Re: [SSSD] user and group precedence issue

2012-03-14 Thread Olivier
Thanks ! To summarize, I know now that I will definitely need to maintain a DIT branch in my ldap server as an additional source of reference for sysaccounts if I want to be able to include them in centralized posixgroups ... ... I have tried (-: Thanks for your time ! --- Olivier 2012/3/14 Si

Re: [SSSD] user and group precedence issue

2012-03-14 Thread Dmitri Pal
On 03/14/2012 06:27 PM, Simo Sorce wrote: > On Wed, 2012-03-14 at 18:00 -0400, Stephen Gallagher wrote: >> On Wed, 2012-03-14 at 16:36 -0400, Simo Sorce wrote: >>> On Wed, 2012-03-14 at 21:17 +0100, Olivier wrote: Ok, I see the logic now ( although I'm not completely convinced from a prac

Re: [SSSD] user and group precedence issue

2012-03-14 Thread Simo Sorce
On Wed, 2012-03-14 at 18:00 -0400, Stephen Gallagher wrote: > On Wed, 2012-03-14 at 16:36 -0400, Simo Sorce wrote: > > On Wed, 2012-03-14 at 21:17 +0100, Olivier wrote: > > > Ok, I see the logic now ( although I'm not completely > > > convinced from a practical point of view to be honest : > > > a

Re: [SSSD] user and group precedence issue

2012-03-14 Thread Stephen Gallagher
On Wed, 2012-03-14 at 16:36 -0400, Simo Sorce wrote: > On Wed, 2012-03-14 at 21:17 +0100, Olivier wrote: > > Ok, I see the logic now ( although I'm not completely > > convinced from a practical point of view to be honest : > > a user name could be defined somewhere else, in a > > referral ldap for

Re: [SSSD] user and group precedence issue

2012-03-14 Thread Simo Sorce
On Wed, 2012-03-14 at 21:17 +0100, Olivier wrote: > Ok, I see the logic now ( although I'm not completely > convinced from a practical point of view to be honest : > a user name could be defined somewhere else, in a > referral ldap for example. In that case, should it be an > overall group consiste

[SSSD] user and group precedence issue

2012-03-14 Thread Olivier
> (without the n :-) Ooops :) > sssd cares only about what exists in ldap to date. Ooops again > If you look at the ldap tree on its own you see an > "unknown" user name as member of a group. Ok, I see the logic now ( although I'm not completely convinced from a practical point of view to be h

Re: [SSSD] user and group precedence issue

2012-03-14 Thread Simo Sorce
On Wed, 2012-03-14 at 19:51 +0100, Olivier wrote: > Simon, (without the n :-) > that's where I don't catch ( sorry) : > > > You are asking it to know about "unknown" users > > If you say in nsswitch.conf : > > passwd: local sss > group: sss local > > Then sss should know about users that are

Re: [SSSD] user and group precedence issue

2012-03-14 Thread Olivier
Simon, that's where I don't catch ( sorry) : > You are asking it to know about "unknown" users If you say in nsswitch.conf : passwd: local sss group: sss local Then sss should know about users that are in local /etc/passwd and may retrieve their groups in ldap ? Why would that be inconsistent

Re: [SSSD] [PATCH] LDAP: Add AD 2008r2 schema

2012-03-14 Thread Stephen Gallagher
On Wed, 2012-03-14 at 10:42 +0100, Jan Zelený wrote: > > On Tue, 2012-03-13 at 16:21 +0100, Jan Zelený wrote: > > > > Fixes https://fedorahosted.org/sssd/ticket/1031 > > > > > > > > This patch creates a set of schema defaults that corresponds to Active > > > > Directory 2008r2. It can be set up si

Re: [SSSD] user and group precedence issue

2012-03-14 Thread Simo Sorce
On Wed, 2012-03-14 at 17:13 +0100, Olivier wrote: > Thanks Simon, > > that's what I will do as a first approx I think, > however I'm not sure that this will meet my > need : > > 1- there are some sysaccounts that I need on >certain machines (linked for example to specific >applications ins

