Hello,

We are trying to test sssd for our Linux environment. We are able to join the AD domain using `realm` and, with a few tweaks, can authenticate users and find groups (when both user/groups are POSIX-compliant).
I was able to do group-based access with:

```ini
access_provider = simple
simple_allow_groups = some_posix_ad_group_name
```

Not all of our AD groups are POSIX-compliant; most are regular AD groups. I want to try to mimic the same group access behavior, but for non-POSIX groups. Meaning if a user is a member of a non-POSIX group, then allow access. Is this possible?

This is how far I've gotten on my sssd.conf:

```ini
[sssd]
domains = mydomain.com, my_app_domain
config_file_version = 2
services = nss, pam, ssh

[domain/mydomain.com]
ad_site = my-site-name
default_shell = /bin/bash
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = MYDOMAIN.COM
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u
ad_domain = mydomain.com
use_fully_qualified_names = False
ldap_id_mapping = False
access_provider = ad
shell_fallback = /bin/bash
ldap_schema = ad
ldap_search_base = OU=People,DC=mydomain,DC=com
ldap_user_object_class = person
ldap_user_name = SamAccountName
ldap_user_uid_number = uidNumber
ldap_user_gid_number = gidNumber
ldap_user_home_directory = unixHomeDirectory
ldap_user_shell = loginShell
ldap_user_gecos = displayName
ad_gpo_access_control = enforcing

[application/my_app_domain]
domain_type = application
inherit_from = mydomain.com

[pam]
pam_app_services = non_posix_ad_group_name
```

Any input is much appreciated!

Best,
Dave
