[ale] Any AD + SSSD expertise?

Jeremy T. Bouse jeremy.bouse at undergrid.net
Thu Aug 31 14:04:22 EDT 2023


One initial question that might determine if it's going to be extremely
difficult is whether or not that old config was using the dynamic UID/GID
mapping based on the SID or whether you had added those to the user/group
DNs. We're in the process of moving systems as we rebuild the environment
to use SSSD and we're using AD but we're planning to have a subdomain for
the Linux systems to keep them separate from the Windows systems.

On Thu, Aug 31, 2023 at 1:59 PM Allen Beddingfield via Ale <ale at ale.org>
wrote:

> So, we currently have our Linux systems using an old 389 Directory for
> authentication, and have to switch to AD authentication to retire that
> system.  I don't have any say in that matter, so authenticating to AD is
> the mandated solution that I have to get working.  Most of these systems
> are SUSE Linux Enterprise 15, with a few 12.x systems.
> I got the old sssd.conf and nsswitch.conf working for LDAP 10+ years ago,
> and really just haven't looked at it since, as it has worked without any
> issue.  I'm not wanting to go through the process of adding everything to
> AD, doing Kerberos, etc., so this will be SSSD using AD as an LDAP
> source for authentication.  I've got that part working well.  However, I've
> got one annoyance.  With the LDAP setup, the users would just kind of look
> like local users, in that their primary group would be the local "users"
> group.  (This is SUSE, so all users get the same primary group of "users",
> instead of an individual group that corresponds to their username).
> However, when configured against AD, the users' primary group is "Domain
> Users".  I'm trying to find some way to either duplicate the old behavior,
> or at least have "Domain Users" be something like "adusers" without the
> capital letters and space.  I saw a suggestion for functionality to
> implement the Red Hat style individual user groups, but that isn't really
> what I'm trying to accomplish.
>
> Anyone ever done this, or have any idea how to accomplish something like
> this?
> I asked ChatGPT, and got suggested some parameters for the config file
> that I think it just made up haha
> Allen B.
>
> --
> Allen Beddingfield
> Systems Engineer
> Office of Information Technology
> The University of Alabama
> Office 205-348-2251
> allen at ua.edu


-- 

Jeremy T. Bouse

Sr. DevOps Engineer

321.525.3280

UnderGrid.net <https://undergrid.net/>
