On 21/07/14 07:03, Jakub Hrozek wrote:
On Sat, Jul 19, 2014 at 02:42:46PM +0100, Rowland Penny wrote:
On 18/07/14 20:50, Dmitri Pal wrote:
On 07/18/2014 03:19 PM, Rowland Penny wrote:
On 18/07/14 20:03, Dmitri Pal wrote:
On 07/18/2014 11:53 AM, Rowland Penny wrote:
On 18/07/14 16:18, Jakub Hrozek wrote:
On Thu, Jul 10, 2014 at 11:20:10AM +0100, Rowland Penny wrote:
Any suggestions as to what I check next??
Sorry for the delayed reply.
Looks like an ACI problem to me, the first search binds as
[email protected], the second as
cn=Administrator,cn=Users,dc=example,dc=com
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
Er, could you please expand 'ACI' for me, I haven't a clue what you
are talking about ;-)
Access Control Instructions in LDAP on the server side.
In one case the account has privileges to get information and in the other
it does not. You need to change permission on the server for the SSSD
account to have permission to do the search.
Thanks, you have confirmed what I thought was going on, have you any
idea how I can give machines the required rights in Active Directory or
can you point me at a webpage that explains how to do it?
Sorry, no. I would defer to technical gurus to chime in on Monday.
Rowland
OK, I have now got sudo to work on my laptop, but the only way I could find
was to add the laptop to Domain Admins. This confirms that it is a
permissions problem, but I do not think adding every linux computer to
Domain Admins is really a good idea.
No, it's not :-)
So where do we go from here ?? Will sssd & sudo work out of the box on any
linux distro against AD ?
No, because sudo is not present on the AD side out of the box. I assume
you had to add the entries yourself anyway to the AD server, including
extending the schema, so it really depends on how you set up the AD
I am using a samba4 server and yes I did extend the schema and added the
sudo rules, but I did ALL of this on the Debian wheezy backports server.
server.
Normally I use ADSI Edit to edit the permissions. If you right-click the
sudo container in ADSI, select properties and then go to the Security Tab,
do you see "Authenticated users" there? btw I'm using Windows Server 2012,
not sure if the dialogs look any different in earlier versions.
So what you are saying is, to get a UNIX program to work on a UNIX
machine running against a UNIX AD DC, you have to set it up on a
WINDOWS machine ??? What happens if you do not have a windows machine or
if you do, you don't have ADSI Edit ??
Also there were a couple of questions on the subject lately so I wrote
up what I did for testing here:
https://jhrozek.livejournal.com/3860.html
Yes, I read that, amongst lots of other things, none of which said that
you definitely had to get windows involved.
This is quite likely the biggest bug I personally have ever heard of ;-)
Rowland