Sumit, IT has decided they won't let the Linux server join their domain.

They offered another service/API for UID/GID lookup. Is there another way SSSD can do ID mapping and maybe consume this other service for UID/GID? Every employee has a unique UID/GID in that service.

On Wed, Jan 16, 2019 at 2:21 AM Sumit Bose <[email protected]> wrote:
> On Tue, Jan 15, 2019 at 02:19:33PM -0500, [email protected] wrote:
> > On Sat, Jan 12, 2019 at 12:22 PM John Hearns <[email protected]> wrote:
> > > Emmm.. Do you need the AD Administrator password? Why?
> >
> > I do not need that. I know that.
> >
> > > If you need to join a Linux system to the AD domain you can ask the AD
> > > administrator to do this.
> > > Or you can have a service account set up on AD which has the permissions
> > > to join to the domain.
> >
> > Right, that is what Sumit suggested as well.
> >
> > # realm join -U vadud3 ad.example.net
> > Password for vadud3:
> > See: journalctl REALMD_OPERATION=r10925.4111
> > realm: Couldn't join realm: Insufficient permissions to join the domain ad.example.net
> >
> > # journalctl REALMD_OPERATION=r10925.4111
> > -- Logs begin at Tue 2019-01-15 08:11:19 PST, end at Tue 2019-01-15 11:14:40 PST. --
> > Jan 15 11:13:24 centos7 realmd[4114]:  * Resolving: _ldap._tcp.ad.example.net
> > Jan 15 11:13:24 centos7 realmd[4114]:  * Performing LDAP DSE lookup on: 192.168.1.51
> > Jan 15 11:13:25 centos7 realmd[4114]:  * Successfully discovered: ad.example.net
> > Jan 15 11:13:30 centos7 realmd[4114]:  * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
> > Jan 15 11:13:30 centos7 realmd[4114]:  * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.CDOLVZ -U vadud3 ads join ad.example.net
> > Jan 15 11:13:39 centos7 realmd[4114]: Enter vadud3's password:
> > Jan 15 11:13:39 centos7 realmd[4114]: Failed to join domain: User specified does not have administrator privileges
> > Jan 15 11:13:39 centos7 realmd[4114]:  ! Insufficient permissions to join the domain ad.example.net
> >
> > So yes, I will need an account with sufficient privilege to join AD.
> >
> > Is there a way to talk to AD over a proxy? For our environment that will
> > reduce the number of firewall update requests.
>
> I think you typically use read-only domain controllers (RODC) in a
> network segment where the clients are for this.
>
> HTH
>
> bye,
> Sumit
>
> > > On Fri, 11 Jan 2019 at 16:03, <[email protected]> wrote:
> > >> On Fri, Jan 11, 2019 at 6:50 AM Sumit Bose <[email protected]> wrote:
> > >>> On Wed, Jan 09, 2019 at 12:47:34PM -0500, [email protected] wrote:
> > >>> > Looking for a suggestion on ID mapping.
> > >>> >
> > >>> > I need to point to an ID provider over a proxy.
> > >>> >
> > >>> > I have not found a concrete solution or some hint about how to set up a
> > >>> > proxy to an ID provider and how sssd can point to that proxy for ID mapping.
> > >>>
> > >>> Can you rephrase your question? 'ID provider over proxy' sounds like you
> > >>> want some more details about SSSD's proxy provider as described in the
> > >>> sssd.conf man page. But this is unrelated to what I associate typically
> > >>> with 'ID mapping'. Please give a bit more details about what you are
> > >>> trying to achieve.
> > >>
> > >> I am looking for an ID mapping solution. I do see the following providers.
> > >>
> > >>   "proxy": Support a legacy NSS provider.
> > >>   "local": SSSD internal provider for local users (DEPRECATED).
> > >>   "files": FILES provider. See sssd-files(5) for more information on how to mirror local users and groups into SSSD.
> > >>   "ldap":  LDAP provider. See sssd-ldap(5) for more information on configuring LDAP.
> > >>   "ipa":   FreeIPA and Red Hat Enterprise Identity Management provider. See sssd-ipa(5) for more information on configuring FreeIPA.
> > >>   "ad":    Active Directory provider. See sssd-ad(5) for more information on configuring Active Directory.
> > >>
> > >> I am looking for a suggestion.
> > >>   ad    - won't work as we will not be provided the Administrator password
> > >>   ldap  - won't work as IT says not to use LDAP and to use Kerberos instead for all things UNIX auth,
> > >>           and to use /etc/passwd for id (yikes, we have 100s of servers to manage)
> > >>   files - I am not sure how to have a central files for all accounts
> > >>   local - seems deprecated
> > >>   proxy - I am not sure how to set that up, but seems like easier for a central ID provider?
> > >>
> > >> Please advise
> > >>
> > >>> bye,
> > >>> Sumit
> > >>>
> > >>> > All my servers are CentOS 7.
> > >>> >
> > >>> > --
> > >>> > Asif Iqbal
> > >>> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > >>> > A: Because it messes up the order in which people normally read text.
> > >>> > Q: Why is top-posting such a bad thing?

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
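The question at the top of the thread is how SSSD's proxy provider (listed above as "Support a legacy NSS provider") could consume IT's UID/GID lookup service. The proxy provider does not speak to a service itself: it loads a glibc NSS module named by proxy_lib_name in the domain section (proxy_lib_name = corpids makes SSSD load libnss_corpids.so.2), and calls the module's _nss_<name>_getpw*_r functions the same way glibc would for an entry in nsswitch.conf; auth_provider = krb5 then covers the Kerberos-only authentication IT asked for. Below is an added example of such a module, written for this page and not taken from the thread or from the SSSD project. The module name "corpids", the record shape, the UID range and the sample users are assumptions, and an in-memory table labelled as constructed stands in for the HTTP/API call to the real service. Group lookups (_nss_corpids_getgrnam_r and friends) follow the same pattern and are omitted.

```c
/*
 * Added example, not from the sssd-users thread or the SSSD project: a
 * minimal glibc NSS module that SSSD's proxy provider (proxy_lib_name =
 * corpids) loads to resolve UID/GID from a custom identity service.
 * The module name "corpids" and the record shape are assumptions.
 *
 * Build:  gcc -shared -fPIC -o libnss_corpids.so.2 nss_corpids.c
 * SSSD (like glibc) then calls _nss_corpids_getpwnam_r / _getpwuid_r.
 */
#include <errno.h>
#include <nss.h>        /* enum nss_status (glibc) */
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Record shape returned by the (assumed) IT UID/GID lookup service. */
struct corp_user {
    const char *name;
    uid_t uid;
    gid_t gid;
    const char *gecos;
};

/* Constructed sample data standing in for the remote API call; a real
 * module would query the service here, with a timeout.  "svc-bad" shows
 * a record the service should never hand out (uid 0). */
static const struct corp_user corp_users[] = {
    { "vadud3",  20001, 20001, "Asif Iqbal" },
    { "jhearns", 20002, 20001, "John Hearns" },
    { "svc-bad",     0,     0, "Misconfigured service record" },
};
static const size_t corp_users_n = sizeof corp_users / sizeof corp_users[0];

/* Trust only IDs inside the range IT allocates to employees, so a buggy or
 * compromised service cannot hand out uid 0 or collide with system users. */
#define CORP_UID_MIN 20000u
#define CORP_UID_MAX 29999u

/* Append s (with its NUL) at *p and return where the copy starts. */
static char *put_str(char **p, const char *s)
{
    char *start = *p;
    size_t len = strlen(s) + 1;
    memcpy(start, s, len);
    *p += len;
    return start;
}

/* Copy a record into the caller's buffer, as the NSS ABI requires. */
static enum nss_status fill_passwd(const struct corp_user *u, struct passwd *pwd,
                                   char *buf, size_t buflen, int *errnop)
{
    char home[64];
    const char *shell = "/bin/bash";
    int n;

    if (u->uid < CORP_UID_MIN || u->uid > CORP_UID_MAX) {
        *errnop = ENOENT;           /* out-of-policy: treat as non-existent */
        return NSS_STATUS_NOTFOUND;
    }
    n = snprintf(home, sizeof home, "/home/%s", u->name);
    if (n < 0 || (size_t)n >= sizeof home) {
        *errnop = ENOENT;
        return NSS_STATUS_NOTFOUND;
    }
    /* name, "*", gecos, home, shell, each NUL-terminated (+6 bytes total) */
    if (strlen(u->name) + strlen(u->gecos) + (size_t)n + strlen(shell) + 6 > buflen) {
        *errnop = ERANGE;           /* caller retries with a bigger buffer */
        return NSS_STATUS_TRYAGAIN;
    }

    memset(pwd, 0, sizeof *pwd);
    char *p = buf;
    pwd->pw_name   = put_str(&p, u->name);
    pwd->pw_passwd = put_str(&p, "*");   /* auth is Kerberos, never via this module */
    pwd->pw_uid    = u->uid;
    pwd->pw_gid    = u->gid;
    pwd->pw_gecos  = put_str(&p, u->gecos);
    pwd->pw_dir    = put_str(&p, home);
    pwd->pw_shell  = put_str(&p, shell);
    return NSS_STATUS_SUCCESS;
}

enum nss_status _nss_corpids_getpwnam_r(const char *name, struct passwd *pwd,
                                        char *buf, size_t buflen, int *errnop)
{
    for (size_t i = 0; i < corp_users_n; i++)
        if (strcmp(corp_users[i].name, name) == 0)
            return fill_passwd(&corp_users[i], pwd, buf, buflen, errnop);
    *errnop = ENOENT;
    return NSS_STATUS_NOTFOUND;
}

enum nss_status _nss_corpids_getpwuid_r(uid_t uid, struct passwd *pwd,
                                        char *buf, size_t buflen, int *errnop)
{
    for (size_t i = 0; i < corp_users_n; i++)
        if (corp_users[i].uid == uid)
            return fill_passwd(&corp_users[i], pwd, buf, buflen, errnop);
    *errnop = ENOENT;
    return NSS_STATUS_NOTFOUND;
}

/* Stand-alone check without loading through glibc: uid for name, -1 if not
 * found or refused by policy, -2 if buflen was too small (ERANGE). */
long corpids_lookup_uid(const char *name, size_t buflen)
{
    struct passwd pw;
    char buf[256];
    int err = 0;

    if (buflen > sizeof buf)
        buflen = sizeof buf;
    switch (_nss_corpids_getpwnam_r(name, &pw, buf, buflen, &err)) {
    case NSS_STATUS_SUCCESS:  return (long)pw.pw_uid;
    case NSS_STATUS_TRYAGAIN: return err == ERANGE ? -2 : -3;
    default:                  return -1;
    }
}
```

Two details matter for SSSD specifically. The module must honour the ERANGE/NSS_STATUS_TRYAGAIN contract, because SSSD's proxy back end grows its buffer and calls again; returning success with a truncated record would corrupt the cached entry. And the UID range check is where the trust boundary sits: with this design the remote service, not AD, decides who uid 20001 is, so the module should refuse anything outside the range IT is authoritative for rather than pass it through.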
