We do a lot of our group management - upstream from AD - using Grouper (https://incommon.org/software/grouper/). Being an academic institution, we have way too many tails for one (like an upstart AD) to suddenly sprout a dog. But none of that has complicated our success with SSSD on Linux, or provisioning with Ansible.
On Wednesday, November 16, 2022 at 7:16:02 AM UTC-5 [email protected] wrote:

> We have nested groups and the GPO evaluation properly unrolls them for
> deep group membership evaluation. SSSD has come a long way in the last
> three years. The developers are very responsive.
>
> Walter
> --
> Walter Rowe, Division Chief
> Infrastructure Services, OISM
> Mobile: 202.355.4123
>
> On Nov 16, 2022, at 12:37 AM, David Logan <[email protected]> wrote:
>
> I had issues with sssd and nested groups; basically it didn't work with
> nesting. This was some time ago, so it may have been resolved. We have
> multiple domains and members from one or more that need to authenticate to
> a server, so PowerBroker worked for us at the time and still does.
>
> On Wed, 16 Nov 2022 at 11:05, Todd Lewis <[email protected]> wrote:
>
>> Interesting. None of that has been our experience, but then we only have
>> about 45,000 people in our AD.
>>
>> On 11/15/22 8:17 PM, Nico Kadel-Garcia wrote:
>>
>> On Tue, Nov 15, 2022 at 7:17 AM 'Rowe, Walter P. (Fed)' via Ansible
>> Project <[email protected]> wrote:
>>
>> Look at SSSD for joining your Linux machine to AD. We use it and find it
>> very reliable. It also enables use of smart cards for SSH logins if your
>> public keys are populated in your AD user objects, if you work in an
>> environment that requires smart card login (2-factor).
>>
>> sssd has a lot of configuration issues and some serious performance
>> issues. It works best with FreeIPA rather than Active Directory: it's
>> basically a Samba core with a FreeIPA body bolted on top of it, and it
>> does not scale to large AD environments. (Its insistence on
>> pre-caching the *entire* LDAP of the AD server, and crashing if it
>> times out on that pre-load, is deadly for bulky, remote environments.)
>>
>> For a very simple AD setup, it can work well. Be aware that it will
>> transform account names like "nkadel" in the "example.com" AD domain
>> to "[email protected]", except when it doesn't, and the account
>> management can get pretty funky if you don't want to use the long form
>> all the time. Also be prepared to overload the 2048 maximum
>> line-length limit in /etc/group with such account names if you're not
>> cautious, and it has to be dealt with that way unless you do
>> considerable extra work in sssd.conf and elsewhere, in ways that
>> upgrades to sssd tend to erase. If you have to use it, be prepared to
>> spend time tuning sssd itself with Ansible and managing
>> credentials with which to register the Ansible target hosts in AD.
>>
>> Nico Kadel-Garcia
>> Email: [email protected]
>>
>> Walter
>> --
>> Walter Rowe, Division Chief
>> Infrastructure Services, OISM
>> Mobile: 202.355.4123
>>
>> On Nov 15, 2022, at 12:39 AM, David Logan <[email protected]> wrote:
>>
>> Hi Chris,
>>
>> I use PowerBroker to provide this sort of functionality. This auths to AD,
>> and when I show my groups at the command line, all AD and local groups are
>> shown. PowerBroker has the AD user id and this can be added to the group in
>> /etc/group.
>>
>> What are you trying to do?
>>
>> Regards
>> David
>>
>> On Tue, 15 Nov 2022 at 09:47, 'Chris Bidwell - NOAA Federal' via Ansible
>> Project <[email protected]> wrote:
>>
>> Hi all,
>>
>> Is there a way to add an AD user to a local Linux group? The user function
>> doesn't work because it's only looking in /etc/passwd for this user.
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Ansible Project" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To view this discussion on the web visit
>> https://groups.google.com/d/msgid/ansible-project/11e4ab9c-195c-af78-6a34-bfb8deb9c1e9%40gmail.com
>
> --
> if in trouble, or in doubt
> run in circles, scream and shout
>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/CA%2B8iFp6JJUq0x%2BDpumeLz0PGo4boXOB%2B2zg8ywNqVXt%2B_uum0Q%40mail.gmail.com

--
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/1e65ddac-f7be-4fdc-b0ca-1146fd126d08n%40googlegroups.com.
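An added example for the original question in this thread (how to put an AD account into a local Linux group from Ansible); it is not code from any poster or from the Ansible project. It assumes the target hosts are already joined to AD through sssd, so the account resolves through NSS; the value of `ad_user` must be spelled exactly as `id` prints it on the host (with `use_fully_qualified_names = True` in sssd.conf that is the `user@domain` form Nico describes). The group name `docker`, the host pattern and the account name are placeholders. The 2048-byte threshold is the figure quoted in the thread, used here only as a guard so that a long list of fully-qualified names in /etc/group is noticed rather than silently truncated by whatever tool reads it.

```yaml
---
# Added example, not from the thread. Assumptions: sssd-joined targets,
# ad_user spelled as `id` prints it there, and an existing local group.
- name: Add an AD user to a local group on sssd-joined hosts
  hosts: all
  become: true
  vars:
    ad_user: "[email protected]"    # hypothetical; must match `id` output on the host
    local_group: "docker"                  # hypothetical local group in /etc/group
    max_group_line: 2048                   # line-length ceiling quoted in the thread

  tasks:
    # The user module is not needed: gpasswd looks the account up through
    # NSS, so an sssd-provided account works. Resolve it first so a
    # misspelled or unresolvable name fails with a clear message.
    - name: Resolve the AD user through NSS (fails if sssd cannot see it)
      ansible.builtin.getent:
        database: passwd
        key: "{{ ad_user }}"

    # getent_group[name] is [password, gid, "member1,member2,..."].
    - name: Read the current members of the local group
      ansible.builtin.getent:
        database: group
        key: "{{ local_group }}"

    - name: Add the user only when not already a member
      ansible.builtin.command:
        argv: [gpasswd, -a, "{{ ad_user }}", "{{ local_group }}"]
      when: ad_user not in getent_group[local_group][2].split(',')

    - name: Re-read the group after the change
      ansible.builtin.getent:
        database: group
        key: "{{ local_group }}"

    - name: Fail if the user is still not a member
      ansible.builtin.assert:
        that: ad_user in getent_group[local_group][2].split(',')
        fail_msg: "{{ ad_user }} is not a member of {{ local_group }} after gpasswd"

    # Guard for the /etc/group line-length problem raised in the thread:
    # print line number and length of any line over the ceiling and fail.
    - name: Flag /etc/group lines that grew past the length ceiling
      ansible.builtin.command:
        argv:
          - awk
          - -v
          - "max={{ max_group_line }}"
          - 'length($0) > max { print NR, length($0) }'
          - /etc/group
      register: long_group_lines
      changed_when: false
      failed_when: long_group_lines.stdout | length > 0
```

Run it with `ansible-playbook -i inventory add_ad_user_to_group.yml -e ad_user='[email protected]' -e local_group=docker`. Because the membership check runs before `gpasswd`, the play reports `changed` only on the run that actually adds the user, and the final `assert` catches the case Nico mentions where sssd resolves the name in one form but the group file ends up with another.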
