Thanks. Below is sssd.conf for the POSIX users.
Would making another domain group named [domain/INT.DOMAIN.COM] conflict? Can we name it to identify what is different between them?

```
[sssd]
debug_level = 3
domains = int.domain.com
config_file_version = 2
reconnection_retries = 3
services = nss, pam

[nss]
reconnection_retries = 3
debug_level = 3
filter_groups = root
filter_users = root

[pam]
debug_level = 3
reconnection_retries = 3

[domain/int.domain.com]
debug_level = 3
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = simple
simple_allow_groups = unix-admin, unix-backup, unix-sudo
ldap_group_nesting_level = 0
cache_credentials = true
min_id = 10000
max_id = 20000
enumerate = false
ldap_referrals = false
ldap_uri = ldaps://ldapad.int.domain.com/
ldap_id_mapping = False
ldap_schema = rfc2307
ldap_group_member = memberuid
ldap_search_base = dc=int,dc=domain,dc=com
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_tls_reqcert = hard
ldap_default_bind_dn = ...
```

--
Sean Roberts

On Tue, Jan 8, 2019 at 12:20 PM Sumit Bose <[email protected]> wrote:

> On Tue, Jan 08, 2019 at 11:29:32AM +0000, Sean Roberts wrote:
> > I'm working on an AD where they've completely separate normal AD users and
> > POSIX users.
> > - AD: All employees have a user.
> > - POSIX: Certain employees get a separate user which is used for POSIX use
> > cases. *(Usernames are prefixed so they never collide).* Their groups are
> > only POSIX groups.
> >
> > How can SSSD get both sets of users and their groups?
> >
> > Could we create a separate [domain/...] for each? Would overrides in
> > [application/...] work?
> >
> > Currently SSSD is only getting the POSIX users and ldap_id_mapping=false is
> > set. We can't really disable that without massive `chown`s across all the
> > systems.
>
> Hi,
>
> I think having two [domain/...] sections for each set of users would be
> best. But it would be good to see your current sssd.conf (sanitized if
> needed) to better understand how the group memberships are defined for
> the POSIX users because there are multiple ways how this can be done
> with AD.
>
> bye,
> Sumit
>
> > --
> > Sean Roberts
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
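
A pre-flight check for the two-domain layout discussed in this thread, as an added example that is not part of the original messages or of SSSD itself. It verifies that every name in `domains =` has a `[domain/...]` section, flags labels that differ only by case, and flags overlapping `min_id`/`max_id` ranges; the sample config, the second domain's settings and the function names are constructed assumptions.

```python
import configparser

# Constructed sample: the thread's POSIX domain plus a hypothetical second
# domain for the regular AD users. Labels and values are assumptions.
SAMPLE = """\
[sssd]
domains = int.domain.com, INT.DOMAIN.COM

[domain/int.domain.com]
id_provider = ldap
ldap_id_mapping = False
min_id = 10000
max_id = 20000

[domain/INT.DOMAIN.COM]
id_provider = ldap
ldap_id_mapping = True
"""

def id_range(cp, section):
    # sssd.conf defaults: min_id = 1, max_id = 0 (0 means no upper limit)
    lo = cp.getint(section, "min_id", fallback=1)
    hi = cp.getint(section, "max_id", fallback=0)
    return lo, (hi if hi else float("inf"))

def lint_domains(text):
    """Return a list of findings about the [domain/...] layout."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    raw = cp.get("sssd", "domains", fallback="")
    enabled = [d.strip() for d in raw.split(",") if d.strip()]
    findings, by_lower, ranges = [], {}, []
    for name in enabled:
        section = f"domain/{name}"
        if not cp.has_section(section):
            findings.append(f"missing section [{section}]")
            continue
        # Conservative check: labels that differ only by case are easy to
        # confuse in logs and fully qualified names, so flag them.
        other = by_lower.setdefault(name.lower(), name)
        if other != name:
            findings.append(f"labels differ only by case: {other}, {name}")
        lo, hi = id_range(cp, section)
        for prev, plo, phi in ranges:
            if lo <= phi and plo <= hi:
                findings.append(f"ID ranges overlap: {prev}, {name}")
        ranges.append((name, lo, hi))
    return findings
```

An empty list from `lint_domains()` means the declared layout passed these three checks; it does not confirm that the two domains return disjoint sets of users from the directory.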
