#364 [RFE] Recognize trusted domains in AD provider

Created 7 years ago by sgallagh
Modified 3 months ago

This ticket changed its shape.
The CIFS client and server side tickets have been forked out as separate tickets.
https://fedorahosted.org/sssd/ticket/1534
https://fedorahosted.org/sssd/ticket/1573

The scope of this ticket is reduced to the following: the AD provider must support trusted domains in a similar way to how the IPA provider does it.

Fields changed

owner: somebody => sbose
status: new => assigned

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.2

Fields changed

milestone: SSSD 1.2 => SSSD 1.3

Fields changed

milestone: SSSD 1.3 => SSSD 2.0

I currently use 389, Samba 3, and sssd. Windows clients can interact with Samba/389 just fine. Linux clients can use sssd/389 just fine, too. However, if a Linux user wants to keep a Windows workstation as well, they have to use smbldap-tools, or Windows, to set the Samba password in the port389 database so that their password is in sync between the UNIX and NT worlds.

IMHO, the simplest way to have sssd interact with Samba is to mimic the functionality of the smbldap-passwd Perl script. Then Linux clients can change passwords with traditional tools.

Samba 4 will be a different beast (built-in LDAP) so there may need to be split bugs for Samba3/4. Currently RHEL and Fedora only ship Samba 3 binaries (the Samba 4 packages are libraries only, no daemons/tools) so it would be nice, and should be trivial, to add simple password support for at least Samba 3.

cc: => mooninite
coverity: =>
upgrade: => 0

Fields changed

milestone: SSSD 2.0 => NEEDS_TRIAGE

This is the effort pzuna is investing his time in at the moment.

milestone: NEEDS_TRIAGE => SSSD 1.7.0
owner: sbose => pzuna
status: assigned => new

Fields changed

component: Data Provider => Winbind Provider
patch: => 0

Fields changed

milestone: SSSD 1.7.0 => SSSD 1.6.0
summary: Implement Samba provider => Implement Winbind provider

Fields changed

milestone: SSSD 1.6.0 => SSSD 1.8.0

Fields changed

milestone: SSSD 1.8.0 => NEEDS_TRIAGE
rhbz: =>

Fields changed

milestone: NEEDS_TRIAGE => SSSD 1.8 AD Integration NEEDS TRIAGE

Fields changed

milestone: SSSD 1.8 AD Integration NEEDS TRIAGE => SSSD Deferred
owner: pzuna =>

Fields changed

rhbz: => 0

Fields changed

blockedby: =>
blocking: =>
component: Winbind Provider => AD Provider
description: Reach out to the Samba community and design and implement the best solution for the SSSD and Samba integration. Requires research. => Reach out to the Samba community and design and implement the best solution for the SSSD and Samba integration. Requires research.

There are several requirements in this area:
1) SSSD should be able to interoperate with CIFS client and provide enough info for it so that winbind is not needed any more
2) It should dynamically recognize trusted AD domains in AD provider

This is a major feature.
feature_milestone: =>
milestone: SSSD Deferred => Temp milestone
priority: minor => critical
proposed_priority: => Blocker
summary: Implement Winbind provider => [RFE] Winbind feature parity

Fields changed

rhbz: 0 => todo

Moving all the features planned for 1.10 release into 1.10 beta.

milestone: Temp milestone => SSSD 1.10 beta

Fields changed

priority: critical => blocker

Fields changed

description: Reach out to the Samba community and design and implement the best solution for the SSSD and Samba integration. Requires research.

There are several requirements in this area:
1) SSSD should be able to interoperate with CIFS client and provide enough info for it so that winbind is not needed any more
2) It should dynamically recognize trusted AD domains in AD provider

This is a major feature. => This ticket changed its shape.
The CIFS client and server side tickets have been forked out as separate tickets.
https://fedorahosted.org/sssd/ticket/1534
https://fedorahosted.org/sssd/ticket/1573

The scope of this ticket is reduced to the following: the AD provider must support trusted domains in a similar way to how the IPA provider does it.
summary: [RFE] Winbind feature parity => [RFE] Recognize trusted domains in AD provider

Fields changed

design: =>
design_review: => 0
fedora_test_page: =>
selected: => Want

Fields changed

priority: blocker => critical

Fields changed

review: => 0

Fields changed

owner: => jhrozek
patch: 0 => 1
status: new => assigned

Fields changed

changelog: => If the SSSD client is joined to a Windows domain which is part of a forest, Global Catalog lookups should be able to resolve all users and groups in the forest and not only the ones from the joined domain.

  • master: 2a40ee7639baff182bb516d1e3d6effaf8e7619e

resolution: => fixed
status: assigned => closed

3 months ago

Metadata Update from @sgallagh:
- Issue assigned to jhrozek
- Issue set to the milestone: SSSD 1.10 beta

enhancement

AD Provider

1.0.0

https://bugzilla.redhat.com/show_bug.cgi?id=969883

https://fedorahosted.org/sssd/wiki/DesignDocs/GlobalCatalogLookups
