Testing new Ansible control node deployments.
Posts made by EddieJennings
-
RE: What Are You Doing Right Now
-
RE: What Are You Doing Right Now
Reading through the legalese of a work benefit.
-
RE: What Are You Doing Right Now
Being humbled as I test firewall rules on my home Edge Router Lite 3.
-
RE: sssd and user ID mapping
@Semicolon said in sssd and user ID mapping:
@EddieJennings we use a combination. We use the ids generated by sssd and automate the population of the AD attributes to align with them to ensure consistency. Where it comes in handy is when we have NFS mounts exported from an LDAP-aware NAS device. The NAS device doesn't natively understand the sssd mappings, and relies upon LDAP calls to find the accounts.
You can't really have a conflict, unless you were looking for a user and group to have the same number (which they can't with sssd, because it appends the principal's RID (padded to 5 digits)). If you have a need to manually specify a UID/GID, that would be for a local account, I presume. In those scenarios, we do create AD accounts that have manually defined UIDs that line up with the local user (always less than 1000) for the NAS appliance to find when evaluating access.
I'm curious. How do you gather the ids generated by sssd and populate them in to uidNumber and gidNumber attributes in AD?
-
RE: sssd and user ID mapping
@Pete-S
I use keys and use my Ansible control node as a jump box.
Lots of work left to tame the Wild West. This thread is just one of many things to be done.
-
RE: sssd and user ID mapping
"Yes."
The people accessing these VMs are my team (admins) as well as various developers. The number of unique users is enough to where managing local accounts wouldn't make sense. Also, there's SSO involved with many of our company's resources and AD is basically the source of truth for that.
There's a good bit for me to think through, in particular if it's worth using FreeIPA / IdM for authentication for these VMs and have FreeIPA / IdM have a trust with AD, which as of right now the answer to that is "no, it's not worth it." Thus, likely what's going to happen is going to be using sssd to work directly with AD, which brings up the thought of the best way of handling user and group IDs.
I'm not aware of any kind of native way to generate unique uidnumber and gidnumber when creating an AD user; thus, I think the way to go will be just letting sssd handle ID mapping, but I was curious if there is a reason I'm not thinking of that would make sense to not have sssd handle ID mappings.
-
sssd and user ID mapping
We are soon going to be using AD for authenticating users to our Linux VMs. Of the things to think through, one thing I'm considering is how to handle UID/GID mapping. SSSD handles this by default using an algorithm to map AD SIDs to UIDs/GIDs. This in theory should keep UID/GID consistent as the user logs into different Linux VMs. However, you can disable this mapping and set some attributes in AD (uidNumber, gidNumber, etc.).
What would be a scenario where you would want to disable the sssd auto-ID mapping and set these attributes in AD? The only one I can think of is when you want to specify the exact UID/GID that would be associated with a user or group, which would present the challenge of having to make sure you don't have ID conflicts.
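Added example, not part of the original posts and not sssd's own code: a sketch of the default algorithmic mapping described in sssd-ldap(5), showing why the same SID yields the same UID/GID on every VM without any shared state. It assumes the default `ldap_idmap_range_*` values and a hash seed of 0xdeadbeef, uses constructed SIDs, and leaves out sssd's handling of slice collisions between domains and of RIDs larger than one slice.

```python
import struct

# Defaults from sssd-ldap(5): ldap_idmap_range_min / _max / _size
RANGE_MIN, RANGE_MAX, RANGE_SIZE = 200_000, 2_000_200_000, 200_000
SEED = 0xDEADBEEF  # assumption: hash seed used by sssd's idmap library
M32 = 0xFFFFFFFF

def _mix(k: int) -> int:
    """Per-block scramble of MurmurHash3 (x86, 32-bit)."""
    k = (k * 0xCC9E2D51) & M32
    k = ((k << 15) | (k >> 17)) & M32
    return (k * 0x1B873593) & M32

def murmur3_32(data: bytes, seed: int = 0) -> int:
    h, n = seed & M32, len(data)
    body = n - n % 4
    for i in range(0, body, 4):  # full 4-byte little-endian blocks
        h ^= _mix(struct.unpack_from("<I", data, i)[0])
        h = ((h << 13) | (h >> 19)) & M32
        h = (h * 5 + 0xE6546B64) & M32
    if n % 4:  # 1-3 trailing bytes, little-endian
        h ^= _mix(int.from_bytes(data[body:], "little"))
    h ^= n
    h ^= h >> 16
    h = (h * 0x85EBCA6B) & M32
    h ^= h >> 13
    h = (h * 0xC2B2AE35) & M32
    return h ^ (h >> 16)

def sid_to_id(sid: str) -> int:
    """Map an AD SID to a UID/GID: hashed domain SID picks the slice, RID is the offset."""
    domain_sid, _, rid_text = sid.rpartition("-")
    rid = int(rid_text)
    if rid >= RANGE_SIZE:
        raise ValueError("RID does not fit in the domain's primary slice")
    slices = (RANGE_MAX - RANGE_MIN) // RANGE_SIZE  # 10000 with the defaults
    slice_no = murmur3_32(domain_sid.encode(), SEED) % slices
    return RANGE_MIN + slice_no * RANGE_SIZE + rid

# Constructed domain SID (not from the thread)
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
if __name__ == "__main__":
    for rid in (513, 1104):
        print(f"{DOMAIN}-{rid} -> {sid_to_id(f'{DOMAIN}-{rid}')}")
```

Because the result depends only on the SID and the three range settings, changing any `ldap_idmap_range_*` value on one host is what breaks consistency between hosts.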
-
RE: What Are You Doing Right Now
Just finished uploading a video of one of the Niehaus jazz etudes.
-
RE: What Are You Doing Right Now
Testing Ansible playbook for managing vCenter DRS group membership.
-
RE: Miscellaneous Tech News
@black3dynamite said in Miscellaneous Tech News:
https://ubuntu.com/blog/no-more-dhcpd
https://www.isc.org/blogs/isc-dhcp-eol/
I saw the news about dhcpd a while ago. I haven't taken the time to mess with Kea yet. I suppose dhcpd will truly be dead when it's no longer in the RHEL repos.
-
RE: What Are You Doing Right Now
Doing my periodic looking at Ubiquiti's website to see all of the EdgeMax stuff people would actually use continuing to not be in stock.
-
RE: What Are You Doing Right Now
@Obsolesce said in What Are You Doing Right Now:
@EddieJennings said in What Are You Doing Right Now:
Just finished successful upgrade of laptop to Fedora 38.
How is it?
The only gotcha was needing to uninstall and reinstall some qt5 stuff (for Musescore). All other aspects were smooth.
-
RE: What Are You Doing Right Now
Just finished successful upgrade of laptop to Fedora 38.
-
RE: Miscellaneous Tech News
@JaredBusch said in Miscellaneous Tech News:
Fedora 38 released a few days ago. Debating a clean install on my desktop instead of an upgrade.
I've tinkered with so much crap, I just want to start clean.
I often do a clean install for my daily driver laptop.
-
RE: What Are You Doing Right Now
@scottalanmiller said in What Are You Doing Right Now:
How is everyone today?
Doing well. Finally done with menial tasks so I can focus on Ansible for today.
-
RE: What Are You Doing Right Now
Downloading files to make a local Ubuntu repo mirror and watching the A's.
-
RE: What Are You Doing Right Now
Watching the A's while I try to get debmirror to work.
-
RE: What Are You Doing Right Now
@gjacobse said in What Are You Doing Right Now:
I’m about month five,.. thanks for that,.. feels good,.. nowhere near the stress or pressure,.
That’s how this job feels. I’m blessed with a good team and working with what I want (Linux and Ansible). Time flies when you’re having fun. Or rather, it feels like time is flying.
-
RE: What Are You Doing Right Now
@travisdh1 said in What Are You Doing Right Now:
@jt1001001 said in What Are You Doing Right Now:
Celebrating, if you will, 1 year at the new gig today
Congrats, I just had my 1 year at my job as well.
I'm about to finish month 4, but it feels like I've been at this job for a year.