On Sat, Jan 12, 2019 at 12:22 PM John Hearns <[email protected]> wrote:
> Emmm.. Do you need the AD Administrator password? Why?
> I do not need that. I know that.
>
> If you need to join a Linux system to the AD domain you can ask the AD administrator to do this.
> Or you can have a service account set up on AD which has the permissions to join to the domain.

Right, that is what Sumit suggested as well

# realm join -U vadud3 ad.example.net
Password for vadud3:
See: journalctl REALMD_OPERATION=r10925.4111
realm: Couldn't join realm: Insufficient permissions to join the domain ad.example.net

# journalctl REALMD_OPERATION=r10925.4111
-- Logs begin at Tue 2019-01-15 08:11:19 PST, end at Tue 2019-01-15 11:14:40 PST. --
Jan 15 11:13:24 centos7 realmd[4114]:  * Resolving: _ldap._tcp.ad.example.net
Jan 15 11:13:24 centos7 realmd[4114]:  * Performing LDAP DSE lookup on: 192.168.1.51
Jan 15 11:13:25 centos7 realmd[4114]:  * Successfully discovered: ad.example.net
Jan 15 11:13:30 centos7 realmd[4114]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
Jan 15 11:13:30 centos7 realmd[4114]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.CDOLVZ -U vadud3 ads join ad.example.net
Jan 15 11:13:39 centos7 realmd[4114]: Enter vadud3's password:
Jan 15 11:13:39 centos7 realmd[4114]: Failed to join domain: User specified does not have administrator privileges
Jan 15 11:13:39 centos7 realmd[4114]:  ! Insufficient permissions to join the domain ad.example.net

So yes, I will need an account with sufficient privilege to join AD.

Is there a way to talk to AD over a proxy? For our environment that will reduce the number of firewall update requests.

> On Fri, 11 Jan 2019 at 16:03, <[email protected]> wrote:
>
>> On Fri, Jan 11, 2019 at 6:50 AM Sumit Bose <[email protected]> wrote:
>>
>>> On Wed, Jan 09, 2019 at 12:47:34PM -0500, [email protected] wrote:
>>> > Looking for suggestion on ID mapping.
>>> >
>>> > I need to point to an ID provider over proxy
>>> >
>>> > I have not found a concrete solution or some hint about how to set up a proxy to an ID provider and how sssd can point to that proxy for ID mapping.
>>>
>>> Can you rephrase your question? 'ID provider over proxy' sounds like you want some more details about SSSD's proxy provider as described in the sssd.conf man page. But this is unrelated to what I typically associate with 'ID mapping'. Please give a bit more details about what you are trying to achieve.
>>
>> I am looking for an ID mapping solution. I do see the following providers.
>>
>> “proxy”: Support a legacy NSS provider.
>>
>> “local”: SSSD internal provider for local users (DEPRECATED).
>>
>> “files”: FILES provider. See sssd-files(5) for more information on how to mirror local users and groups into SSSD.
>>
>> “ldap”: LDAP provider. See sssd-ldap(5) for more information on configuring LDAP.
>>
>> “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider. See sssd-ipa(5) for more information on configuring FreeIPA.
>>
>> “ad”: Active Directory provider. See sssd-ad(5) for more information on configuring Active Directory.
>>
>> I am looking for a suggestion.
>> ad - won't work as we will not be provided the Administrator password
>> ldap - won't work as IT says not to use LDAP and to use kerberos instead for all things UNIX auth, and to use /etc/passwd for id (yikes, we have 100s of servers to manage)
>> files - I am not sure how to have a central files for all accounts
>> local - seems deprecated
>> proxy - I am not sure how to set that up, but seems like easier for a central ID provider?
>>
>> Please advise
>>
>>> bye,
>>> Sumit
>>>
>>> > All my servers are CentOS 7.
>>> >
>>> > --
>>> > Asif Iqbal
>>> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>>> > A: Because it messes up the order in which people normally read text.
>>> > Q: Why is top-posting such a bad thing?
>>> >
>>> > _______________________________________________
>>> > sssd-users mailing list -- [email protected]
>>> > To unsubscribe send an email to [email protected]
>>> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>> > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
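As an added example (not from the thread, realmd or sssd), a small Python parser for the kind of journalctl output quoted in the message above: it pulls out the join account and target domain and separates an insufficient-privilege failure, which needs a delegated join account, from a discovery failure, which points at DNS or firewall reachability. The journalctl line format, the regexes and the sample lines are assumptions modelled on the quoted log.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: the realmd lines from the journalctl output quoted in the thread.
SAMPLE_JOURNAL = """\
Jan 15 11:13:24 centos7 realmd[4114]:  * Resolving: _ldap._tcp.ad.example.net
Jan 15 11:13:25 centos7 realmd[4114]:  * Successfully discovered: ad.example.net
Jan 15 11:13:30 centos7 realmd[4114]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.CDOLVZ -U vadud3 ads join ad.example.net
Jan 15 11:13:39 centos7 realmd[4114]: Enter vadud3's password:
Jan 15 11:13:39 centos7 realmd[4114]: Failed to join domain: User specified does not have administrator privileges
Jan 15 11:13:39 centos7 realmd[4114]:  ! Insufficient permissions to join the domain ad.example.net
"""

# Assumed journalctl short format: "Mon DD HH:MM:SS host realmd[pid]: message"
LINE_RE = re.compile(r"^\w{3} +\d+ [\d:]+ \S+ realmd\[\d+\]: (?P<msg>.*)$")
# The "net ads join" command line realmd logs before running it (assumed shape, from the thread)
NET_JOIN_RE = re.compile(r"/usr/bin/net .*-U (?P<user>\S+) ads join (?P<domain>\S+)")

@dataclass
class JoinAttempt:
    domain: Optional[str] = None
    join_user: Optional[str] = None
    discovered: bool = False                         # domain found via DNS SRV + LDAP DSE
    errors: List[str] = field(default_factory=list)  # "Failed to join ..." and " ! ..." lines

def parse_realmd_journal(text: str) -> JoinAttempt:
    # Pull the join account, target domain and error lines out of realmd's journal
    attempt = JoinAttempt()
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skips the "-- Logs begin at ..." banner and non-realmd lines
        msg = m.group("msg").strip()
        if msg.startswith("* "):
            if msg.startswith("* Successfully discovered: "):
                attempt.discovered = True
                attempt.domain = msg.split(": ", 1)[1]
            nj = NET_JOIN_RE.search(msg)
            if nj:
                attempt.join_user, attempt.domain = nj.group("user"), nj.group("domain")
        elif msg.startswith("! ") or msg.startswith("Failed to join"):
            attempt.errors.append(msg.lstrip("! "))
    return attempt

def classify(attempt: JoinAttempt) -> str:
    # Map a parsed attempt to the thing an admin has to fix
    if any("administrator privileges" in e or "Insufficient permissions" in e for e in attempt.errors):
        return "insufficient_privileges"   # needs a delegated join account, not a firewall change
    if not attempt.discovered:
        return "discovery_failed"          # DNS SRV / LDAP reachability, i.e. the firewall side
    return "error" if attempt.errors else "joined"
```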
