On Thu, Jan 24, 2019 at 2:15 AM Sumit Bose <[email protected]> wrote:

> On Wed, Jan 23, 2019 at 03:21:04PM -0500, [email protected] wrote:
> > Sumit,
> >
> > IT decides they won't let Linux server to join their domain.
> >
> > They offered another service/API for UID/GID lookup.
> >
> > Is there another way SSSD can do ID mapping and maybe consume this other
> > service for UID/GID? Every employee has a unique UID/GID in that service.
>
> What kind of service/API is it?
>

I am still waiting for an answer from IT. But I went to their resource and did a lookup over browser for a cuid and it gave me back a table with a unique UID and GID. If I can consume that through an API and query username and get UID/GID, is there a way SSSD can make the same call to generate UID/GID for linux?

>
> bye,
> Sumit
>
> >
> > On Wed, Jan 16, 2019 at 2:21 AM Sumit Bose <[email protected]> wrote:
> >
> > > On Tue, Jan 15, 2019 at 02:19:33PM -0500, [email protected] wrote:
> > > > On Sat, Jan 12, 2019 at 12:22 PM John Hearns <[email protected]> wrote:
> > > >
> > > > > Emmm.. Do you need the AD Administrator password? Why?
> > > > >
> > > >
> > > > I do not need that. I know that.
> > > >
> > > > >
> > > > > If you need to join a Linux system to the AD domain you can ask the AD
> > > > > administrator to do this.
> > > > > Or you can have a service account set up on AD which has the permissions
> > > > > to join to the domain.
> > > > >
> > > >
> > > > Right, that is what Sumit suggested as well
> > > >
> > > > # realm join -U vadud3 ad.example.net
> > > > Password for vadud3:
> > > > See: journalctl REALMD_OPERATION=r10925.4111
> > > > realm: Couldn't join realm: Insufficient permissions to join the domain ad.example.net
> > > >
> > > > # journalctl REALMD_OPERATION=r10925.4111
> > > > -- Logs begin at Tue 2019-01-15 08:11:19 PST, end at Tue 2019-01-15 11:14:40 PST. --
> > > > Jan 15 11:13:24 centos7 realmd[4114]: * Resolving: _ldap._tcp.ad.example.net
> > > > Jan 15 11:13:24 centos7 realmd[4114]: * Performing LDAP DSE lookup on: 192.168.1.51
> > > > Jan 15 11:13:25 centos7 realmd[4114]: * Successfully discovered: ad.example.net
> > > > Jan 15 11:13:30 centos7 realmd[4114]: * Required files: /usr/sbin/oddjobd, /usr/libexec/oddjob/mkhomedir, /usr/sbin/sssd, /usr/bin/net
> > > > Jan 15 11:13:30 centos7 realmd[4114]: * LANG=C LOGNAME=root /usr/bin/net -s /var/cache/realmd/realmd-smb-conf.CDOLVZ -U vadud3 ads join ad.example.net
> > > > Jan 15 11:13:39 centos7 realmd[4114]: Enter vadud3's password:
> > > > Jan 15 11:13:39 centos7 realmd[4114]: Failed to join domain: User specified does not have administrator privileges
> > > > Jan 15 11:13:39 centos7 realmd[4114]: ! Insufficient permissions to join the domain ad.example.net
> > > >
> > > > So yes I will need an account with sufficient privilege to join AD
> > > >
> > > > Is there a way to talk to AD over a proxy? For our environment that will
> > > > reduce the number of firewall update requests.
> > >
> > > I think you typically use read-only domain controllers (RODC) in a
> > > network segment where the clients are for this.
> > >
> > > HTH
> > >
> > > bye,
> > > Sumit
> > >
> > > >
> > > > > On Fri, 11 Jan 2019 at 16:03, <[email protected]> wrote:
> > > > >
> > > > >> On Fri, Jan 11, 2019 at 6:50 AM Sumit Bose <[email protected]> wrote:
> > > > >>
> > > > >>> On Wed, Jan 09, 2019 at 12:47:34PM -0500, [email protected] wrote:
> > > > >>> > Looking for suggestion on ID mapping.
> > > > >>> >
> > > > >>> > I need to point to an ID provider over proxy
> > > > >>> >
> > > > >>> > I have not found a concrete solution or some hint about how to set up a
> > > > >>> > proxy to an ID provider and how sssd can point to that proxy for ID mapping.
> > > > >>>
> > > > >>> Can you rephrase your question? 'ID provider over proxy' sounds like you
> > > > >>> want some more details about SSSD's proxy provider as described in the
> > > > >>> sssd.conf man page. But this is unrelated to what I associate typically
> > > > >>> with 'ID mapping'. Please give a bit more details about what you are
> > > > >>> trying to achieve.
> > > > >>>
> > > > >> I am looking for an ID mapping solution. I do see the following providers.
> > > > >>
> > > > >> “proxy”: Support a legacy NSS provider.
> > > > >> “local”: SSSD internal provider for local users (DEPRECATED).
> > > > >> “files”: FILES provider. See sssd-files(5) for more information on how to mirror local users and groups into SSSD.
> > > > >> “ldap”: LDAP provider. See sssd-ldap(5) for more information on configuring LDAP.
> > > > >> “ipa”: FreeIPA and Red Hat Enterprise Identity Management provider. See sssd-ipa(5) for more information on configuring FreeIPA.
> > > > >> “ad”: Active Directory provider. See sssd-ad(5) for more information on configuring Active Directory.
> > > > >>
> > > > >> I am looking for a suggestion.
> > > > >> ad - won't work as we will not be provided Administrator password
> > > > >> ldap - won't work as IT says not to use LDAP and use kerberos instead for all things UNIX auth
> > > > >>        and to use /etc/passwd for id (yikes, we have 100s of servers to manage)
> > > > >> files - I am not sure how to have a central files for all accounts
> > > > >> local - seems deprecated
> > > > >> proxy - I am not sure how to set that up, but seems like easier for a central ID provider?
> > > > >>
> > > > >> Please advise
> > > > >>
> > > > >>> bye,
> > > > >>> Sumit
> > > > >>>
> > > > >>> > All my servers are CentOS 7.
> > > > >>> >
> > > > >>> > --
> > > > >>> > Asif Iqbal
> > > > >>> > PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
> > > > >>> > A: Because it messes up the order in which people normally read text.
> > > > >>> > Q: Why is top-posting such a bad thing?
> > > > >>> >
> > > > >>> > _______________________________________________
> > > > >>> > sssd-users mailing list -- [email protected]
> > > > >>> > To unsubscribe send an email to [email protected]
> > > > >>> > Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> > > > >>> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > > > >>> > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]

--
Asif Iqbal
PGP Key: 0xE62693C5 KeyServer: pgp.mit.edu
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
