On Wed, Jan 23, 2019 at 03:21:04PM -0500, [email protected] wrote:
> Sumit,
>
> IT decided they won't let Linux servers join their domain.
>
> They offered another service/API for UID/GID lookup.
>
> Is there another way SSSD can do ID mapping and maybe consume this other
> service for UID/GID? Every employee has a unique UID/GID in that service.

What kind of service/API is it?

bye,
Sumit

> On Wed, Jan 16, 2019 at 2:21 AM Sumit Bose <[email protected]> wrote:
>
>> On Tue, Jan 15, 2019 at 02:19:33PM -0500, [email protected] wrote:
>>> On Sat, Jan 12, 2019 at 12:22 PM John Hearns <[email protected]> wrote:
>>>
>>>> Emmm.. Do you need the AD Administrator password? Why?
>>>
>>> I do not need that. I know that.
>>>
>>>> If you need to join a Linux system to the AD domain you can ask the AD
>>>> administrator to do this.
>>>> Or you can have a service account set up on AD which has the permissions
>>>> to join to the domain.
>>>
>>> Right, that is what Sumit suggested as well.
>>>
>>> # realm join -U vadud3 ad.example.net
>>> Password for vadud3:
>>> See: journalctl REALMD_OPERATION=r10925.4111
>>> realm: Couldn't join realm: Insufficient permissions to join the domain ad.example.net
>>>
>>> # journalctl REALMD_OPERATION=r10925.4111
>>> -- Logs begin at Tue 2019-01-15 08:11:19 PST, end at Tue 2019-01-15 11:14:40 PST. --
>>> Jan 15 11:13:24 centos7 realmd[4114]: * Resolving: _ldap._tcp.ad.example.net
>>> Jan 15 11:13:24 centos7 realmd[4114]: * Performing LDAP DSE lookup on: 192.168.1.51
>>> Jan 15 11:13:25 centos7 realmd[4114]: * Successfully discovered: ad.example.net
>>> Jan 15 11:13:30 centos7 realmd[4114]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
>>> Jan 15 11:13:30 centos7 realmd[4114]: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.CDOLVZ -U vadud3 ads join ad.example.net
>>> Jan 15 11:13:39 centos7 realmd[4114]: Enter vadud3's password:
>>> Jan 15 11:13:39 centos7 realmd[4114]: Failed to join domain: User specified does not have administrator privileges
>>> Jan 15 11:13:39 centos7 realmd[4114]:  ! Insufficient permissions to join the domain ad.example.net
>>>
>>> So yes, I will need an account with sufficient privilege to join AD.
>>>
>>> Is there a way to talk to AD over a proxy? For our environment that will
>>> reduce the number of firewall update requests.
>>
>> I think you typically use read-only domain controllers (RODC) in a
>> network segment where the clients are for this.
>>
>> HTH
>>
>> bye,
>> Sumit
>>
>>>> On Fri, 11 Jan 2019 at 16:03, <[email protected]> wrote:
>>>>
>>>>> On Fri, Jan 11, 2019 at 6:50 AM Sumit Bose <[email protected]> wrote:
>>>>>
>>>>>> On Wed, Jan 09, 2019 at 12:47:34PM -0500, [email protected] wrote:
>>>>>>> Looking for suggestion on ID mapping.
>>>>>>>
>>>>>>> I need to point to an ID provider over proxy.
>>>>>>>
>>>>>>> I have not found a concrete solution or some hint about how to set up a
>>>>>>> proxy to an ID provider and how sssd can point to that proxy for ID mapping.
>>>>>>
>>>>>> Can you rephrase your question? 'ID provider over proxy' sounds like you
>>>>>> want some more details about SSSD's proxy provider as described in the
>>>>>> sssd.conf man page. But this is unrelated to what I typically associate
>>>>>> with 'ID mapping'. Please give a bit more details about what you are
>>>>>> trying to achieve.
>>>>>
>>>>> I am looking for an ID mapping solution. I do see the following providers.
>>>>>
>>>>> "proxy": Support a legacy NSS provider.
>>>>> "local": SSSD internal provider for local users (DEPRECATED).
>>>>> "files": FILES provider. See sssd-files(5) for more information on how to mirror local users and groups into SSSD.
>>>>> "ldap": LDAP provider. See sssd-ldap(5) for more information on configuring LDAP.
>>>>> "ipa": FreeIPA and Red Hat Enterprise Identity Management provider. See sssd-ipa(5) for more information on configuring FreeIPA.
>>>>> "ad": Active Directory provider. See sssd-ad(5) for more information on configuring Active Directory.
>>>>>
>>>>> I am looking for a suggestion.
>>>>> ad    - won't work as we will not be provided the Administrator password
>>>>> ldap  - won't work as IT says not to use LDAP and use kerberos instead for all things UNIX auth,
>>>>>         and to use /etc/passwd for id (yikes, we have 100s of servers to manage)
>>>>> files - I am not sure how to have central files for all accounts
>>>>> local - seems deprecated
>>>>> proxy - I am not sure how to set that up, but seems easier for a central ID provider?
>>>>>
>>>>> Please advise
>>>>>
>>>>>> bye,
>>>>>> Sumit
>>>>>>
>>>>>>> All my servers are CentOS 7.
>>>>>>>
>>>>>>> --
>>>>>>> Asif Iqbal
>>>>>>> PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
>>>>>>> A: Because it messes up the order in which people normally read text.
>>>>>>> Q: Why is top-posting such a bad thing?
>>>>>>> _______________________________________________
>>>>>>> sssd-users mailing list -- [email protected]
>>>>>>> To unsubscribe send an email to [email protected]
>>>>>>> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
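As an added example, not taken from anyone in this thread, here is the shape of an sssd.conf domain that uses the proxy provider listed above: SSSD loads an existing NSS module `libnss_<proxy_lib_name>.so` for identity and uses Kerberos for authentication, so no LDAP and no domain join are involved. The module name `corpids`, the realm and the KDC hostname are placeholders; the proxy provider performs no ID mapping of its own and simply uses whatever UID/GID the module returns.

```ini
# /etc/sssd/sssd.conf  (mode 0600, owned by root)
# Added example, not part of the thread. The proxy id_provider wraps an
# NSS module: SSSD dlopen()s libnss_<proxy_lib_name>.so and calls its
# _nss_<name>_getpwnam_r and friends. The UID/GID that module returns is
# used unchanged, so the backing service must hand out stable, unique IDs
# (the thread states every employee already has one).

[sssd]
services = nss, pam
domains = corp

[domain/corp]
# Identity from a hypothetical module libnss_corpids.so that talks to the
# lookup service IT offered. Any installed module ("files", "nis", ...)
# can be named here instead.
id_provider = proxy
proxy_lib_name = corpids

# Authentication straight against the Kerberos realm; the realm and KDC
# below are placeholders. No AD join, no LDAP bind.
auth_provider = krb5
krb5_realm = EXAMPLE.NET
krb5_server = kdc.example.net
cache_credentials = true

# Keep the domain's IDs out of the local system-account range so clashes
# with /etc/passwd entries are visible rather than silent.
min_id = 1000
```

Run `sssctl config-check` after editing and compare `getent passwd <user>` with the local file before enabling the domain on the fleet.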
