On Fri, Mar 08, 2019 at 07:25:59PM +0000, Mike Hughes wrote:
Hi SSSD Users list,
Our AD domain is functional level '03 and it's about time we upgrade. We have a little over twenty CentOS (vers. 5, 6 & 7) development servers which use AD for ssh authentication and shared samba mounts. The best info I found regarding this upgrade's impact on Linux shares & authentication is this article from Centrify [1] which mentions that the smb service might have to be restarted.
I also have not found a working, reliable source for the best method to join additional CentOS servers to the domain. Right now we're using a mix of samba and winbind for CentOS 5/6 [2] and sssd for CentOS 7 [3]. My ignorance around Kerberos is vast and I wonder if/how that might play a role in this.
We did notice that with the standard sssd setup, our UID and GIDs were different so we set: --automatic-id-mapping=no and then set the values for each user object manually within ADUC --> Attribute Editor --> gidNumber and uidNumber to match what they reported from a CentOS 6 machine's "id user" command.
I'm increasingly anxious about raising the functional level since it is a one-way process with no rollback option. What are the best sources of information for managing AD integration?
Hi,
from the SSSD point of view there should not be an issue. The two main points, which are also mentioned in [1], are support for AES at the Kerberos level and SID compression in the PAC.
Since you are using SSSD on CentOS 7, SSSD and the underlying Kerberos libraries can handle AES. Additionally, afaik changing the functional level only enables AES support but does not enforce it automatically. So the clients will keep using the old RC4 or DES3 keys from the keytab on the client. Nevertheless, it might be a good idea after the upgrade of the functional level to re-join the client systems or update the keytab by other means so that the more secure AES keys can be used.
SSSD can use the PAC to determine the group memberships of a user. For some time now SSSD has been able to handle SID compression as well (https://pagure.io/SSSD/sssd/issue/3767), but by default other means are used to determine the group memberships of a user. And even if you have the PAC responder running and cannot update to SSSD 1.16.3 or higher, you can still disable the PAC responder.
I cannot comment on how Samba and Winbind, especially the older versions from CentOS 5 and 6, might be affected.
HTH
bye, Sumit
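Sumit's reply above suggests two post-upgrade checks on an SSSD client: whether the host keytab still holds only RC4/DES3 keys, and whether the PAC responder is enabled in sssd.conf. The script below is an added example, not code from the thread or from the SSSD project; it works on constructed `klist -kte` output and a constructed sssd.conf fragment (host dev01.example.com, realm EXAMPLE.COM and the key timestamps are placeholders), so it runs offline. On a real host you would feed it the output of `klist -kte /etc/krb5.keytab` and the contents of /etc/sssd/sssd.conf instead.

```shell
#!/bin/sh
# Added example (not from the original thread or the SSSD project).
# 1. Inspect which encryption types the host keytab carries, so you can tell
#    whether a re-join after raising the functional level actually produced
#    AES keys.
# 2. Detect and disable the SSSD PAC responder in sssd.conf, the fallback Sumit
#    mentions for hosts that cannot move to SSSD 1.16.3 or later.
# All inputs below are constructed samples, not captured data.

# Constructed: `klist -kte /etc/krb5.keytab` on a host joined before the upgrade.
OLD_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   2 01/05/2019 10:00:00 host/dev01.example.com@EXAMPLE.COM (arcfour-hmac)
   2 01/05/2019 10:00:00 host/dev01.example.com@EXAMPLE.COM (des3-cbc-sha1)
   2 01/05/2019 10:00:00 DEV01$@EXAMPLE.COM (arcfour-hmac)'

# Constructed: the same keytab after a re-join (realm leave / realm join), with
# the KVNO bumped and AES keys present alongside the RC4 key.
NEW_KEYTAB_LISTING='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 03/12/2019 09:30:00 host/dev01.example.com@EXAMPLE.COM (aes256-cts-hmac-sha1-96)
   3 03/12/2019 09:30:00 host/dev01.example.com@EXAMPLE.COM (aes128-cts-hmac-sha1-96)
   3 03/12/2019 09:30:00 host/dev01.example.com@EXAMPLE.COM (arcfour-hmac)'

# keytab_enctypes LISTING: print the distinct encryption types, one per line.
# klist -kte ends each key line with the enctype in parentheses; header lines
# have no trailing "(...)" and are skipped by the sed filter.
keytab_enctypes() {
    printf '%s\n' "$1" | sed -n 's/.*(\([^)]*\))$/\1/p' | sort -u
}

# keytab_has_aes LISTING: succeed if any aes*-cts-hmac key is in the keytab.
keytab_has_aes() {
    keytab_enctypes "$1" | grep -q '^aes'
}

# Constructed sssd.conf fragment with the PAC responder enabled.
SSSD_CONF='[sssd]
domains = example.com
config_file_version = 2
services = nss, pam, pac

[domain/example.com]
id_provider = ad
ldap_id_mapping = False'

# pac_responder_enabled CONF: succeed if "pac" appears in the [sssd] services list.
pac_responder_enabled() {
    printf '%s\n' "$1" | grep -Eq '^services *=.*[ =,]pac([ ,]|$)'
}

# disable_pac_responder CONF: print CONF with "pac" removed from the services
# list (the preceding separator is dropped; a following separator is kept).
disable_pac_responder() {
    printf '%s\n' "$1" | sed -E '/^services *=/s/[ ,]*pac([ ,]|$)/\1/'
}

# Stand-alone run: report both checks on the constructed samples.
echo "old keytab enctypes:"; keytab_enctypes "$OLD_KEYTAB_LISTING"
keytab_has_aes "$OLD_KEYTAB_LISTING" && echo "old keytab has AES keys" || echo "old keytab has NO AES keys: re-join or refresh the keytab"
echo "new keytab enctypes:"; keytab_enctypes "$NEW_KEYTAB_LISTING"
keytab_has_aes "$NEW_KEYTAB_LISTING" && echo "new keytab has AES keys" || echo "new keytab has NO AES keys"
pac_responder_enabled "$SSSD_CONF" && echo "PAC responder enabled; rewritten services line:"
disable_pac_responder "$SSSD_CONF" | grep '^services'
```

The keytab check only tells you which keys the client holds; whether a given ticket actually uses AES also depends on the account's msDS-SupportedEncryptionTypes and the KDC policy, so after a re-join it is worth confirming with `klist -e` that a fresh host ticket was issued with an AES session key. Disabling the PAC responder leaves SSSD to resolve group memberships over LDAP, which is the default behaviour Sumit refers to.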
Thank you! Mike
[1] https://community.centrify.com/t5/TechBlog/Basics-Understanding-how-Active-D...
[2] https://www.server-world.info/en/note?os=CentOS_6&p=samba&f=7
[3] https://www.server-world.info/en/note?os=CentOS_7&p=realmd
From: Sumit Bose sbose@redhat.com
> I cannot comment on how Samba and Winbind, especially the older versions from CentOS 5 and 6, might be affected.
Thank you for the information regarding SID compression Sumit. I'll keep an eye on that.
> What are the best sources of information for managing AD integration?
Asking this one again because we're experiencing inconsistent problems with our current AD joining solutions. Does anyone want to share their go-to wiki or best practice regarding joining CentOS 6/7 to AD?
Thanks, Mike