[prev in list] [next in list] [prev in thread] [next in thread] 

List:       sssd-users
Subject:    =?utf-8?q?=5BSSSD-users=5D?= Re: RFC2307bis and partially configured Active Directory Domains
From:       John Beranek <john () redux ! org ! uk>
Date:       2017-02-19 13:38:35
Message-ID: CAHfGhcKWxgE9oYrNmbw7nyA1j4sAQfPJ9yF+LuYVYLKsqhD=Cw () mail ! gmail ! com
[Download RAW message or body]

On 9 February 2017 at 19:06,  <smfrench@gmail.com> wrote:
> One of the more common cases for sssd (or winbind) with RFC2307 seems to be getting \
> uids/gids from Active Directory domains, but few Active Directories have all of \
> their users/groups configured for the POSIX uid/gid. 
> How can you configure sssd behavior for this common case (among the three behaviors \
> that might be desired): 
> 1) query AD for the Unix uid/gid and fail if that particular user is not configured \
> with a uid (this seems to be what sss always does and isn't really practical given \
> how unlikely that AD is configured perfectly for unix uids)

FWIW, my company found 1) pretty practical, as I wrote a pretty short
bit of Powershell which looks through AD for users and groups without
POSIX attributes, and sets them (UID/GID becomes the user's RID + a
static offset). This script runs every hour, and means all AD users
and groups have POSIX attributes.

Cheers,

John

-- 
John Beranek                         To generalise is to be an idiot.
http://redux.org.uk/                                 -- William Blake
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org


[prev in list] [next in list] [prev in thread] [next in thread]