[ale] [EXTERNAL] Re: Any AD + SSSD expertise?

Jim Kinney jkinney at jimkinney.us
Thu Aug 31 22:45:28 EDT 2023


Each user has a user private group. But for reasons based on antiquated methods, users are reassigned a primary group based on job function. So new users have to get their primary group changed. 

Again, due to antiquated methods, all groups are POSIX groups and nothing is organized in IdM using native groups for ease of management.

This is an entirely Linux setup. At a prior project, there was openldap that referred up to AD for passwords but groups were local to the ldap. I was lucky to not have to mess with that giant pile of custom hand-waving that crashed weekly. The full IPA setup with a kerberized cluster management was independent of AD on a separate cluster. That was mine.

On August 31, 2023 3:06:04 PM EDT, Allen Beddingfield via Ale <ale at ale.org> wrote:
>How do you handle the primary group issue?  Are you just letting the primary group of the user show up as "Domain Users", or were you able to find a way around that?
>Thanks.
>Allen B.
>
>--
>Allen Beddingfield
>Systems Engineer
>Office of Information Technology
>The University of Alabama
>Office 205-348-2251
>allen at ua.edu
>
>________________________________________
>From: Ale <ale-bounces at ale.org> on behalf of Jim Kinney via Ale <ale at ale.org>
>Sent: Thursday, August 31, 2023 2:04 PM
>To: Atlanta Linux Enthusiasts; Chuck Payne via Ale
>Cc: Jim Kinney
>Subject: [EXTERNAL] Re: [ale] Any AD + SSSD expertise?
>
>Um. Yeah, you can use sssd on SUSE. It ships with it, as that's how SLES systems connect to AD. You can't run IdM or FreeIPA on SUSE. But a SUSE system can be a client. Had to do a painful pile of manual work to get keytabs in place for sssd user lookup, but, yeah, I've got a pile of SUSE clients authenticating user activity with sssd connecting to multiple IdM servers.
>
>
>On August 31, 2023 2:04:36 PM EDT, Chuck Payne via Ale <ale at ale.org> wrote:
>As an IDM Admin, you can't use SSSD with SuSE. You are better off using BeyondTrust AD Bridge.
>
>On Thu, Aug 31, 2023 at 1:59 PM Allen Beddingfield via Ale <ale at ale.org> wrote:
>So, we currently have our Linux systems using an old 389 Directory for authentication, and have to switch to AD authentication to retire that system.  I don't have any say in that matter, so authenticating to AD is the mandated solution that I have to get working.  Most of these systems are SUSE Linux Enterprise 15, with a few 12.x systems.
>I got the old sssd.conf and nsswitch.conf working for LDAP 10+ years ago, and really just haven't looked at it since, as it has worked without any issue.  I'm not wanting to go through the process of adding everything to AD, doing kerberos, etc....  so this will be SSSD using AD as an LDAP source for authentication.  I've got that part working well.  However, I've got one annoyance.  With the LDAP setup, the users would just kind of look like local users, in that their primary group would be the local "users" group.  (This is SUSE, so all users get the same primary group of "users", instead of an individual group that corresponds to their username).
>However, when configured against AD, the users' primary group is "Domain Users".  I'm trying to find some way to either duplicate the old behavior, or at least have "Domain Users" be something like "adusers" without the capital letters and space.  I saw a suggestion for functionality to implement the Red Hat style individual user groups, but that isn't really what I'm trying to accomplish.
>
>Anyone ever done this, or have any idea how to accomplish something like this?
>I asked ChatGPT, and it suggested some parameters for the config file that I think it just made up, haha.
>Allen B.
>
>--
>Allen Beddingfield
>Systems Engineer
>Office of Information Technology
>The University of Alabama
>Office 205-348-2251
>allen at ua.edu
>_______________________________________________
>Ale mailing list
>Ale at ale.org
>https://mail.ale.org/mailman/listinfo/ale
>See JOBS, ANNOUNCE and SCHOOLS lists at
>http://mail.ale.org/mailman/listinfo
>
>
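The primary-group problem Allen describes above (AD users showing up with "Domain Users" as their primary group when SSSD uses AD as a plain LDAP source) is usually handled with SSSD's `override_gid` domain option, which forces one primary GID on every user in that domain. The fragment below is an added example written for this thread, not a config posted by anyone in it. The domain name, the DC hostname, the bind DN, the CA certificate path and the placeholder bind password are all hypothetical; GID 100 is assumed to be the local SUSE "users" group, which is what Allen's old 389-based setup effectively gave him.

```ini
# /etc/sssd/sssd.conf (added example; names below are hypothetical)
# Keep this file mode 0600, owner root, because it carries a bind password.
[sssd]
config_file_version = 2
services = nss, pam
domains = ad.example.com

[domain/ad.example.com]
# Plain LDAP against AD, no Kerberos or domain join, as in the original post.
id_provider = ldap
auth_provider = ldap
ldap_schema = ad
ldap_uri = ldaps://dc1.ad.example.com
ldap_search_base = dc=ad,dc=example,dc=com
# Validate the DC certificate; never fall back to plain ldap:// since the
# user's password crosses the wire on every PAM authentication.
ldap_tls_cacert = /etc/pki/trust/anchors/ad-root-ca.crt
ldap_tls_reqcert = demand
# Low-privilege read-only service account for lookups.
ldap_default_bind_dn = cn=sssd-bind,ou=Service Accounts,dc=ad,dc=example,dc=com
ldap_default_authtok_type = password
ldap_default_authtok = <bind-password>
# Derive POSIX UIDs/GIDs from the AD SIDs instead of requiring uidNumber/gidNumber.
ldap_id_mapping = True
# The fix for the "Domain Users" primary group: every user in this domain gets
# primary GID 100 (SUSE's local "users" group) regardless of primaryGroupID in AD.
override_gid = 100
# Optional, keeps logins looking like local users the way the old LDAP setup did.
override_shell = /bin/bash
fallback_homedir = /home/%u
cache_credentials = True
```

After editing, run `sss_cache -E` and restart sssd, then check with `id someaduser`: the `gid=` field should now read `100(users)`, with the AD groups still listed as supplementary groups. Note that `override_gid` applies to the whole domain, so the GID must resolve through `/etc/group` (or another NSS source) on every client, and it does nothing to hide "Domain Users" from the user's group list. If the goal is instead to keep the AD group as primary but give it a POSIX-friendly name, `sss_override group-add "Domain Users" -n adusers` creates a local view override (see sss_override(8); overrides take effect after an sssd restart), which keeps the GID mapping intact and only changes the displayed name.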