On Thu, 2016-04-21 at 15:40 +1000, John Gardeniers wrote:
> Good news, I now have this working. Once I finish writing my notes I'll
> make them available to whoever might want them. Just to clarify things a
> bit, here is what we have and what we wanted:
>
> * Linux users are authenticated by the Samba 4 domain controllers via
>   SSSD, which itself uses LDAP.
> * As we are a development house, we have a rather complex set of
>   users/groups/permissions on the numerous servers. We wanted to manage
>   this centrally via Active Directory, without touching the sudoers file
>   on the Linux side.
> * As of now, on a test domain which is functionally a replica of our
>   production domain, we are able to manage sudo permissions on our AD
>   users and groups via a combination of ADSI Edit and ADUC.
>
> ADSI Edit is used only to create a new rule, which we then edit in ADUC.
> As I am the only member of our team who has ever dealt with Active
> Directory before, we are looking for any GUI tool which can make this a
> bit more intuitive, as the native Linux speakers aren't overly
> comfortable with the aforementioned tools. If you know of any we'd like
> to know.
>
> A bit more testing and we can copy this to production. :)
>
> regards,
> John

Make sure to use Samba 4.4 to avoid very strange replication bugs with
the custom schema.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
Hi Andrew,

Please elaborate, as we're about to put it on Samba 4.2. Thanks.

regards,
John

On 30/04/16 18:12, Andrew Bartlett wrote:
> On Thu, 2016-04-21 at 15:40 +1000, John Gardeniers wrote:
>> Good news, I now have this working. Once I finish writing my notes I'll
>> make them available to whoever might want them. Just to clarify things a
>> bit, here is what we have and what we wanted:
>>
>> * Linux users are authenticated by the Samba 4 domain controllers via
>>   SSSD, which itself uses LDAP.
>> * As we are a development house, we have a rather complex set of
>>   users/groups/permissions on the numerous servers. We wanted to manage
>>   this centrally via Active Directory, without touching the sudoers file
>>   on the Linux side.
>> * As of now, on a test domain which is functionally a replica of our
>>   production domain, we are able to manage sudo permissions on our AD
>>   users and groups via a combination of ADSI Edit and ADUC.
>>
>> ADSI Edit is used only to create a new rule, which we then edit in ADUC.
>> As I am the only member of our team who has ever dealt with Active
>> Directory before, we are looking for any GUI tool which can make this a
>> bit more intuitive, as the native Linux speakers aren't overly
>> comfortable with the aforementioned tools. If you know of any we'd like
>> to know.
>>
>> A bit more testing and we can copy this to production. :)
>>
>> regards,
>> John
>
> Make sure to use Samba 4.4 to avoid very strange replication bugs with
> the custom schema.
>
> Andrew Bartlett
>
On Mon, 2016-05-02 at 07:44 +1000, John Gardeniers wrote:
> Hi Andrew,
>
> Please elaborate, as we're about to put it on Samba 4.2. Thanks.

Please don't use 4.2 with the sudo schema. At a client, we have seen
that cause database corruption when combined with multiple DCs,
specifically duplicate values in the database that sssd really didn't
like.

It will also require you to run dbcheck from Samba 4.3 or later before
you can replicate with a Samba 4.3 DC.

Fixes for that made it into Samba 4.4.

Andrew Bartlett

-- 
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
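The symptom Andrew describes above is an attribute holding the same value twice, which LDAP does not allow and which sssd then chokes on. As an added example (not from this thread, from Samba or from sssd), the following read-only Python check scans an LDIF dump such as `ldbsearch` or `ldapsearch -LLL` produces and reports entries whose attributes carry repeated values, so a directory can be inspected before and after a `dbcheck` run. The DNs, group names and hosts in the embedded sample are constructed.

```python
# Added example, not code from the thread or from Samba: flag LDAP entries
# whose attributes carry repeated values. Input is an LDIF dump.
import base64, re

# Constructed sample LDIF; DNs, groups and hosts are hypothetical.
SAMPLE_LDIF = """\
dn: CN=deploy-web,OU=sudoers,DC=example,DC=test
objectClass: sudoRole
sudoUser: %web-admins
sudoHost: web01
sudoHost: web02

dn: CN=db-restart,OU=sudoers,DC=example,DC=test
objectClass: sudoRole
sudoUser: %dba
sudoUser: %DBA
sudoHost: db01
sudoHost: db01
"""


def parse_ldif(text):
    """Return one {attr: [values]} dict per LDIF entry."""
    lines = re.sub(r"\n ", "", text).splitlines()  # fold LDIF continuation lines
    entries, entry = [], {}
    for line in lines + [""]:                      # trailing "" flushes last entry
        name, sep, value = line.partition(":")
        if not line or not sep or line.startswith("#"):
            if not line and entry:
                entries.append(entry)
                entry = {}
            continue
        if value.startswith(":"):                  # "attr:: <base64>" form
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        entry.setdefault(name, []).append(value.strip())
    return entries


def find_duplicate_values(text):
    """Map DN -> {attr: [repeated values]}; AD string syntaxes compare case-insensitively."""
    report = {}
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["<no dn>"])[0]
        for attr, values in entry.items():
            seen, dups = set(), []
            for v in values:
                if v.casefold() in seen and v not in dups:
                    dups.append(v)
                seen.add(v.casefold())
            if dups:
                report.setdefault(dn, {})[attr] = dups
    return report
```

Any entry reported here is one to hand to `samba-tool dbcheck` rather than to edit by hand; the script only reads the dump.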