ignore_unknown_user was added. Setting this option makes pam_sss return PAM_IGNORE when processing an unknown user instead of PAM_USER_UNKNOWN. This option is mostly useful for BSD systems.
== Tickets Fixed ==
https://fedorahosted.org/sssd/ticket/1955 SSSD pam module accepts usernames with leading spaces
https://fedorahosted.org/sssd/ticket/1958 [RFE] Expose the list of trusted domains to IPA
https://fedorahosted.org/sssd/ticket/2153 If both IPA and LDAP are set up with enumeration on, two enum tasks are running
https://fedorahosted.org/sssd/ticket/2218 sssd.conf man pages don't list a configuration option.
https://fedorahosted.org/sssd/ticket/2226 Make SSSD compilable on systems with non-standard paths to krb5 includes
https://fedorahosted.org/sssd/ticket/2232 [freebsd] pam_sss: add ignore_unknown_user option
https://fedorahosted.org/sssd/ticket/2235 MAN: Remove misleading memberof example from ldap_access_filter example
https://fedorahosted.org/sssd/ticket/2251 not retrieving homedirs of AD users with posix attributes
https://fedorahosted.org/sssd/ticket/2252 Document that `sssd` cache needs to be cleared manually, if ID mapping configuration changes
https://fedorahosted.org/sssd/ticket/2253 Check IPA idranges before saving them to the cache
https://fedorahosted.org/sssd/ticket/2256 Evaluate usage of sudo LDAP provider together with the AD provider
https://fedorahosted.org/sssd/ticket/2257 Setting int option to 0 yields the default value
https://fedorahosted.org/sssd/ticket/2263 ipa-server-mode: Use lower-case user name component in home dir path
https://fedorahosted.org/sssd/ticket/2264 SSSD Does not cache SELinux map from FreeIPA correctly
https://fedorahosted.org/sssd/ticket/2270 IPA SELinux code looks for the host in the wrong sysdb subdir when a trusted user logs in
https://fedorahosted.org/sssd/ticket/2271 sssd fails to handle expired passwords when OTP is used
https://fedorahosted.org/sssd/ticket/2279 Add another Kerberos error code to trigger IPA password migration
https://fedorahosted.org/sssd/ticket/2280 Double OK when starting the service
https://fedorahosted.org/sssd/ticket/2282 SSSD should create the SELinux mapping file with format expected by pam_selinux
https://fedorahosted.org/sssd/ticket/2284 Valgrind: Invalid read of int while processing netgroup
https://fedorahosted.org/sssd/ticket/2285 other subdomains are unavailable when joined to a subdomain in the ad forest
https://fedorahosted.org/sssd/ticket/2289 Error during password change
https://fedorahosted.org/sssd/ticket/2293 configure time variables not expanded when running ./configure
https://fedorahosted.org/sssd/ticket/2300 RHEL7 IPA selinuxusermap hbac rule not always matching
== Detailed Changelog ==
Alexey Shabalin (1):
* Use KRB5_CFLAGS where appropriate
Jakub Hrozek (16):
* Updating the version for the 1.11.5 release
* IPA: Don't call tevent_req_post outside _send
* IPA: Don't fail if apply_subdomain_homedir returns ENOENT
* OPTS: Allow using defaults for blobs
* DP: Provide separate dp_copy_defaults function
* MAN: Clarify the ldap_access_filter option further
* MAN: Clarify that changing ID mapping options might require purging the cache
* IPA: Do not save intermediate data to sysdb
* AD: Only connect to GC for subdomain users
* MAN: Clarify the GC support a bit
* IPA: Use the correct domain when processing SELinux rules
* IPA: Write SELinux usernames in the right case
* KRB5: Do not attempt to get a TGT after a password change using OTP
* AD: connect to forest root when downloading the list of subdomains
* IPA: Fix SELinux mapping order memory hierarchy
* Updating the translations for the 1.11.5 release
Lukas Slebodnik (10):
* SPEC: Use systemd on available platforms
* LDAP: Setup periodic task only once.
* UTIL: Sanitize whitespaces.
* DOC: Fix names of arguments in doxygen comments
* AD: Continue if sssd fails to check extra members
* SYSV: Do not call functions success and fail itself
* IPA: Use function sysdb_attrs_get_el in safe way
* Makefile: Add missing library to the dp_opt_tests
* TESTS: Link libsss_test_common with tevent
* Makefile: Use alternative method to replace *bindir
Michal Zidek (1):
* Possible null dereference in SELinux code
Nathaniel McCallum (1):
* Fix krb5 changepw when FAST-only preauth methods are used (like OTP)
Pete Fritchman (1):
* PAM: add ignore_unknown_user option
Stef Walter (1):
* providers: Fix types passed to dbus varargs functions
Sumit Bose (13):
* IDMAP: add sss_idmap_check_collision(_ex)
* IPA: refactor idmap code and add test
* IPA: check ranges for collisions before saving them
* libsss_idmap: bump version-info
* config API: add missing subdomain target to AD provider test
* SUDO: AD provider
* ipa-server-mode: use lower-case user name for home dir
* IPA: Use GC for AD initgroup requests
* IPA/KRB5: handle KRB5_PROG_ETYPE_NOSUPP during IPA password migration
* krb5_child: remove unused option lifetime_str from k5c_setup_fast()
* krb5-child: extract lifetime settings into set_lifetime_options()
* krb5_client: rename krb5_set_canonicalize() to set_canonicalize_option()
* krb5-child: add revert_changepw_options()
Hi Jakub,
Great news, I have questions:
1. If we use AD as the sudo provider, does it mean the same ldap schema is expected for sudo rules? If yes, it would mean system admin would have to extend the AD schema to accommodate the SUDO needs, right?
2. Is something similar possible with the autofs provider? I.e. "autofs_provider = ad"?
Thanks,
Ondrej

From: sssd-users-bounces@lists.fedorahosted.org [sssd-users-bounces@lists.fedorahosted.org] on behalf of Jakub Hrozek [jhrozek@redhat.com]
Sent: Tuesday, April 08, 2014 1:31 PM
To: sssd-devel@lists.fedorahosted.org; sssd-users@lists.fedorahosted.org; freeipa-interest@redhat.com
Subject: [SSSD-users] Announcing SSSD 1.11.5
_______________________________________________ sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
On 04/09/2014 09:03 AM, Ondrej Valousek wrote:
Hi Jakub,
Great news, I have questions:
- If we use AD as the sudo provider, does it mean the same ldap schema is expected for sudo rules? If yes, it would mean system admin would have to extend the AD schema to accommodate the SUDO needs, right?
I think there is a standard sudoers schema that SUDO expects. You need to load it into your AD if you want to get it from AD. But you might be better off using IPA for that.
- Is something similar possible with the autofs provider? I.e. "autofs_provider = ad"?
Not at the moment.
On Wed, Apr 09, 2014 at 01:03:38PM +0000, Ondrej Valousek wrote:
Hi Jakub,
Great news, I have questions:
- If we use AD as the sudo provider, does it mean the same ldap schema is expected for sudo rules? If yes, it would mean system admin would have to extend the AD schema to accommodate the SUDO needs, right?
Yes, we expect the same schema as described in http://www.sudo.ws/sudo/sudoers.ldap.man.html
Maybe it would be also helpful to see how I tested the feature and compare that with your environment: https://lists.fedorahosted.org/pipermail/sssd-devel/2014-February/018663.htm...
- Is something similar possible with the autofs provider? I.e. "autofs_provider = ad"?
Yes, but nobody wrote the patch so far. The patch would be nearly trivial, but the big question for me so far was -- what schema is mostly used for automounter maps in AD environments? We need to set some reasonable defaults.
Thanks Jakub,
Is the link to the schema mentioned somewhere? I cannot find it on the wiki page of the project. As for the automounter, I would vote for using the RFC2307 automounter schema when dealing with the AD. I.e. the following mapping:
ldap_autofs_entry_key = cn
ldap_autofs_entry_object_class = nisObject
ldap_autofs_entry_value = nisMapEntry
ldap_autofs_map_name = nisMapName
ldap_autofs_map_object_class = nisMap
The advantage is that:
- RFC2307 is still a standard (albeit a bit older than RFC2307bis)
- you do not have to extend the AD schema for this (which could be a troublesome operation in many companies)
And besides, I am using this configuration happily for quite some time :)
Ondrej
From: sssd-users-bounces@lists.fedorahosted.org [sssd-users-bounces@lists.fedorahosted.org] on behalf of Jakub Hrozek [jhrozek@redhat.com]
Sent: Wednesday, April 09, 2014 6:58 PM
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] Announcing SSSD 1.11.5
On Thu, Apr 10, 2014 at 08:28:21AM +0000, Ondrej Valousek wrote:
Thanks Jakub,
Is the link to the schema mentioned somewhere? I cannot find it on the wiki page of the project. As for the automounter, I would vote for using the RFC2307 automounter schema when dealing with the AD. I.e. the following mapping:
ldap_autofs_entry_key = cn
ldap_autofs_entry_object_class = nisObject
ldap_autofs_entry_value = nisMapEntry
ldap_autofs_map_name = nisMapName
ldap_autofs_map_object_class = nisMap
The advantage is that:
- RFC2307 is still a standard (albeit a bit older than RFC2307bis)
- you do not have to extend the AD schema for this (which could be a troublesome operation in many companies)
And besides, I am using this configuration happily for quite some time :)
Ondrej
See https://fedorahosted.org/sssd/wiki/DesignDocs/AutofsIntegration#TheLDAPschem...
So you're using the "NIS schema" which we currently don't have a shorthand for. We could make that the default for AD, but is this combination used commonly for AD autofs or just in your setup?
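The five ldap_autofs_* options Ondrej lists above, and Jakub's point that SSSD has no shorthand for the NIS schema, come down to telling the provider which object classes and attributes hold the map name, the entry key and the entry value. The following Python example is added here (it is not SSSD's code) to show the same automounter data stored in AD's built-in RFC 2307 NIS schema and in the rfc2307bis automount schema resolving to identical autofs maps once the matching mapping is applied; the LDIF, the example.com names and the `AutofsSchema`/`load_maps` helpers are constructed for the illustration.

```python
"""Added example, not SSSD code: what the ldap_autofs_* options in the thread do.
Automounter data in the RFC 2307 "NIS" schema built into AD (nisMap/nisObject) and
in the rfc2307bis schema SSSD defaults to (automountMap/automount) resolve to the
same autofs maps once the attribute names are mapped. All LDIF is constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class AutofsSchema:
    map_object_class: str    # ldap_autofs_map_object_class
    map_name: str            # ldap_autofs_map_name
    entry_object_class: str  # ldap_autofs_entry_object_class
    entry_key: str           # ldap_autofs_entry_key
    entry_value: str         # ldap_autofs_entry_value

# Ondrej's mapping from the thread (RFC 2307 NIS schema, built into AD).
NIS_SCHEMA = AutofsSchema("nisMap", "nisMapName", "nisObject", "cn", "nisMapEntry")

# SSSD's default values for the LDAP autofs provider (rfc2307bis automount schema).
RFC2307BIS_SCHEMA = AutofsSchema("automountMap", "automountMapName", "automount",
                                 "automountKey", "automountInformation")

NIS_LDIF = """
dn: nisMapName=auto.master,ou=automount,dc=ad,dc=example,dc=com
objectClass: nisMap
nisMapName: auto.master

dn: cn=/home,nisMapName=auto.master,ou=automount,dc=ad,dc=example,dc=com
objectClass: nisObject
cn: /home
nisMapName: auto.master
nisMapEntry: auto.home

dn: nisMapName=auto.home,ou=automount,dc=ad,dc=example,dc=com
objectClass: nisMap
nisMapName: auto.home

dn: cn=alice,nisMapName=auto.home,ou=automount,dc=ad,dc=example,dc=com
objectClass: nisObject
cn: alice
nisMapName: auto.home
nisMapEntry: -fstype=nfs4 nfs1.example.com:/export/home/alice
"""

RFC2307BIS_LDIF = """
dn: automountMapName=auto.master,ou=automount,dc=example,dc=com
objectClass: automountMap
automountMapName: auto.master

dn: automountKey=/home,automountMapName=auto.master,ou=automount,dc=example,dc=com
objectClass: automount
automountKey: /home
automountInformation: auto.home

dn: automountMapName=auto.home,ou=automount,dc=example,dc=com
objectClass: automountMap
automountMapName: auto.home

dn: automountKey=alice,automountMapName=auto.home,ou=automount,dc=example,dc=com
objectClass: automount
automountKey: alice
automountInformation: -fstype=nfs4 nfs1.example.com:/export/home/alice
"""


def parse_ldif(text):
    """Minimal LDIF reader: one dict per entry, attribute names lower-cased
    (LDAP attribute names are case-insensitive), values kept as lists."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(": ")
            entry.setdefault(attr.lower(), []).append(value)
        entries.append(entry)
    return entries


def resolve_autofs_maps(entries, schema):
    """Return {map name: {key: value}} the way SSSD's LDAP autofs provider does:
    find map objects by object class, then collect the entry objects that sit
    below each map's DN (SSSD runs a subtree search under the map)."""
    def has_class(entry, object_class):
        return object_class.lower() in (v.lower() for v in entry.get("objectclass", []))

    def single(entry, attr):
        values = entry.get(attr.lower(), [])
        if len(values) != 1:  # reject incomplete or ambiguous objects
            raise ValueError(f"{entry['dn'][0]}: expected exactly one {attr}")
        return values[0]

    maps = {}
    for map_entry in (e for e in entries if has_class(e, schema.map_object_class)):
        map_dn = single(map_entry, "dn").lower()
        keys = maps.setdefault(single(map_entry, schema.map_name), {})
        for entry in entries:
            if (has_class(entry, schema.entry_object_class)
                    and single(entry, "dn").lower().endswith("," + map_dn)):
                keys[single(entry, schema.entry_key)] = single(entry, schema.entry_value)
    return maps


def load_maps(ldif_text, schema):
    return resolve_autofs_maps(parse_ldif(ldif_text), schema)
```

Reading the NIS tree with SSSD's default (rfc2307bis) names yields no maps at all, which is the symptom of a missing mapping rather than an error.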
As far as I know there is no "default for AD" as I do not know of anyone else using SSSD with the AD backend for autofs integration :/. The fact is that AD has RFC2307 (i.e. NIS schema) already built in (for the use of its "server for NIS") so my approach is more/less "least pain" option :).
Ondrej

From: sssd-users-bounces@lists.fedorahosted.org [sssd-users-bounces@lists.fedorahosted.org] on behalf of Jakub Hrozek [jhrozek@redhat.com]
Sent: Thursday, April 10, 2014 10:50 AM
To: sssd-users@lists.fedorahosted.org
Subject: Re: [SSSD-users] Announcing SSSD 1.11.5
I think the cleanest solution would be to make "autofs_provider = ad" work while expecting the true automount schema (rfc2307bis) on the AD side. I can always remap it to my NIS schema as I do now...
O.
From: sssd-users-bounces@lists.fedorahosted.org [sssd-users-bounces@lists.fedorahosted.org] on behalf of Ondrej Valousek
Sent: Thursday, April 10, 2014 11:21 AM
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] Announcing SSSD 1.11.5
On Thu, Apr 10, 2014 at 10:28:15AM +0000, Ondrej Valousek wrote:
I think the cleanest solution would be to make "autofs_provider = ad" working while expecting the true automount schema (rfc2307bis) on the AD side. I can always remap it to my NIS schema as I do now.... O.
Yeah, that would be my preference as well. I did a quick google search, but didn't find any document that would describe what is the most widely used schema for using autofs maps with AD.
But you're right, the schema can be re-mapped; not having to define the LDAP connection properties would be worth the effort.
How can I find out if my AD supports RFC2307 automounter schema?
longina

From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej Valousek
Sent: 10. april 2014 10:28
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] Announcing SSSD 1.11.5
Thanks Jakub,
Is the link to the schema mentioned somewhere? I can not find it on the wiki page of the project. As of the automounter, I would vote for using RFC2307 automounter schema when dealing with the AD. I.e. the following mapping:
ldap_autofs_entry_key = cn ldap_autofs_entry_object_class = nisObject ldap_autofs_entry_value = nisMapEntry ldap_autofs_map_name = nisMapName ldap_autofs_map_object_class = nisMap
The advantage is that: - RFC2307 is still a standard 9albeit bit older than RFC2307bis) - you do not have to extend the AD schema for this (which could be a troublesome operation in many companies)
And besides, I am using this configuration happily for quite some time :) Ondrej
________________________________________ From: sssd-users-bounces@lists.fedorahosted.org [sssd-users-bounces@lists.fedorahosted.org] on behalf of Jakub Hrozek [jhrozek@redhat.com] Sent: Wednesday, April 09, 2014 6:58 PM To: sssd-users@lists.fedorahosted.org Subject: Re: [SSSD-users] Announcing SSSD 1.11.5
On Wed, Apr 09, 2014 at 01:03:38PM +0000, Ondrej Valousek wrote:
Hi Jakub,
Great news, I have questions:
- If we use AD as the sudo provider, does it mean the same LDAP schema is expected for sudo rules? If yes, it would mean the system admin would have to extend the AD schema to accommodate the SUDO needs, right?
Yes, we expect the same schema as described in http://www.sudo.ws/sudo/sudoers.ldap.man.html
Maybe it would be also helpful to see how I tested the feature and compare that with your environment: https://lists.fedorahosted.org/pipermail/sssd-devel/2014-February/018663.htm...
- Is something similar possible with the autofs provider? I.e. "autofs_provider = ad"?
Yes, but nobody wrote the patch so far. The patch would be nearly trivial, but the big question for me so far was -- what schema is mostly used for automounter maps in AD environments? We need to set some reasonable defaults.
_______________________________________________
sssd-users mailing list sssd-users@lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/sssd-users
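A runnable illustration of the nisMap/nisObject mapping Ondrej proposes above, written here as an added example (not SSSD code and not from anyone on this thread): it reads constructed RFC2307 automount entries, groups them the way the ldap_autofs_* options would, and answers the "does my AD have the schema?" question by checking the objectClasses values of a subschema entry. Assumptions: the OU, NFS host and user names are made up, and on AD the subschema entry to fetch with ldapsearch is CN=Aggregate,CN=Schema,CN=Configuration,<forest root>.

```python
"""Added example (not SSSD's code, not from anyone on this thread): RFC2307
nisMap/nisObject automount entries -> autofs pairs, plus a subschema check."""
import re

# Constructed sample LDIF; OU=automount and nfs.example.com are made up.
SAMPLE_LDIF = """\
dn: nisMapName=auto.home,OU=automount,DC=example,DC=com
objectClass: nisMap
nisMapName: auto.home

dn: CN=alice,nisMapName=auto.home,OU=automount,DC=example,DC=com
objectClass: nisObject
cn: alice
nisMapName: auto.home
nisMapEntry: -rw,soft nfs.example.com:/export/home/alice
"""

# SSSD option -> LDAP class/attribute, the mapping from the thread (lower-cased)
RFC2307_AUTOFS = {
    "ldap_autofs_map_object_class": "nismap",
    "ldap_autofs_map_name": "nismapname",
    "ldap_autofs_entry_object_class": "nisobject",
    "ldap_autofs_entry_key": "cn",
    "ldap_autofs_entry_value": "nismapentry",
}

def parse_ldif(text):
    """Minimal LDIF reader: list of dicts, attribute -> list of values."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")   # split at the first colon only
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def autofs_maps(entries, m=RFC2307_AUTOFS):
    """Group entry objects under their map: {map name: [(key, value), ...]}."""
    maps = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        name = e.get(m["ldap_autofs_map_name"], [None])[0]
        if m["ldap_autofs_map_object_class"] in classes:
            maps.setdefault(name, [])            # map container, may be empty
        elif m["ldap_autofs_entry_object_class"] in classes:
            maps.setdefault(name, []).append(
                (e[m["ldap_autofs_entry_key"]][0], e[m["ldap_autofs_entry_value"]][0]))
    return maps

def schema_has_rfc2307_autofs(object_classes):
    """True if the objectClasses values of a subschema entry define both classes."""
    names = set()
    for definition in object_classes:
        found = re.search(r"NAME\s+\(?\s*'([^']+)'", definition)
        if found:
            names.add(found.group(1).lower())
    return {"nismap", "nisobject"} <= names
```

Feeding a real map exported with ldapsearch through parse_ldif is the quickest way to see whether the keys and nisMapEntry values line up with what autofs expects before pointing sssd at it.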
RFC2307 support comes with Windows Server 2003R2 and newer domain controllers, so unless you have ancient AD, the support is already there.
O.
________________________________________
From: sssd-users-bounces@lists.fedorahosted.org [sssd-users-bounces@lists.fedorahosted.org] on behalf of Longina Przybyszewska [longina@sdu.dk]
Sent: Wednesday, April 16, 2014 11:22 AM
To: 'End-user discussions about the System Security Services Daemon'
Subject: Re: [SSSD-users] Announcing SSSD 1.11.5
Thank you. So what I need is a container in AD to put all the automount attributes in, and is this supposed to be a standard exercise for an AD admin?
Longina
-----Original Message-----
From: sssd-users-bounces@lists.fedorahosted.org [mailto:sssd-users-bounces@lists.fedorahosted.org] On Behalf Of Ondrej Valousek
Sent: 17. april 2014 10:47
To: End-user discussions about the System Security Services Daemon
Subject: Re: [SSSD-users] Announcing SSSD 1.11.5
Nope. Since a standard Windows AD admin does not really care about / know anything about the Linux automounter ;)
________________________________________
From: sssd-users-bounces@lists.fedorahosted.org [sssd-users-bounces@lists.fedorahosted.org] on behalf of Longina Przybyszewska [longina@sdu.dk]
Sent: Friday, April 18, 2014 10:53 AM
To: 'End-user discussions about the System Security Services Daemon'
Subject: Re: [SSSD-users] Announcing SSSD 1.11.5
<shameless plug> This is why we built the trust functionality in FreeIPA, so you can manage Linux machines with it and let users be managed in AD. This way Linux admins do their thing and Windows admins theirs, and they do not have to interact much, let alone need to learn all these strange things of the other platform :-) </shameless plug>
On Fri, 2014-04-18 at 08:53 +0000, Longina Przybyszewska wrote: