#1033 [RFE] implement a script/tool joining to the Active Directory domain
Closed: Invalid. Opened 7 years ago by sgallagh.

https://bugzilla.redhat.com/show_bug.cgi?id=743509

Right now we have a script to join a machine to the IPA domain.
We should have a similar script to join a machine to an Active Directory domain.
It should do similar tasks, i.e.:
1. configure /etc/samba/smb.conf
2. net ads join (just to get machine creds in /etc/krb5.keytab)
3. configure sssd.conf to have something like this:

ldap_search_base = <search base>
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
cache_credentials = True
ldap_sasl_authid = <hostname>$@<REALM>
dns_discovery_domain = <REALM>
krb5_realm = <REALM>
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis

4. configure PAM modules for sssd
5. configure /etc/krb5.conf

Does it make any sense?
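The five steps above, as an added example of what such a join helper could look like. This is not SSSD's or realmd's code; it is a sketch written for this page. It assumes the host FQDN, the AD DNS domain and the LDAP search base are passed as arguments, that the NetBIOS workgroup is the first label of the realm, that authconfig is available for the PAM step, and that sssd.conf's dns_discovery_domain takes the DNS domain while krb5_realm takes the upper-cased realm. With DRY_RUN=1 (the default) it only writes the configuration files under $PREFIX, so it can be exercised without root or a domain controller; the host name client01.example.com and domain example.com in the usage line are constructed.

```shell
#!/bin/sh
# Added example (not SSSD or realmd code): one function per step of the ticket.
# DRY_RUN=1 writes configs only; DRY_RUN=0 also runs "net ads join" and authconfig.
set -eu

PREFIX="${PREFIX:-}"            # "" on a real host, a scratch directory when testing
DRY_RUN="${DRY_RUN:-1}"
ADMIN="${ADMIN:-Administrator}" # AD account allowed to join machines (assumption)

upper()     { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }
shortname() { printf '%s' "${1%%.*}"; }   # NetBIOS-style host name from the FQDN

# ldap_sasl_authid exactly as the ticket proposes: <hostname>$@<REALM>
sasl_authid() { printf '%s$@%s' "$(upper "$(shortname "$1")")" "$(upper "$2")"; }

write_file() {                  # $1 path, $2 mode; contents on stdin
  mkdir -p "$(dirname "$PREFIX$1")"
  cat >"$PREFIX$1"
  chmod "$2" "$PREFIX$1"
}

# 1. smb.conf: just enough for "net ads join" to work and store keys in the keytab
write_smb_conf() {              # $1 domain
  realm=$(upper "$1")
  write_file /etc/samba/smb.conf 0644 <<EOF
[global]
    workgroup = ${realm%%.*}
    realm = $realm
    security = ads
    kerberos method = secrets and keytab
EOF
}

# 2. join the domain; the machine keys land in /etc/krb5.keytab
join_domain() {
  if [ "$DRY_RUN" = 1 ]; then return 0; fi
  net ads join -U "$ADMIN"
  chmod 0600 /etc/krb5.keytab   # machine credentials are root-only
}

# 3. sssd.conf carrying the settings from the ticket (sssd insists on mode 0600)
write_sssd_conf() {             # $1 fqdn, $2 domain, $3 search base
  realm=$(upper "$2")
  write_file /etc/sssd/sssd.conf 0600 <<EOF
[sssd]
config_file_version = 2
services = nss, pam
domains = $2

[domain/$2]
ldap_search_base = $3
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
cache_credentials = True
ldap_sasl_authid = $(sasl_authid "$1" "$2")
dns_discovery_domain = $2
krb5_realm = $realm
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis
EOF
}

# 4. PAM/NSS: let authconfig wire sssd into the stacks (assumed available)
configure_pam() {
  if [ "$DRY_RUN" = 1 ]; then return 0; fi
  authconfig --enablesssd --enablesssdauth --update
}

# 5. krb5.conf: default realm, KDCs found through DNS SRV records
write_krb5_conf() {             # $1 domain
  realm=$(upper "$1")
  write_file /etc/krb5.conf 0644 <<EOF
[libdefaults]
    default_realm = $realm
    dns_lookup_kdc = true

[domain_realm]
    .$1 = $realm
    $1 = $realm
EOF
}

# Post-join check: does a "klist -kt" listing (on stdin) contain the machine
# principal? Until it does, sssd cannot bind with GSSAPI and the join is incomplete.
keytab_has_principal() {        # $1 principal
  awk -v p="$1" '$NF == p { found = 1 } END { exit !found }'
}

join_ad() {                     # $1 fqdn, $2 domain, $3 search base
  write_smb_conf "$2"
  join_domain
  write_sssd_conf "$1" "$2" "$3"
  configure_pam
  write_krb5_conf "$2"
  if [ "$DRY_RUN" != 1 ]; then
    klist -kt /etc/krb5.keytab | keytab_has_principal "$(sasl_authid "$1" "$2")"
  fi
}

# usage: PREFIX=/tmp/join ./ad-join.sh client01.example.com example.com dc=example,dc=com
if [ "$#" -eq 3 ]; then join_ad "$@"; fi
```

The keytab check at the end is the part a practitioner should not skip: a join that returns success but leaves no `HOST$@REALM` entry in /etc/krb5.keytab gives sssd nothing to authenticate with, and the symptom only shows up later as failed GSSAPI binds.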

Fields changed

milestone: NEEDS_TRIAGE => SSSD Deferred

The proposed configuration is not enough. The biggest challenge is actually joining the AD domain and provisioning keys to the host (the equivalent of the 'net join' command). This is now a part of the realmd project; however, it might make sense to pull some parts of that project into SSSD. This needs some further discussion. This is a critical piece of functionality for AD integration.

milestone: SSSD Deferred => Temp milestone
priority: minor => critical
proposed_priority: => Blocker
summary: RFE: implement a script for joining to the Active Directory domain => RFE: implement a script/tool joining to the Active Directory domain

Fields changed

summary: RFE: implement a script/tool joining to the Active Directory domain => [RFE] implement a script/tool joining to the Active Directory domain

Moving all the features planned for 1.10 release into 1.10 beta.

milestone: Temp milestone => SSSD 1.10 beta

Fields changed

priority: critical => blocker

Fields changed

cc: => myllynen@redhat.com

Fields changed

selected: => Must

This will be handled by realmd.

resolution: => wontfix
status: new => closed

Metadata Update from @sgallagh:
- Issue set to the milestone: SSSD 1.10 beta
