Looking for a suggestion on ID mapping.
I need to point to an ID provider over a proxy.
I have not found a concrete solution or any hint about how to set up a proxy to an ID provider and how sssd can point to that proxy for ID mapping.
All my servers are CentOS 7.
On Wed, Jan 09, 2019 at 12:47:34PM -0500, vadud3@gmail.com wrote:
> Looking for a suggestion on ID mapping.
> I need to point to an ID provider over a proxy.
> I have not found a concrete solution or any hint about how to set up a proxy to an ID provider and how sssd can point to that proxy for ID mapping.
Can you rephrase your question? 'ID provider over proxy' sounds like you want some more details about SSSD's proxy provider as described in the sssd.conf man page. But this is unrelated to what I typically associate with 'ID mapping'. Please give a bit more details about what you are trying to achieve.
bye, Sumit
> All my servers are CentOS 7.
> --
> Asif Iqbal
> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
On Fri, Jan 11, 2019 at 6:50 AM Sumit Bose sbose@redhat.com wrote:
> Can you rephrase your question? 'ID provider over proxy' sounds like you want some more details about SSSD's proxy provider as described in the sssd.conf man page. But this is unrelated to what I typically associate with 'ID mapping'. Please give a bit more details about what you are trying to achieve.
I am looking for an ID mapping solution. I do see the following providers.
“proxy”: Support a legacy NSS provider.
“local”: SSSD internal provider for local users (DEPRECATED).
“files”: FILES provider. See sssd-files(5) for more information on how to mirror local users and groups into SSSD.
“ldap”: LDAP provider. See sssd-ldap(5) for more information on configuring LDAP.
“ipa”: FreeIPA and Red Hat Enterprise Identity Management provider. See sssd-ipa(5) for more information on configuring FreeIPA.
“ad”: Active Directory provider. See sssd-ad(5) for more information on configuring Active Directory.
I am looking for a suggestion.
ad - won't work, as we will not be provided the Administrator password
ldap - won't work, as IT says not to use LDAP and to use Kerberos instead for all things UNIX auth, and to use /etc/passwd for IDs (yikes, we have 100s of servers to manage)
files - I am not sure how to have a central files source for all accounts
local - seems deprecated
proxy - I am not sure how to set that up, but it seems easier for a central ID provider?
Please advise
Emmm.. Do you need the AD Administrator password? Why?
If you need to join a Linux system to the AD domain you can ask the AD administrator to do this. Or you can have a service account set up on AD which has the permissions to join the domain.
On Sat, Jan 12, 2019 at 12:22 PM John Hearns hearnsj@googlemail.com wrote:
> Emmm.. Do you need the AD Administrator password? Why?
I do not need that. I know that.
> If you need to join a Linux system to the AD domain you can ask the AD administrator to do this. Or you can have a service account set up on AD which has the permissions to join the domain.
Right, that is what Sumit suggested as well
# realm join -U vadud3 ad.example.net
Password for vadud3:
See: journalctl REALMD_OPERATION=r10925.4111
realm: Couldn't join realm: Insufficient permissions to join the domain ad.example.net

# journalctl REALMD_OPERATION=r10925.4111
-- Logs begin at Tue 2019-01-15 08:11:19 PST, end at Tue 2019-01-15 11:14:40 PST. --
Jan 15 11:13:24 centos7 realmd[4114]:  * Resolving: _ldap._tcp.ad.example.net
Jan 15 11:13:24 centos7 realmd[4114]:  * Performing LDAP DSE lookup on: 192.168.1.51
Jan 15 11:13:25 centos7 realmd[4114]:  * Successfully discovered: ad.example.net
Jan 15 11:13:30 centos7 realmd[4114]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Jan 15 11:13:30 centos7 realmd[4114]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.CDOLVZ -U vadud3 ads join ad.example.net
Jan 15 11:13:39 centos7 realmd[4114]: Enter vadud3's password:
Jan 15 11:13:39 centos7 realmd[4114]: Failed to join domain: User specified does not have administrator privileges
Jan 15 11:13:39 centos7 realmd[4114]:  ! Insufficient permissions to join the domain ad.example.net
So yes, I will need an account with sufficient privilege to join AD.
Is there a way to talk to AD over a proxy? For our environment that would reduce the number of firewall update requests.
On Tue, Jan 15, 2019 at 02:19:33PM -0500, vadud3@gmail.com wrote:
> Is there a way to talk to AD over a proxy? For our environment that would reduce the number of firewall update requests.
I think you typically use read-only domain controllers (RODC) in a network segment where the clients are for this.
HTH
bye, Sumit
Sumit,
IT decided they won't let Linux servers join their domain.
They offered another service/API for UID/GID lookup.
Is there another way SSSD can do ID mapping, and maybe consume this other service for UID/GID? Every employee has a unique UID/GID in that service.
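One way the proxy provider listed earlier in the thread could be pointed at an external UID/GID source while authentication stays with Kerberos, as the last message asks; this is an added sssd.conf example, not configuration from this thread or from the SSSD project's documentation. The NSS module name corpid (loaded as libnss_corpid.so.2), the KDC host kdc.example.net, the realm EXAMPLE.NET and the group linux-admins are assumptions standing in for IT's lookup service and domain.

```ini
[sssd]
config_file_version = 2
services = nss, pam
domains = corp

[nss]
# Static system accounts stay local; the domain must never answer for them.
filter_users = root
filter_groups = root

[domain/corp]
# Identity (UID/GID, home, shell) is resolved through a legacy NSS module,
# here the hypothetical libnss_corpid.so.2 wrapping IT's UID/GID lookup
# service. SSSD loads the module itself, so it must NOT also be listed in
# /etc/nsswitch.conf (keep "passwd: files sss" there), otherwise lookups
# loop between sss and the module.
id_provider = proxy
proxy_lib_name = corpid
# Enumeration (getent passwd with no argument) is expensive against a
# remote service; leave it off.
enumerate = false

# Authentication stays with Kerberos, as IT requires; no domain join needed.
auth_provider = krb5
chpass_provider = krb5
# Assumption: IT's KDC and realm.
krb5_server = kdc.example.net
krb5_realm = EXAMPLE.NET
# krb5_validate needs a host keytab from the realm; without it SSSD cannot
# check the KDC's reply against the host key. Enable it once IT issues one.
krb5_validate = false
# Allow logins while the KDC is unreachable, using the cached password hash.
cache_credentials = true

# Least privilege: only members of this group may log in on this host.
# The group must be resolvable through the proxy module above.
access_provider = simple
simple_allow_groups = linux-admins
```

After restarting sssd, `getent passwd <user>` should return the UID/GID the external service reports; if it returns nothing, check that the module is absent from /etc/nsswitch.conf and that `sssd_corp.log` shows the proxy child loading libnss_corpid.so.2.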
On Wed, Jan 23, 2019 at 03:21:04PM -0500, vadud3@gmail.com wrote:
> They offered another service/API for UID/GID lookup.
> Is there another way SSSD can do ID mapping, and maybe consume this other service for UID/GID? Every employee has a unique UID/GID in that service.
What kind of service/API is it?
bye, Sumit
On Thu, Jan 24, 2019 at 2:15 AM Sumit Bose sbose@redhat.com wrote:
On Wed, Jan 23, 2019 at 03:21:04PM -0500, vadud3@gmail.com wrote:
Sumit,
IT decides they won't let Linux server to join their domain.
They offered another service/API for UID/GID lookup.
Is there another way SSSD can do ID mapping and may be consume this other service for UID/GID ? Every employee has a unique UID/GID in that service.
What kind of service/API is it?
I am still waiting for an answer from IT. But I went to their resource and did a lookup over browser for a cuid and it gave me back a table with a unique UID and GID.
If I can consume that through an API and query username and get UID/GID, is there a way SSSD can make the same call to generate UID/GID for linux?
bye, Sumit
On Wed, Jan 16, 2019 at 2:21 AM Sumit Bose sbose@redhat.com wrote:
On Tue, Jan 15, 2019 at 02:19:33PM -0500, vadud3@gmail.com wrote:
On Sat, Jan 12, 2019 at 12:22 PM John Hearns <hearnsj@googlemail.com> wrote:
Emmm.. Do you need the AD Administrator password? Why?
I do not need that. I know that.
If you need to join a Linux system to the AD domain you can ask the AD administrator to do this. Or you can have a service account set up on AD which has the permissions to join to the domain.
Right, that is what Sumit suggested as well
# realm join -U vadud3 ad.example.net
Password for vadud3:
See: journalctl REALMD_OPERATION=r10925.4111
realm: Couldn't join realm: Insufficient permissions to join the domain ad.example.net

# journalctl REALMD_OPERATION=r10925.4111
-- Logs begin at Tue 2019-01-15 08:11:19 PST, end at Tue 2019-01-15 11:14:40 PST. --
Jan 15 11:13:24 centos7 realmd[4114]:  * Resolving: _ldap._tcp.ad.example.net
Jan 15 11:13:24 centos7 realmd[4114]:  * Performing LDAP DSE lookup on: 192.168.1.51
Jan 15 11:13:25 centos7 realmd[4114]:  * Successfully discovered: ad.example.net
Jan 15 11:13:30 centos7 realmd[4114]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Jan 15 11:13:30 centos7 realmd[4114]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.CDOLVZ -U vadud3 ads join ad.example.net
Jan 15 11:13:39 centos7 realmd[4114]: Enter vadud3's password:
Jan 15 11:13:39 centos7 realmd[4114]: Failed to join domain: User specified does not have administrator privileges
Jan 15 11:13:39 centos7 realmd[4114]:  ! Insufficient permissions to join the domain ad.example.net
So yes I will need an account with sufficient privilege to join AD
Is there a way to talk to AD over a proxy? For our environment that will reduce the number of firewall update requests.
I think you typically use read-only domain controllers (RODC) in a network segment where the clients are for this.
HTH
bye, Sumit
On Thu, Jan 24, 2019 at 12:39:12PM -0500, vadud3@gmail.com wrote:
On Thu, Jan 24, 2019 at 2:15 AM Sumit Bose sbose@redhat.com wrote:
On Wed, Jan 23, 2019 at 03:21:04PM -0500, vadud3@gmail.com wrote:
Sumit,
IT decides they won't let Linux server to join their domain.
They offered another service/API for UID/GID lookup.
Is there another way SSSD can do ID mapping and may be consume this other service for UID/GID ? Every employee has a unique UID/GID in that service.
What kind of service/API is it?
I am still waiting for an answer from IT. But I went to their resource and did a lookup over browser for a cuid and it gave me back a table with a unique UID and GID.
If I can consume that through an API and query username and get UID/GID, is there a way SSSD can make the same call to generate UID/GID for linux?
This sounds a bit like an HTTP-based API, maybe REST? However, SSSD currently does not support this type of lookup; a new backend would be needed for this.
What would be possible is to read the UIDs and GIDs of all required users and groups and use sss_override (see man sss_override for details) to add the UIDs and GIDs directly into SSSD's cache. Unfortunately this has to be done on every client, and if there are new users or groups you have to add them with sss_override as well.
bye, Sumit
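The sss_override route Sumit describes, as an added example written for this page (it is not code from the thread or from the SSSD project): the script takes a constructed "username uid gid" table standing in for the export of IT's lookup service, whose real format the thread never shows, and turns it into a file for "sss_override user-import" so that every client loads identical overrides. The sample names and ids are constructed; the record layout is the one documented in sss_override(8).

```shell
#!/bin/sh
# Added example (not from the thread): build an sss_override import file from a
# UID/GID table exported by an external lookup service, so the same overrides
# can be loaded on every client with "sss_override user-import FILE".
# The table format is an assumption for this example; the real service's
# export format is not described in the thread.

# Constructed sample export: one "username uid gid" triple per line.
SAMPLE_TABLE='alice 10001 10001
bob 10002 10001
carol 10003 20000'

# build_user_overrides: read "name uid gid" lines on stdin and print one
# import record per line.  sss_override(8) documents the record as
#   original_name:name:uid:gid:gecos:home:shell
# Fields left empty are not overridden, so only the UID and GID change here
# and the name, home and shell SSSD already knows are kept.
build_user_overrides() {
    while read -r name uid gid; do
        [ -n "$name" ] || continue          # skip blank lines
        # Refuse anything that is not a plain numeric id: a malformed or
        # tampered export must not be able to smuggle in odd values.
        case "$uid$gid" in
            *[!0-9]*|'') echo "skipping malformed entry for '$name'" >&2; continue ;;
        esac
        # A ':' in the name would shift the fields of the record and let one
        # entry overwrite another user's attributes, so reject it outright.
        case "$name" in
            *:*) echo "skipping name containing ':' ('$name')" >&2; continue ;;
        esac
        printf '%s::%s:%s:::\n' "$name" "$uid" "$gid"
    done
}

# count_overrides: number of valid records produced for the table in $1.
count_overrides() {
    printf '%s\n' "$1" | build_user_overrides | wc -l | tr -d ' '
}

# Stand-alone usage: write the import file for the constructed table.
printf '%s\n' "$SAMPLE_TABLE" | build_user_overrides > overrides.txt
echo "wrote $(count_overrides "$SAMPLE_TABLE") override records to overrides.txt"
```

Copy overrides.txt to each client and run "sss_override user-import overrides.txt" as root there; after the very first override on a host SSSD has to be restarted before it takes effect, and because overrides live in the SSSD cache the import file (or the output of "sss_override user-export") should be kept so they can be reapplied if the cache is ever removed. Loading the same file everywhere is what keeps a given user's UID identical across the 100+ servers, which is the property shared filesystems and audit trails depend on.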
On Fri, Jan 11, 2019 at 11:03:12AM -0500, vadud3@gmail.com wrote:
On Fri, Jan 11, 2019 at 6:50 AM Sumit Bose sbose@redhat.com wrote:
On Wed, Jan 09, 2019 at 12:47:34PM -0500, vadud3@gmail.com wrote:
Looking for suggestion on ID mapping.
I need to point to a ID provider over proxy
I have not found a concrete solution or some hint about how to setup a proxy to a ID provider and how sssd can point to that proxy for ID mapping.
Can you rephrase your question? 'ID provider over proxy' sounds like you want some more details about SSSD's proxy provider as described in the sssd.conf man page. But this is unrelated to what I typically associate with 'ID mapping'. Please give a bit more details about what you are trying to achieve.
I am looking for a ID mapping solution. I do see following providers.
“proxy”: Support a legacy NSS provider.
“local”: SSSD internal provider for local users (DEPRECATED).
“files”: FILES provider. See sssd-files(5) for more information on how to mirror local users and groups into SSSD.
“ldap”: LDAP provider. See sssd-ldap(5) for more information on configuring LDAP.
“ipa”: FreeIPA and Red Hat Enterprise Identity Management provider. See sssd-ipa(5) for more information on configuring FreeIPA.
“ad”: Active Directory provider. See sssd-ad(5) for more information on configuring Active Directory.
I am looking for a suggestion.
ad - won't work as we will not be provided Administrator password
If the data for all users and groups is stored in AD this would be the most recommended provider. You do not need the Administrator password for SSSD to operate; a "normal" account which can read user and group data is sufficient. Typically this is the machine account which is created when you join the Linux host to the AD domain.
If you use realmd for joining the domain realmd will create a basic SSSD configuration automatically.
To join a domain you do not need the Administrator account either. Please check the AD documentation on how to assign privileges to a "normal" account so that it can be used to join machines.
ldap - won't work as IT says not to use LDAP and use kerberos instead for all things UNIX auth
You can use 'auth_provider = krb5' with 'id_provider = ldap'
and to use /etc/passwd for id (yikes, we have 100s of servers to manage)
files - I am not sure how to have a central files for all accounts
local - seems deprecated
proxy - I am not sure how to set that up, but seems like easier for a central ID provider?
It depends what your central ID provider is and if there already is an nss module for this provider. If your central ID provider is AD please see my comments there.
HTH
bye, Sumit
Please advise
bye, Sumit
All my servers are CentOS 7.
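Sumit's "auth_provider = krb5 with id_provider = ldap" split, as an added example written for this page rather than taken from the thread or from SSSD's documentation: a shell script that renders a minimal sssd.conf for that combination and then runs the checks worth doing before the file is copied to /etc/sssd/sssd.conf. Domain, realm, host names, base DN and CA path are constructed placeholders; the option names are the ones from sssd.conf(5) and sssd-ldap(5).

```shell
#!/bin/sh
# Added example (not from the thread): render the "id_provider = ldap" plus
# "auth_provider = krb5" combination and verify the settings that matter for
# security before deploying it.  All names below are constructed placeholders.

render_sssd_conf() {
    cat <<'EOF'
[sssd]
services = nss, pam
domains = corp.example.net

[domain/corp.example.net]
# Identity (users, groups, ids) is read from the directory over LDAP ...
id_provider = ldap
ldap_uri = ldaps://ldap.corp.example.net
ldap_search_base = dc=corp,dc=example,dc=net
ldap_tls_cacert = /etc/pki/tls/certs/corp-ca.pem
ldap_tls_reqcert = demand
# ... while passwords are verified by the Kerberos KDC and never cross LDAP.
auth_provider = krb5
krb5_realm = CORP.EXAMPLE.NET
krb5_server = kdc.corp.example.net
# If the directory has no POSIX uidNumber/gidNumber, derive stable ids from
# the objectSid instead (AD-style schema).
ldap_schema = ad
ldap_id_mapping = True
ldap_idmap_range_min = 200000
ldap_idmap_range_size = 200000
cache_credentials = True
EOF
}

# setting_is KEY VALUE: succeed if the config on stdin sets KEY to exactly
# VALUE.  Spaces around "=" are tolerated, as sssd.conf allows them.
setting_is() {
    key=$1; value=$2
    grep -E "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*${value}[[:space:]]*$" >/dev/null
}

# check_sssd_conf: the ldap/krb5 split, certificate verification on the LDAP
# channel and ID mapping must all be present.  Prints one line per finding
# and returns the number of failed checks (0 means the config passed).
check_sssd_conf() {
    conf=$(render_sssd_conf)
    failed=0
    for pair in "id_provider=ldap" "auth_provider=krb5" \
                "ldap_tls_reqcert=demand" "ldap_id_mapping=True"; do
        k=${pair%%=*}; v=${pair#*=}
        if printf '%s\n' "$conf" | setting_is "$k" "$v"; then
            echo "ok   $k = $v"
        else
            echo "FAIL $k should be $v"; failed=$((failed + 1))
        fi
    done
    # A plain ldap:// URI would expose directory traffic, and with it the
    # UID/GID data the clients trust, to anyone on the path.
    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*ldap_uri[[:space:]]*=[[:space:]]*ldaps://'; then
        echo "ok   ldap_uri uses ldaps://"
    else
        echo "FAIL ldap_uri is not ldaps://"; failed=$((failed + 1))
    fi
    return "$failed"
}

# Stand-alone usage: show the findings, then print the config if they pass.
check_sssd_conf && render_sssd_conf
```

The check that matters most is the ldaps:// URI together with ldap_tls_reqcert = demand: Kerberos keeps passwords off the LDAP channel, but user and group data still travels over it, and an unverified directory connection would let a spoofed server hand the client arbitrary UID/GID mappings. If the directory offers STARTTLS rather than ldaps, use a plain ldap:// URI with ldap_id_use_start_tls = True and adjust the URI check to match. SSSD expects /etc/sssd/sssd.conf to be root-owned with mode 0600, so set that before starting the service.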
On Fri, Jan 11, 2019 at 12:24 PM Sumit Bose sbose@redhat.com wrote:
If the data for all users and groups is stored in AD this would be the most recommended provider. You do not need the Administrator password for SSSD to operate but a "normal" account which can read user and group data is sufficient. Typically this is machine account which is created when you join the Linux host to the AD domain.
I will check it out Monday at work. But I do remember trying to join with realmd and it was asking for Administrator password. I also tried with -U <mycuid> and it did not let me join.
I have to see if IT is willing to provide us a "machine account" to join our Linux servers
If that is a success, the AD SID will automatically be used to generate UID/GID, I think, correct?
Assuming AD can be used as auth and id provider, then I will need to find a solution to setup a proxy to AD, so all my 100+ servers do not need to setup with firewall and manage access. This last piece deserves a separate new email, so not looking for an answer for this.
Appreciate your help!
On Fri, Jan 11, 2019 at 08:11:52PM -0500, vadud3@gmail.com wrote:
I will check it out Monday at work. But I do remember trying to join with realmd and it was asking for Administrator password. I also tried with -U <mycuid> and it did not let me join.
Yes, a typical user account does not have the rights to join. Please have a look at https://blogs.technet.microsoft.com/dubaisec/2016/02/01/who-can-add-workstat... especially the Delegation section.
I have to see if IT is willing to provide us a "machine account" to join our Linux servers
Strictly speaking the 'machine account' is created during the join; what you need is an account with the needed privileges to join a machine.
It is also possible to pre-create the machine account with a known one-time password, see https://web.archive.org/web/20180310222447/http://stef.thewalter.net/how-to-... (the original site is currently not available).
if that is a success that AD SID will automatically used to generate UID/GID, I think, correct?
yes
Assuming AD can be used as auth and id provider, then I will need to find a solution to setup a proxy to AD, so all my 100+ servers do not need to setup with firewall and manage access. This last piece deserves a separate new email, so not looking for an answer for this.
Appreciate your help!
yw
bye, Sumit
If you use realmd for joining the domain realmd will create a basic SSSD configuration automatically.
To join a domain you do not need the Administrator account either. Please check the AD documentation on how to assign privileges to a "normal" account so that it can be used to join machines.
ldap - won't work as IT says not to use LDAP and use kerberos instead for all things UNIX auth
You can use 'auth_provider = krb5' with 'id_provider = ldap'
and to use /etc/passwd for id (yikes, we have 100s of servers to manage)
files - I am not sure how to have central files for all accounts
local - seems deprecated
proxy - I am not sure how to set that up, but seems easier for a central ID provider?
It depends what your central ID provider is and if there already is an nss module for this provider. If your central ID provider is AD please see my comments there.
HTH
bye, Sumit
Please advise
bye, Sumit
All my servers are CentOS 7.
-- Asif Iqbal PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu A: Because it messes up the order in which people normally read text. Q: Why is top-posting such a bad thing?
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to
sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
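The two configurations Sumit describes above (the AD provider with the SID-based ID mapping, and the 'auth_provider = krb5' with 'id_provider = ldap' fallback if IT insists on Kerberos for authentication) written out as an /etc/sssd/sssd.conf. This is an added example, not a file from the thread or from the SSSD project; the domain names ad.example.com / example.com, the hosts ldap.example.com / kdc.example.com, the host principal and the search base are placeholders. In practice you would enable only one of the two domain sections in 'domains ='; both are shown so the differences are visible side by side.

```ini
[sssd]
config_file_version = 2
services = nss, pam
# Pick the domain you actually use; both are listed here only for illustration.
domains = ad.example.com, example.com

# Option 1 (recommended when users and groups live in AD): the AD provider.
# No Administrator password is needed at runtime; SSSD authenticates to AD with
# the machine account keytab that realmd/adcli wrote during the join.
[domain/ad.example.com]
id_provider = ad
auth_provider = ad
access_provider = ad
ad_domain = ad.example.com
krb5_realm = AD.EXAMPLE.COM
krb5_keytab = /etc/krb5.keytab
cache_credentials = True
# Algorithmic mapping: the domain SID selects a range, the RID becomes the
# offset, so every server derives the same UID/GID for a given SID without
# any shared files. These values are the SSSD defaults, spelled out here.
ldap_id_mapping = True
ldap_idmap_range_min = 200000
ldap_idmap_range_max = 2000200000
ldap_idmap_range_size = 200000
use_fully_qualified_names = False
fallback_homedir = /home/%u@%d
default_shell = /bin/bash

# Option 2: identities from LDAP, authentication via Kerberos.
# The LDAP bind uses the host's own Kerberos credentials (GSSAPI), so no bind
# password is stored in this file, and the transport is LDAPS.
[domain/example.com]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_tls_cacert = /etc/pki/tls/certs/ca-bundle.crt
ldap_sasl_mech = GSSAPI
# Placeholder host principal; must match an entry in the keytab below.
ldap_sasl_authid = host/host1.example.com@EXAMPLE.COM
ldap_krb5_keytab = /etc/krb5.keytab
krb5_realm = EXAMPLE.COM
krb5_server = kdc.example.com
cache_credentials = True
```

The file must be owned by root with mode 0600, or sssd refuses to start. After `systemctl restart sssd`, `getent passwd someuser` (or `someuser@ad.example.com` when fully qualified names are on) should return a UID in the 200000+ range for the AD domain, and `sssctl domain-status ad.example.com` shows whether the provider is online; if the join was done with a delegated (non-Administrator) account as discussed above, nothing in this file changes, because only the machine account's keytab is used from then on.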