Adding AD User to a local linux group
1,707 views
Skip to first unread message
Chris Bidwell - NOAA Federal
Nov 14, 2022, 7:17:10 PM11/14/22
to ansible...@googlegroups.com
Hi all,
Is there a way to add an AD user to a local linux group? the user function doesn't work because it's only looking in /etc/passwd for this user.
David Logan
Nov 15, 2022, 12:39:30 AM11/15/22
to ansible...@googlegroups.com
Hi Chris,
I use PowerBroker to provide this sort of functionality. This auths to AD and when I show my groups at the command line, all AD and local groups are shown. PowerBroker has the AD user id and this can be added to the group in /etc/group.
What are you trying to do?
Regards
David
On Tue, 15 Nov 2022 at 09:47, 'Chris Bidwell - NOAA Federal' via Ansible Project <ansible...@googlegroups.com> wrote:
Hi all,Is there a way to add an AD user to a local linux group? the user function doesn't work because it's only looking in /etc/passwd for this user.
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAHKi8CgCE-AJQ0UH%2B4p5QPi%2BwN0zOi9SZ1jcWJsFZCGgM_CQqQ%40mail.gmail.com.
--
if in trouble, or in doubt
run in circles, scream and shout
run in circles, scream and shout
Rowe, Walter P. (Fed)
Nov 15, 2022, 7:17:07 AM11/15/22
to ansible...@googlegroups.com
Look at SSSD for joining your Linux machine to AD. We use it and find it very reliable. It also enables use of smart card for SSH logins if your public keys are populated in your AD user objects if you work in an environment that requires smart card login (2-factor).
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CA%2B8iFp7GLJ43hNcOqSvqXO05cMJKEcVVR-n1fubVe-H37xjcxg%40mail.gmail.com.
Rowe, Walter P. (Fed)
Nov 15, 2022, 7:23:06 AM11/15/22
to ansible...@googlegroups.com
I should add that your AD user objects need to have the POSIX attributes for UID and GID or Unix will not honor them.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/22DEC43D-F711-46C6-88C5-0EF6763EBAC8%40nist.gov.
Nico Kadel-Garcia
Nov 15, 2022, 8:18:09 PM11/15/22
to ansible...@googlegroups.com
On Tue, Nov 15, 2022 at 7:17 AM 'Rowe, Walter P. (Fed)' via Ansible
Project <ansible...@googlegroups.com> wrote:
>
> Look at SSSD for joining your Linux machine to AD. We use it and find it very reliable. It also enables use of smart card for SSH logins if your public keys are populated in your AD user objects if you work in an environment that requires smart card login (2-factor).
sssd has a lot of configuration issues and some very performance
Project <ansible...@googlegroups.com> wrote:
>
> Look at SSSD for joining your Linux machine to AD. We use it and find it very reliable. It also enables use of smart card for SSH logins if your public keys are populated in your AD user objects if you work in an environment that requires smart card login (2-factor).
issues. It works best with FreeIPA rather than Active Directory: it's
basically a Samba core with a FreeIPA body bolted on top of it, and it
does not scale to large AD environments. (Its insistence on
pre-caching the *entire* LDAP of the AD server and crashing if it
times out on that pre-load, is deadly for bulky, remote environments.)
For a very simple AD setup, it can work well. Be aware that it will
transform account names like "nkadel" in the "example.com" AD domain
to "nka...@domain.com", except when it doesn't, and the account
management can get pretty funky if you don't want to use the long form
all the time. Also be prepared to overload the 2048 maximum
line-length limit in /etc/group with such account names if you're not
cautious, and has to be dealt with that way unless you do
considerable extra work, in the sssd.conf and elsewhere in ways that
upgrades to sssd tend to erase. If you have to use it, be prepared to
spend time tuning the sssd itself with Ansible and managing
credentials with which to register the ansible target hosts in AD.
Nico Kadel-Garia
Email: nka...@gmail.com
Todd Lewis
Nov 15, 2022, 8:35:11 PM11/15/22
to ansible...@googlegroups.com
Interesting. None of that has been our experience, but then we only
have about 45,000 people in our AD.
David Logan
Nov 16, 2022, 12:38:08 AM11/16/22
to ansible...@googlegroups.com
I had issues with sssd and nested groups, basically it didn't work with nesting. This was some time ago so it may have been resolved. We have multiple domains and members from one or more that need to authenticate to a server so PowerBroker worked for us at the time and still does.
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/11e4ab9c-195c-af78-6a34-bfb8deb9c1e9%40gmail.com.
Rowe, Walter P. (Fed)
Nov 16, 2022, 7:16:02 AM11/16/22
to ansible...@googlegroups.com
We have nested groups and the GPO evaluation properly unrolls them for deep group membership evaluation. SSSD has come a long ways in the last three years. The developers are very responsive.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CA%2B8iFp6JJUq0x%2BDpumeLz0PGo4boXOB%2B2zg8ywNqVXt%2B_uum0Q%40mail.gmail.com.
Todd Lewis
Nov 16, 2022, 8:27:37 AM11/16/22
to Ansible Project
We do a lot of our group management - upstream from AD - using Grouper (https://incommon.org/software/grouper/). Being an academic institution, we have way too many tails for one (like an upstart AD) to suddenly sprout a dog. But none of that has complicated our success with SSSD on Linux, or provisioning with Ansible.
Reply all
Reply to author
Forward
0 new messages