We have nested groups and the GPO evaluation properly unrolls them for deep 
group membership evaluation. SSSD has come a long ways in the last three years. 
The developers are very responsive.

Walter
--
Walter Rowe, Division Chief
Infrastructure Services, OISM
Mobile: 202.355.4123

On Nov 16, 2022, at 12:37 AM, David Logan <[email protected]> wrote:

I had issues with sssd and nested groups, basically it didn't work with 
nesting. This was some time ago so it may have been resolved. We have multiple 
domains and members from one or more that need to authenticate to a server so 
PowerBroker worked for us at the time and still does.

On Wed, 16 Nov 2022 at 11:05, Todd Lewis <[email protected]> wrote:
Interesting. None of that has been our experience, but then we only have about 
45,000 people in our AD.

On 11/15/22 8:17 PM, Nico Kadel-Garcia wrote:

On Tue, Nov 15, 2022 at 7:17 AM 'Rowe, Walter P. (Fed)' via Ansible Project <[email protected]> wrote:


Look at SSSD for joining your Linux machine to AD. We use it and find it very 
reliable. It also enables use of smart card for SSH logins if your public keys 
are populated in your AD user objects if you work in an environment that 
requires smart card login (2-factor).


sssd has a lot of configuration issues and some very performance
issues. It works best with FreeIPA rather than Active Directory: it's
basically a Samba core with a FreeIPA body bolted on top of it, and it
does not scale to large AD environments. (Its insistence on
pre-caching the *entire* LDAP of the AD server and crashing if it
times out on that pre-load, is deadly for bulky, remote environments.)

For a very simple AD setup, it can work well. Be aware that it will
transform account names like "nkadel" in the "example.com" AD domain
to "[email protected]", except when it doesn't, and the account
management can get pretty funky if you don't want to use the long form
all the time. Also be prepared to overload the 2048 maximum
line-length limit in /etc/group with such account names if you're not
cautious, and has to be dealt with that way unless you do
considerable extra work, in the sssd.conf and elsewhere in ways that
upgrades to sssd tend to erase. If you have to use it, be prepared to
spend time tuning the sssd itself with Ansible and managing
credentials with which to register the ansible target hosts in AD.

Nico Kadel-Garcia
Email: [email protected]



Walter
--
Walter Rowe, Division Chief
Infrastructure Services, OISM
Mobile: 202.355.4123

On Nov 15, 2022, at 12:39 AM, David Logan <[email protected]> wrote:

Hi Chris,

I use PowerBroker to provide this sort of functionality. This auths to AD and 
when I show my groups at the command line, all AD and local groups are shown. 
PowerBroker has the AD user id and this can be added to the group in /etc/group.

What are you trying to do?

Regards
David
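An added example, not from anyone in this thread: a small POSIX shell routine that does what David describes, but through NSS rather than by editing /etc/group by hand. It resolves the account with `getent passwd` (so an SSSD- or PowerBroker-backed AD user is found even though it is absent from /etc/passwd), checks whether the user is already a member so the step is idempotent under Ansible, and only then calls `gpasswd -a`. It also reports the byte length of a group's line, which is the check to run before adding long `user@domain` names. `GROUP_FILE` and `GPASSWD` are assumed overridable so the logic can be exercised against a constructed copy of the group file without root.

```shell
#!/bin/sh
# Added example (not code from the thread): add an NSS-resolved AD account to a
# local group idempotently. Assumptions: the account resolves via `getent passwd`
# (SSSD, PowerBroker, or any NSS backend) and the caller may run `gpasswd`.
# GROUP_FILE and GPASSWD default to the real ones but can be overridden for
# testing against a constructed group file.

GROUP_FILE="${GROUP_FILE:-/etc/group}"
GPASSWD="${GPASSWD:-gpasswd}"

# user_resolves USER -> 0 if NSS (not only /etc/passwd) knows the account
user_resolves() {
    getent passwd "$1" >/dev/null 2>&1
}

# group_has_member GROUP USER -> 0 if USER is already in GROUP's member field
group_has_member() {
    _group="$1"; _user="$2"
    _members=$(awk -F: -v g="$_group" '$1 == g { print $4 }' "$GROUP_FILE")
    [ -n "$_members" ] || return 1
    printf '%s\n' "$_members" | tr ',' '\n' | grep -qx -- "$_user"
}

# group_line_length GROUP -> prints the byte length of that group's line
group_line_length() {
    awk -F: -v g="$1" '$1 == g { print length($0) }' "$GROUP_FILE"
}

# add_ad_user_to_local_group GROUP USER
#   returns 2 if the account does not resolve, 0 if already a member or
#   after a successful gpasswd call
add_ad_user_to_local_group() {
    _group="$1"; _user="$2"
    if ! user_resolves "$_user"; then
        echo "no such account via NSS: $_user" >&2
        return 2
    fi
    if group_has_member "$_group" "$_user"; then
        return 0   # nothing to do; keeps an Ansible command task idempotent
    fi
    "$GPASSWD" -a "$_user" "$_group"
}

# Typical use on a joined host (run as root):
#   add_ad_user_to_local_group wheel 'jdoe@example.com'
#   group_line_length wheel
```

Under Ansible this is the body of a `command` task with a `changed_when` keyed on whether `gpasswd` actually ran; the `user` module is bypassed entirely because the account lives in AD, not in /etc/passwd.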

On Tue, 15 Nov 2022 at 09:47, 'Chris Bidwell - NOAA Federal' via Ansible Project <[email protected]> wrote:


Hi all,

Is there a way to add an AD user to a local Linux group? The user function 
doesn't work because it's only looking in /etc/passwd for this user.




--
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/11e4ab9c-195c-af78-6a34-bfb8deb9c1e9%40gmail.com.


--
if in trouble, or in doubt
run in circles, scream and shout

