[SSSD-users] Re: Migrating from Quest...
I've successfully converted our entire nonprod RHEL6 and 7 environment. It's only since it's fully out there that this issue has occurred.

On Wed, Mar 18, 2020, 22:29 Thomas Harrison wrote:
> Simple Forest too.

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
[SSSD-users] Re: Migrating from Quest...
Simple Forest too.

On Wed, Mar 18, 2020 at 10:13 PM Thomas Harrison wrote:
> Wow Spike! You're faster and better than the support we pay for! 8)
>
> Summary.
> RHEL 6 and 7. Plus AWS.
> I already wrote the scripts to convert user IDs to match. (Our
> /etc/opt/quest/vas/mapfile had jdoe mapped to jdoeXX.)
> We are limiting, for the most part, the above conversion to only entries in
> the mapfile. This would exclude App IDs and Service Account IDs.
>
> Unfortunately, the scenario I've run across is that I only limit the
> users, and not the Service Accounts, to login via *realm permit*, and an
> inappropriate *su - App_ID* can create it if *getent passwd App_ID* works.
> I've tried encouraging that local accounts not have AD names, but that
> seems to have fallen on deaf ears.
>
> I would like to create these IDs locally with UID:GID etc. that I
> specify, but I'm having issues when SSSD is running. It appears that
> setting up a [domain/local] might be the key, along with sss_useradd? But
> I would like the ID to be created in /etc/passwd as well if possible. We
> are discussing a 2500 Linux server environment.
>
> Thanks!
>
> Thom
[SSSD-users] Re: Migrating from Quest...
Wow Spike! You're faster and better than the support we pay for! 8)

Summary.
RHEL 6 and 7. Plus AWS.
I already wrote the scripts to convert user IDs to match. (Our /etc/opt/quest/vas/mapfile had jdoe mapped to jdoeXX.)
We are limiting, for the most part, the above conversion to only entries in the mapfile. This would exclude App IDs and Service Account IDs.

Unfortunately, the scenario I've run across is that I only limit the users, and not the Service Accounts, to login via *realm permit*, and an inappropriate *su - App_ID* can create it if *getent passwd App_ID* works. I've tried encouraging that local accounts not have AD names, but that seems to have fallen on deaf ears.

I would like to create these IDs locally with UID:GID etc. that I specify, but I'm having issues when SSSD is running. It appears that setting up a [domain/local] might be the key, along with sss_useradd? But I would like the ID to be created in /etc/passwd as well if possible. We are discussing a 2500 Linux server environment.

Thanks!

Thom

On Wed, Mar 18, 2020 at 10:01 PM Spike White wrote:
> Thomas,
>
> Greetings! I work at a company that is now far along in transitioning
> from Quest to sssd. We have a fairly complex AD forest, with multiple
> older Linux OS versions we support.
>
> An excellent place to start is here:
>
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index
>
> Focus on the "direct integration" section.
>
> How simple or difficult your migration journey is depends on two things:
> 1. How complex your AD forest is (multiple trusted subdomains?
> Extensive use of GC and universal groups? Or a simple flat one-domain
> forest?)
> 2. How far back in Linux OS versions do you wish to support?
>
> If you have a simple flat forest and if you don't have to support anything
> earlier than RHEL7, the conversion should be relatively easy.
>
> With some effort, you can support cross-domain authentication with RHEL6
> as well. RHEL5? Forget about it!
>
> BTW, I'm quite familiar with the VAS commands and what the sssd
> analogs are. (About 99% of what we did in VAS, we have figured out how to do
> in sssd.)
>
> About your specific question. There are multiple answers, depending on what
> you want to do.
>
> 1. You can define "files" first in /etc/nsswitch.conf before "sss". It
> will find your local /etc/passwd entry first, instead of your AD entry.
> That masks your AD entry.
>
> 2. However, if there's just some item of that AD entry you wish to
> override locally (like the login name or UID), but you otherwise wish to
> use the AD entry -- then you would run the "sss_override" command to
> locally override the specified item of that AD entry.
>
> Spike
[SSSD-users] Re: Migrating from Quest...
Thomas,

Greetings! I work at a company that is now far along in transitioning from Quest to sssd. We have a fairly complex AD forest, with multiple older Linux OS versions we support.

An excellent place to start is here:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/windows_integration_guide/index

Focus on the "direct integration" section.

How simple or difficult your migration journey is depends on two things:
1. How complex your AD forest is (multiple trusted subdomains? Extensive use of GC and universal groups? Or a simple flat one-domain forest?)
2. How far back in Linux OS versions do you wish to support?

If you have a simple flat forest and if you don't have to support anything earlier than RHEL7, the conversion should be relatively easy.

With some effort, you can support cross-domain authentication with RHEL6 as well. RHEL5? Forget about it!

BTW, I'm quite familiar with the VAS commands and what the sssd analogs are. (About 99% of what we did in VAS, we have figured out how to do in sssd.)

About your specific question. There are multiple answers, depending on what you want to do.

1. You can define "files" first in /etc/nsswitch.conf before "sss". It will find your local /etc/passwd entry first, instead of your AD entry. That masks your AD entry.

2. However, if there's just some item of that AD entry you wish to override locally (like the login name or UID), but you otherwise wish to use the AD entry -- then you would run the "sss_override" command to locally override the specified item of that AD entry.

Spike

On Wed, Mar 18, 2020 at 9:38 PM Thomas Harrison wrote:
> You'd like a specific question... So here it is. How do I create a local
> user (/etc/passwd) so I can define UID, GID, gecos, shell, when it
> already exists in a getent lookup?
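Spike's two options both hinge on the order of `files` and `sss` in /etc/nsswitch.conf, and the problem Thom describes is a local account name that also resolves from AD. The script below is an added example written for this thread, not code from the thread or from the SSSD project: it checks, for a given database, whether `files` precedes `sss` in an nsswitch.conf, and lists login names that appear both in a local passwd file and in a dump of directory entries. The nsswitch.conf contents, the passwd lines and the file names under the temporary directory are all constructed sample data.

```shell
#!/bin/sh
# Added example, not from the thread: check whether local files win over sss
# in an nsswitch.conf, and list account names that exist both in the local
# passwd file and in the directory (the collision behind "su - App_ID"
# resolving an AD entry). All input below is constructed sample data.

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# Returns 0 if "files" is listed before "sss" for database $2 (passwd, group,
# ...) in the nsswitch.conf given as $1; returns 1 if sss comes first or if
# either source is missing from that line.
files_before_sss() {
    conf="$1"; db="$2"
    order=$(sed -n "s/^[[:space:]]*${db}:[[:space:]]*//p" "$conf" | head -n 1)
    fpos=0; spos=0; i=0
    set -f    # action tokens such as [NOTFOUND=return] must not glob-expand
    for src in $order; do
        i=$((i + 1))
        if [ "$src" = files ] && [ "$fpos" -eq 0 ]; then fpos=$i; fi
        if [ "$src" = sss ] && [ "$spos" -eq 0 ]; then spos=$i; fi
    done
    set +f
    [ "$fpos" -gt 0 ] && [ "$spos" -gt 0 ] && [ "$fpos" -lt "$spos" ]
}

# Prints the login names present in both passwd-format files: $1 the local
# /etc/passwd, $2 the directory entries (what "getent -s sss passwd" returns).
# Any name printed here resolves no matter which source is consulted first.
colliding_names() {
    cut -d: -f1 "$1" | sort -u > "$tmpdir/local.names"
    cut -d: -f1 "$2" | sort -u > "$tmpdir/dir.names"
    comm -12 "$tmpdir/local.names" "$tmpdir/dir.names"
}

# Constructed sample inputs (not taken from any real host).
cat > "$tmpdir/nsswitch.sss-first" <<'EOF'
passwd:     sss files systemd
shadow:     files sss
group:      sss files systemd
EOF
cat > "$tmpdir/nsswitch.files-first" <<'EOF'
passwd:     files sss systemd
shadow:     files sss
group:      files sss systemd
EOF
cat > "$tmpdir/local.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
appsvc:x:1200:1200:App service account:/opt/app:/bin/bash
jdoe:x:1001:1001:Local J. Doe:/home/jdoe:/bin/bash
EOF
cat > "$tmpdir/dir.passwd" <<'EOF'
appsvc:*:1834201105:1834200513:App Service:/home/appsvc:/bin/bash
jdoe:*:1834201106:1834200513:John Doe:/home/jdoe:/bin/bash
asmith:*:1834201107:1834200513:Alice Smith:/home/asmith:/bin/bash
EOF

for f in sss-first files-first; do
    if files_before_sss "$tmpdir/nsswitch.$f" passwd; then
        echo "$f: local passwd entries mask directory entries"
    else
        echo "$f: directory entries mask local passwd entries"
    fi
done
echo "names defined both locally and in the directory:"
colliding_names "$tmpdir/local.passwd" "$tmpdir/dir.passwd"
```

On a real host, point `files_before_sss` at /etc/nsswitch.conf and feed `colliding_names` the output of `getent -s sss passwd` (which only enumerates the whole directory when SSSD's `enumerate` option is on; otherwise query the specific names you care about). Names that show up in both sources are exactly the ones where the nsswitch order decides which identity `su`, `getent` and PAM see, so either make the local entry win by listing `files` first, or pin the attributes on the AD entry with `sss_override user-add NAME -u UID -g GID` as Spike's option 2 describes.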
[SSSD-users] Re: Migrating from Quest...
You'd like a specific question... So here it is. How do I create a local user (/etc/passwd) so I can define UID, GID, gecos, shell, when it already exists in a getent lookup?

On Wed, Mar 18, 2020, 21:32 Thomas Harrison wrote:
> And wanting to learn all I can about sssd.
[SSSD-users] Migrating from Quest...
And wanting to learn all I can about sssd.
[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation
> On Tue, Mar 17, 2020 at 02:17:06PM -, Hristina Marosevic wrote:
> > Hi,
>
> about 'certificate_verification = no_verification', there is an issue
> which was fixed by
> https://pagure.io/SSSD/sssd/c/31ebf912d6426aea446b2bdae919d4e33b0c95be
> but the fix is not in the build you are using. So better continue with
> 'certificate_verification = no_ocsp'.
>
> Please add all CA certificates to the NSS database /etc/pki/nssdb with
> the help of the certutil command:
>
> certutil -A -n "CA cert nickname" -t C,C,C -i /path/to/CA_cert_file -d /etc/pki/nssdb
>
> Each CA certificate should get an individual nickname. If your
> CA_cert_file is in PEM format (with BEGIN CERTIFICATE and END
> CERTIFICATE lines) you might need to add a '-a' option as well.
>
> If there are still issues please send the strace output.
>
> HTH
>
> bye,
> Sumit

Hello,

I just tried to add the certificates (intermediate and root CA) to the database and I got the error "certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format." for each one. The configuration in sssd is still not changed and no other step is executed due to this error. I think it is important to solve this problem first, and that this one is not related to the sssd configuration and the certificate_verification option in the config file. Can you propose a solution for this?

BR,
Hristina
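The certutil error quoted above is the message NSS gives when it finds the legacy Berkeley-DB layout (cert8.db, key3.db, secmod.db) in a database directory and has been built without support for reading it; the SQLite layout uses cert9.db, key4.db and pkcs11.txt and is selected with the `sql:` prefix on the `-d` argument. The script below is an added example written for this thread, not code from the thread or from the SSSD or NSS projects: it reports which layout a directory holds, detects whether a certificate file is PEM (so that Sumit's `-a` option is needed), and builds the `certutil -A` command with one nickname per CA and the `C,C,C` trust flags from his message. The nicknames, the two sample database directories and the stand-in certificate files are constructed, and the command is only printed, not executed, so the script runs without certutil installed.

```shell
#!/bin/sh
# Added example, not from the thread: tell the legacy dbm NSS database layout
# apart from the SQLite one before calling certutil, and assemble the import
# command (one nickname per CA, trust flags C,C,C, -a only for PEM input).
# All directories and certificate files below are constructed stand-ins.

tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

# Prints "dbm" for the legacy Berkeley-DB layout (cert8.db/key3.db), "sql" for
# the SQLite layout (cert9.db/key4.db), "both" if files of both layouts are
# present in $1, or "none" if the directory holds neither.
nssdb_format() {
    dir="$1"; legacy=0; sql=0
    if [ -e "$dir/cert8.db" ] || [ -e "$dir/key3.db" ]; then legacy=1; fi
    if [ -e "$dir/cert9.db" ] || [ -e "$dir/key4.db" ]; then sql=1; fi
    if [ "$legacy" -eq 1 ] && [ "$sql" -eq 1 ]; then echo both
    elif [ "$legacy" -eq 1 ]; then echo dbm
    elif [ "$sql" -eq 1 ]; then echo sql
    else echo none
    fi
}

# Returns 0 if $1 carries PEM armour (certutil then needs -a), 1 otherwise
# (the file is presumably DER).
is_pem_cert() {
    grep -q 'BEGIN CERTIFICATE' "$1"
}

# Prints the certutil invocation that adds the CA certificate $2 under the
# nickname $1 to the database directory $3. The directory is addressed with
# the sql: prefix so certutil uses the SQLite layout rather than trying to
# open a legacy dbm database.
certutil_import_cmd() {
    nick="$1"; cert="$2"; dir="$3"; pem=""
    if is_pem_cert "$cert"; then pem="-a "; fi
    printf 'certutil -A -d sql:%s -n "%s" -t C,C,C %s-i %s\n' "$dir" "$nick" "$pem" "$cert"
}

# Constructed sample layouts: empty marker files only, no real NSS data.
mkdir -p "$tmpdir/legacydb" "$tmpdir/sqldb"
for f in cert8.db key3.db secmod.db; do : > "$tmpdir/legacydb/$f"; done
for f in cert9.db key4.db pkcs11.txt; do : > "$tmpdir/sqldb/$f"; done

# Constructed certificate stand-ins: PEM armour around a placeholder body, and
# a plain file standing in for a DER-encoded certificate.
printf '%s\n' '-----BEGIN CERTIFICATE-----' \
    'placeholder-not-a-real-certificate' \
    '-----END CERTIFICATE-----' > "$tmpdir/rootca.pem"
printf 'constructed DER stand-in, no PEM armour\n' > "$tmpdir/intermediate.der"

for d in legacydb sqldb; do
    printf '%s: %s\n' "$d" "$(nssdb_format "$tmpdir/$d")"
done
# Nicknames are assumed placeholders; pick one distinct nickname per CA.
certutil_import_cmd "Corp Root CA" "$tmpdir/rootca.pem" /etc/pki/nssdb
certutil_import_cmd "Corp Issuing CA" "$tmpdir/intermediate.der" /etc/pki/nssdb
```

When `nssdb_format` reports `dbm` for /etc/pki/nssdb, the imports will only succeed against a SQLite-format database, which `certutil -N -d sql:/etc/pki/nssdb` creates alongside the old files; after adding the CAs, `certutil -L -d sql:/etc/pki/nssdb` should list each nickname with the `C,C,C` trust flags. Whether the sssd build in use opens that directory in the SQLite format is something to confirm on the host (the strace output Sumit asked for would show which files it opens) rather than assume.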