[SSSD] user and group precedence issue

2012-03-14 Thread Olivier
Sorry for multiple posts : https://fedorahosted.org/sssd/ticket/1020#comment:9 Hope that will help --- Olivier 2012/3/14 Olivier : > Thanks Stephen, ___ sssd-devel mailing list sssd-devel@lists.fedorahosted.org https://fedorahosted.org/mailman/listinf

Re: [SSSD] user and group precedence issue

2012-03-14 Thread Olivier
Thanks Simon, that's what I will do as a first approx I think, however I'm not sure that this will meet my need : 1- there are some sysaccounts that I need on certain machines (linked for example to specific applications installed on them) that I wouldn't like to be accessible or even vis

Re: [SSSD] user and group precedence issue

2012-03-14 Thread Olivier Guillard
https://fedorahosted.org/sssd/ticket/1020#comment:9 Hope that will help --- Olivier 2012/3/14 Olivier : > Thanks Stephen,

Re: [SSSD] user and group precedence issue

2012-03-14 Thread Simo Sorce
On Wed, 2012-03-14 at 14:35 +0100, Olivier wrote: > Thanks Stephen, > > > https://fedorahosted.org/sssd/ticket/1020 > > May I add an additional information to the description, > this is a test that I have done and that may help to deal > with this ticket : > > If user entry is locally configured

Re: [SSSD] user and group precedence issue

2012-03-14 Thread Stephen Gallagher
On Wed, 2012-03-14 at 14:35 +0100, Olivier wrote: > Thanks Stephen, > > > https://fedorahosted.org/sssd/ticket/1020 > > May I add an additional information to the description, Please add this information to the ticket. You can create an account at https://admin.fedoraproject.org/accounts for fre

Re: [SSSD] user and group precedence issue

2012-03-14 Thread Olivier
Thanks Stephen, > https://fedorahosted.org/sssd/ticket/1020 May I add an additional information to the description, this is a test that I have done and that may help to deal with this ticket : If user entry is locally configured /etc/passwd with an ldap posixgroup reference its primary group, t

Re: [SSSD] user and group precedence issue

2012-03-14 Thread Stephen Gallagher
On Wed, 2012-03-14 at 13:55 +0100, Olivier wrote: > Hello, > > I have configured redhat (6 and 5) boxes to authenticate users > over an openldap server via sssd. I have implemented a policy > so that "Systems" accounts ( uid > 500 ) are not in ldap but > authenticated over local password db. > > My

[SSSD] SSSD Crypto Support

2012-03-14 Thread Stephen Gallagher
SSSD is designed to have support for multiple cryptography libraries. Originally we built in support for both Mozilla NSS and libcrypto. However, over the last several releases, libcrypto support has fallen by the wayside and there is now a notable feature disparity between versions of SSSD built a

[SSSD] user and group precedence issue

2012-03-14 Thread Olivier
Hello, I have configured redhat (6 and 5) boxes to authenticate users over an openldap server via sssd. I have implemented a policy so that "Systems" accounts ( uid > 500 ) are not in ldap but authenticated over local password db. My ldap directory also contains posixgroups that I use to tune some

[SSSD] [PATCHES] SSH: Do reverse DNS lookup of host addresses

2012-03-14 Thread Jan Cholasta
Hi, the attached patches fix and also do some refactoring: [PATCH 1/2] SSH: Allow clients to explicitly specify host alias This change removes the need to canonicalize host names on the responder side - the relevant code was removed. [PATCH 2/2]

Re: [SSSD] [PATCH] LDAP: Add AD 2008r2 schema

2012-03-14 Thread Jan Zelený
> On Tue, 2012-03-13 at 16:21 +0100, Jan Zelený wrote: > > > Fixes https://fedorahosted.org/sssd/ticket/1031 > > > > > > This patch creates a set of schema defaults that corresponds to Active > > > Directory 2008r2. It can be set up simply by specifying > > > ldap_schema = AD > > > > > > Operatio