Hi,

On Thu, Nov 20, 2025 at 3:41 PM dave via sssd-users <[email protected]> wrote:

> Hello,
>
> We are trying to test sssd for our Linux environment.
> We are able to join the AD domain using `realm` and, with a few tweaks,
> can authenticate users and find groups. (when both user/groups are
> POSIX-compliant)
>
> I was able to do group-based access with
> access_provider = simple
> simple_allow_groups = some_posix_ad_group_name
>
> Not all of our AD groups are POSIX-compliant; most are regular AD groups.
>
> I want to try to mimic the same group access behavior, but for non-posix
> groups. Meaning if a user is a member of a non-POSIX group, then allow
> access.
> Is this possible?
>

Is this important for you to preserve existing POSIX attributes? If not then you can consider using 'ldap_id_mapping = true' so that *all* users/groups will get a new ID assigned.

>
> This is how far I've gotten on my sssd.conf:
>
> [sssd]
> domains = mydomain.com, my_app_domain
> config_file_version = 2
> services = nss, pam, ssh
> [domain/mydomain.com]
> ad_site = my-site-name
> default_shell = /bin/bash
> krb5_store_password_if_offline = True
> cache_credentials = True
> krb5_realm = MYDOMAIN.COM
> realmd_tags = manages-system joined-with-adcli
> id_provider = ad
> fallback_homedir = /home/%u
> ad_domain = mydomain.com
> use_fully_qualified_names = False
> ldap_id_mapping = False
> access_provider = ad
> shell_fallback = /bin/bash
> ldap_schema = ad
> ldap_search_base = OU=People,DC=mydomain,DC=com
> ldap_user_object_class = person
> ldap_user_name = SamAccountName
> ldap_user_uid_number = uidNumber
> ldap_user_gid_number = gidNumber
> ldap_user_home_directory = unixHomeDirectory
> ldap_user_shell = loginShell
> ldap_user_gecos = displayName
> ad_gpo_access_control = enforcing
> [application/my_app_domain]
> domain_type = application
> inherit_from = mydomain.com
> [pam]
> pam_app_services = non_posix_ad_group_name
>
> Any input is much appreciated!
>
> Best,
> Dave
> --
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
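The suggestion in the reply above, applied to the configuration from the question, as an added example that is not part of the original thread: with `ldap_id_mapping = True`, SSSD derives UIDs and GIDs from each object's SID, so groups without a `gidNumber` resolve and can be named in `simple_allow_groups`. It assumes the existing POSIX IDs do not need to be preserved and that access control moves to the simple provider; the group name is the placeholder from the question.

```ini
# Added example, not the poster's final configuration.
[sssd]
domains = mydomain.com
config_file_version = 2
services = nss, pam, ssh

[domain/mydomain.com]
id_provider = ad
ad_domain = mydomain.com
krb5_realm = MYDOMAIN.COM
ad_site = my-site-name
realmd_tags = manages-system joined-with-adcli
cache_credentials = True
krb5_store_password_if_offline = True
use_fully_qualified_names = False
default_shell = /bin/bash
fallback_homedir = /home/%u

# Before: ldap_id_mapping = False
#   IDs are read from uidNumber/gidNumber, so only POSIX-enabled
#   users and groups are resolved.
# After: IDs are generated from the objectSID for every user and group.
ldap_id_mapping = True

# The ldap_user_uid_number / ldap_user_gid_number mappings from the
# question are left out: with ID mapping on, the directory's POSIX IDs
# are not used.
# The ldap_search_base restriction to OU=People is also left out
# (assumption: the allowed group may live outside that OU).

# Group-based access as in the question, now naming the non-POSIX group.
# ad_gpo_access_control belongs to the ad access provider, so it is not
# set here (assumption: GPO-based access control is not required).
access_provider = simple
simple_allow_groups = non_posix_ad_group_name
```

Switching ID mapping changes the UID and GID of every existing user and group, so the SSSD cache has to be removed before restarting the service, and files owned by the old numeric IDs will no longer match their owners.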
