On Tue, Jan 08, 2019 at 12:38:09PM +0000, Sean Roberts wrote:
> Thanks.
>
> Below is sssd.conf for the POSIX users.
>
> Would making another domain group named [domain/INT.DOMAIN.COM] conflict?
> Can we name it to identify what is different between them?
>
> ```
> [sssd]
> debug_level = 3
> domains = int.domain.com
> config_file_version = 2
> reconnection_retries = 3
> services = nss, pam
>
> [nss]
> reconnection_retries = 3
> debug_level = 3
> filter_groups = root
> filter_users = root
>
> [pam]
> debug_level = 3
> reconnection_retries = 3
>
> [domain/int.domain.com]
> debug_level = 3
> id_provider = ldap
> auth_provider = ldap
> chpass_provider = ldap
> access_provider = simple
> simple_allow_groups = unix-admin, unix-backup, unix-sudo
> ldap_group_nesting_level = 0
> cache_credentials = true
> min_id = 10000
> max_id = 20000
> enumerate = false
> ldap_referrals = false
> ldap_uri = ldaps://ldapad.int.domain.com/
> ldap_id_mapping = False
> ldap_schema = rfc2307
> ldap_group_member = memberuid
> ldap_search_base = dc=int,dc=domain,dc=com
> ldap_user_object_class = user
> ldap_group_object_class = group
> ldap_user_home_directory = unixHomeDirectory
> ldap_tls_reqcert = hard
> ldap_default_bind_dn = ...
> ```
Thanks. So you are completely using the rfc2307 schema features of AD
including the group memberships. In this case you can add a second domain,
ideally with id_provider=ad, to get the AD view of the users. The AD provider
expects that the default keytab /etc/krb5.keytab contains Kerberos credentials
for the host to access the LDAP service of the AD DCs. So it would be best to
join the domain, e.g. with 'adcli'.

I really would recommend using a completely different domain name, e.g. the
NetBIOS domain name of the AD domain. Although the domain names from
sssd.conf are treated case-sensitive, the default behavior of the AD provider
is to treat all names case-insensitive to be in agreement with the behavior
of AD.

HTH

bye,
Sumit

>
> --
> Sean Roberts
>
>
> On Tue, Jan 8, 2019 at 12:20 PM Sumit Bose <[email protected]> wrote:
>
> > On Tue, Jan 08, 2019 at 11:29:32AM +0000, Sean Roberts wrote:
> > > I'm working on an AD where they've completely separate normal AD users
> > > and POSIX users.
> > > - AD: All employees have a user.
> > > - POSIX: Certain employees get a separate user which is used for POSIX
> > >   use cases. (Usernames are prefixed so they never collide.) Their
> > >   groups are only POSIX groups.
> > >
> > > How can SSSD get both sets of users and their groups?
> > >
> > > Could we create a separate [domain/...] for each? Would overrides in
> > > [application/...] work?
> > >
> > > Currently SSSD is only getting the POSIX users and ldap_id_mapping=false
> > > is set. We can't really disable that without massive `chown`s across
> > > all the systems.
> >
> > Hi,
> >
> > I think having two [domain/...] sections, one for each set of users,
> > would be best. But it would be good to see your current sssd.conf
> > (sanitized if needed) to better understand how the group memberships
> > are defined for the POSIX users, because there are multiple ways how
> > this can be done with AD.
> >
> > bye,
> > Sumit
> >
> > > --
> > > Sean Roberts

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
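An sssd.conf that follows Sumit's suggestion, written as an added example rather than a configuration taken from the thread: the existing rfc2307 domain is kept as posted and a second section with id_provider=ad is added under a different name. The section name INTDOM is an assumed NetBIOS name for int.domain.com, and the host keytab is assumed to exist in /etc/krb5.keytab after an `adcli join int.domain.com`.

```ini
[sssd]
config_file_version = 2
services = nss, pam
# Lookups are tried in this order; the POSIX domain stays first so the
# prefixed POSIX accounts and their uidNumber/gidNumber values win.
domains = int.domain.com, INTDOM

# Existing POSIX domain from the thread, unchanged: fixed IDs from the
# rfc2307 attributes, no ID mapping, access limited by group.
[domain/int.domain.com]
id_provider = ldap
auth_provider = ldap
chpass_provider = ldap
access_provider = simple
simple_allow_groups = unix-admin, unix-backup, unix-sudo
ldap_uri = ldaps://ldapad.int.domain.com/
ldap_search_base = dc=int,dc=domain,dc=com
ldap_schema = rfc2307
ldap_group_member = memberuid
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_id_mapping = False
min_id = 10000
max_id = 20000
ldap_tls_reqcert = hard
cache_credentials = true

# Added AD domain. "INTDOM" is an assumed NetBIOS name; it must differ from
# the section above, and the AD provider matches names case-insensitively.
# Requires Kerberos host credentials in the default keytab, e.g. created by:
#   adcli join int.domain.com
[domain/INTDOM]
id_provider = ad
auth_provider = ad
chpass_provider = ad
access_provider = ad
ad_domain = int.domain.com
krb5_realm = INT.DOMAIN.COM
krb5_keytab = /etc/krb5.keytab
# Plain AD users carry no uidNumber, so IDs are mapped from their SIDs.
# The default mapped range starts at 200000, so it cannot overlap the
# 10000-20000 range of the POSIX domain above.
ldap_id_mapping = True
# Qualified names (user@INTDOM) keep AD accounts from ever shadowing the
# POSIX accounts of the first domain.
use_fully_qualified_names = True
cache_credentials = true
```

Check the result with `id <posixuser>` and `id <aduser>@INTDOM` and confirm the two answers come from different ID ranges before rolling the file out.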
