> On 18 May 2018, at 18:46, James Ralston <rals...@pobox.com> wrote:
>
> We have a small development Active Directory domain where we have
> several RHEL7 hosts.
>
> We never extended our AD schema with the RFC2307 attributes
> (uidNumber, gidNumber, et al.). Instead, we just configured sssd
> with ldap_id_mapping = true. It works fantastically well!
>
> BUT: now we need to add several RHEL5 hosts to the domain.
>
> The problem is that the RHEL5 version of sssd is 1.5.1, which is too
> old to support ldap_id_mapping.
>
> We looked briefly at what would be required to backport a more recent
> version of sssd to RHEL5, and quickly abandoned that idea: we would
> have to update multiple core system libraries to more recent versions
> as well.
>
> But we don't want to have to manually manage all accounts on the RHEL5
> hosts. That would be extraordinarily tedious and error-prone.
>
> We've kicked around a few ideas:
>
> 1. Add the RFC2307 attributes to Active Directory. Set the
> (uidNumber, gidNumber) attributes by logging in to one of the RHEL7
> hosts and observing what values sssd has mapped.
>
> 2. On one of our RHEL7 hosts, create a list of passwd/group entries
> for users/groups we care about, and then distribute that list of
> users/groups to the RHEL5 hosts.
>
> We're leaning towards #1, because while it adds an additional step for
> user/group creations in AD, it keeps all account management in AD, and
> seems like the solution with the least amount of overhead. (Only a
> handful of people need to be able to log in to the RHEL5 systems, so we
> could probably get away with only creating the (uidNumber, gidNumber)
> attributes for the users/groups which need to be visible on those
> systems.)
>
> Does anyone have any other suggestions on how to wrangle both RHEL5
> and RHEL7 hosts with sssd?
Two other ideas:

- SSSD 1.15 should work on RHEL-5 (although I haven’t tried that in a long time) albeit with some functionality, including the sssd-ad provider configured out. What you could use though is the ldap id_provider with id-mapping manually enabled. You would have to set the domain SID manually at least.

- As long as you don’t care about the IDs being the same on RHEL-5 and RHEL-7 machines, maybe you could use winbind?

> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/QAAK6X43XM6O43R6PPUE4FYXX4AXTZTU/

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/sssd-users@lists.fedorahosted.org/message/A5MRYLHKLBQIOLL3HNQ7KF74VIRCNYYN/
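The following script is an added example, not code from either message in the thread or from the SSSD project. It carries out option 1 from the quoted post mechanically instead of by hand: it takes the uid/gid values that sssd has id-mapped on a RHEL7 host (in the colon-separated form `getent passwd` and `getent group` print), checks that those values are safe to reuse on the RHEL5 hosts, and emits LDIF that writes the same numbers into the RFC2307 `uidNumber`/`gidNumber` attributes of the matching AD objects. The account names, IDs, DNs (`DC=example,DC=com`), the name-to-DN map and the local-ID ceiling are all constructed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread or from the SSSD project. It works
# through option 1 of the original post: take the uid/gid values that sssd has
# id-mapped on a RHEL7 host (as printed by `getent passwd` / `getent group`)
# and emit LDIF that writes the same numbers into the RFC2307 uidNumber and
# gidNumber attributes of the matching AD objects.
#
# Everything below is a constructed sample. In real use, PASSWD_SAMPLE and
# GROUP_SAMPLE come from getent on the RHEL7 host and DN_MAP from an ldapsearch
# on sAMAccountName; the DNs, names and numbers here are placeholders
# (assumptions), not values from the thread.

LOCAL_ID_MAX=999   # assumption: IDs at or below this belong to local accounts

# Constructed sample of sssd-mapped entries, in getent's colon-separated format.
PASSWD_SAMPLE='jralston:*:1562201104:1562200513:James Ralston:/home/jralston:/bin/bash
alice:*:1562201222:1562200513:Alice Example:/home/alice:/bin/bash'
GROUP_SAMPLE='domain users:*:1562200513:jralston,alice
rhel5-admins:*:1562201337:jralston'

# Constructed sample name-to-DN map, one "name|dn" line per AD object.
DN_MAP='jralston|CN=James Ralston,OU=Users,DC=example,DC=com
alice|CN=Alice Example,OU=Users,DC=example,DC=com
domain users|CN=Domain Users,CN=Users,DC=example,DC=com
rhel5-admins|CN=rhel5-admins,OU=Groups,DC=example,DC=com'

# lookup_dn NAME: print the DN for NAME from DN_MAP; exit status 1 if unknown.
lookup_dn() {
    printf '%s\n' "$DN_MAP" |
        awk -F'|' -v n="$1" '$1 == n { print $2; found = 1 } END { exit !found }'
}

# check_ids: refuse to proceed if a mapped ID would collide with the local
# account range on the RHEL5 hosts, or if a user's primary gid has no group
# entry (the RHEL5 side would then show a bare number instead of a name).
check_ids() {
    {
        printf '%s\n' "$GROUP_SAMPLE" | sed 's/^/G:/'
        printf '%s\n' "$PASSWD_SAMPLE" | sed 's/^/U:/'
    } | awk -F: -v max="$LOCAL_ID_MAX" '
        BEGIN { bad = 0 }
        $1 == "G" {
            gids[$4] = 1
            if ($4 + 0 <= max) { print "group " $2 ": gid " $4 " is in the local range"; bad = 1 }
        }
        $1 == "U" {
            if ($4 + 0 <= max) { print "user " $2 ": uid " $4 " is in the local range"; bad = 1 }
            if (!($5 in gids)) { print "user " $2 ": primary gid " $5 " has no group entry"; bad = 1 }
        }
        END { exit bad }'
}

# make_ldif: one "changetype: modify" record per user (uidNumber + gidNumber)
# and per group (gidNumber), ready for `ldapmodify -f`. "replace" is used so
# the record also applies when the attribute has never been set.
make_ldif() {
    printf '%s\n' "$PASSWD_SAMPLE" | while IFS=: read -r name _ uid gid _; do
        dn=$(lookup_dn "$name") || { echo "no DN for user $name" >&2; exit 1; }
        printf 'dn: %s\nchangetype: modify\nreplace: uidNumber\nuidNumber: %s\n-\nreplace: gidNumber\ngidNumber: %s\n\n' \
            "$dn" "$uid" "$gid"
    done || return 1
    printf '%s\n' "$GROUP_SAMPLE" | while IFS=: read -r name _ gid _; do
        dn=$(lookup_dn "$name") || { echo "no DN for group $name" >&2; exit 1; }
        printf 'dn: %s\nchangetype: modify\nreplace: gidNumber\ngidNumber: %s\n\n' "$dn" "$gid"
    done || return 1
}

# Example run: validate first, then print the LDIF for review before ldapmodify.
check_ids && make_ldif
```

Review the generated LDIF before feeding it to `ldapmodify` with an authenticated bind (for example `-Y GSSAPI` after a `kinit` as an account that is allowed to write those attributes), since a typo here changes file ownership semantics on every RHEL5 host. Note that the RHEL7 hosts keep running with `ldap_id_mapping = true`, so they continue to ignore `uidNumber`/`gidNumber`; the values only matter to the RHEL5 side, which is why the script copies the mapped numbers verbatim rather than choosing new ones. For the reply's alternative of running the ldap `id_provider` with id-mapping, sssd-ldap(5) names the option for the SID that has to be supplied by hand `ldap_idmap_default_domain_sid`.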