#1033 [RFE] implement a script/tool joining to the Active Directory domain
Closed: Invalid None Opened 8 years ago by sgallagh.

https://bugzilla.redhat.com/show_bug.cgi?id=743509

Right now we have a script to join a machine to the IPA domain.
We should have a similar script to join a machine to Active Directory domain.
It should do the similar tasks - i.e.:
1. configure /etc/samba/smb.conf
2. net ads join (- just to get machine creds in /etc/krb5.keytab)
3. configure sssd.conf to have something like this:

ldap_search_base = <search base>
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
cache_credentials = True
ldap_sasl_authid = <hostname>$@<REALM>
dns_discovery_domain = <REALM>
krb5_realm = <REALM>
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis

4. configure PAM modules for sssd
5. configure /etc/krb5.conf

Does it make any sense?

Fields changed

coverity: =>
description: https://bugzilla.redhat.com/show_bug.cgi?id=743509

{{{
Right now we have a script to join a machine to the IPA domain.
We should have a similar script to join a machine to Active Directory domain.
It should do the similar tasks - i.e.:
1. configure /etc/samba/smb.conf
2. net ads join (- just to get machine creds in /etc/krb5.keytab)
3. configure sssd.conf to have something like this:

ldap_search_base = <search base="">
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
cache_credentials = True
ldap_sasl_authid = <hostname>$@<realm>
dns_discovery_domain = <realm>
krb5_realm = <realm>
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis

  1. configure PAM modules for sssd
  2. configure /etc/krb5.conf

Does it make any sense?
}}}
=> https://bugzilla.redhat.com/show_bug.cgi?id=743509

{{{
Right now we have a script to join a machine to the IPA domain.
We should have a similar script to join a machine to Active Directory domain.
It should do the similar tasks - i.e.:
1. configure /etc/samba/smb.conf
2. net ads join (- just to get machine creds in /etc/krb5.keytab)
3. configure sssd.conf to have something like this:

ldap_search_base = <search base="">
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
cache_credentials = True
ldap_sasl_authid = <hostname>$@<realm>
dns_discovery_domain = <realm>
krb5_realm = <realm>
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis

  1. configure PAM modules for sssd
  2. configure /etc/krb5.conf

Does it make any sense?
}}}

milestone: NEEDS_TRIAGE => SSSD Deferred
patch: => 0
rhbz: =>
tests: => 0
testsupdated: => 0
upgrade: => 0

The proposed configuration is not enough. The biggest challenge is actual joining the AD domain and provisioning keys to the host (equivalent of the 'net join' command). This is now a part of the realmd project however it might make sense to pull some of the parts of the project into SSSD. This needs some further discussion. This is a critical piece of functionality for AD integration.

blockedby: =>
blocking: =>
description: https://bugzilla.redhat.com/show_bug.cgi?id=743509

{{{
Right now we have a script to join a machine to the IPA domain.
We should have a similar script to join a machine to Active Directory domain.
It should do the similar tasks - i.e.:
1. configure /etc/samba/smb.conf
2. net ads join (- just to get machine creds in /etc/krb5.keytab)
3. configure sssd.conf to have something like this:

ldap_search_base = <search base="">
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
cache_credentials = True
ldap_sasl_authid = <hostname>$@<realm>
dns_discovery_domain = <realm>
krb5_realm = <realm>
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis

  1. configure PAM modules for sssd
  2. configure /etc/krb5.conf

Does it make any sense?
}}}
=> https://bugzilla.redhat.com/show_bug.cgi?id=743509

{{{
Right now we have a script to join a machine to the IPA domain.
We should have a similar script to join a machine to Active Directory domain.
It should do the similar tasks - i.e.:
1. configure /etc/samba/smb.conf
2. net ads join (- just to get machine creds in /etc/krb5.keytab)
3. configure sssd.conf to have something like this:

ldap_search_base = <search base="">
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
cache_credentials = True
ldap_sasl_authid = <hostname>$@<realm>
dns_discovery_domain = <realm>
krb5_realm = <realm>
ldap_sasl_mech = GSSAPI
ldap_user_object_class = user
ldap_group_object_class = group
ldap_user_home_directory = unixHomeDirectory
ldap_tls_cacertdir = /etc/openldap/cacerts
ldap_schema = rfc2307bis

  1. configure PAM modules for sssd
  2. configure /etc/krb5.conf

Does it make any sense?
}}}

feature_milestone: =>
milestone: SSSD Deferred => Temp milestone
priority: minor => critical
proposed_priority: => Blocker
summary: RFE: implement a script for joining to the Active Directory domain => RFE: implement a script/tool joining to the Active Directory domain

Fields changed

summary: RFE: implement a script/tool joining to the Active Directory domain => [RFE] implement a script/tool joining to the Active Directory domain

Moving all the features planned for 1.10 release into 1.10 beta.

milestone: Temp milestone => SSSD 1.10 beta

Fields changed

priority: critical => blocker

Fields changed

cc: => myllynen@redhat.com

Fields changed

design: =>
design_review: => 0
fedora_test_page: =>
selected: => Must

This will be handled by realmd.

resolution: => wontfix
status: new => closed

Metadata Update from @sgallagh:
- Issue set to the milestone: SSSD 1.10 beta

3 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2075

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata