On 05/11/15 09:55, mathias dufresne wrote:> Code is like books, or art (painting...). Some guy produce something, as he > likes, some others use/watch/listen it, as they like. Most of the time > these two ways are different. > > What I mean is it is not because something was not developed to be used in > some way that way of usage is not a good way of usage. > > Perhaps for most of us this is not the right way the OP want to do. Anyway > it is his way. Who are we to tell what he's doing should not be? I thought > opensource was more open than the other world.Samba4 initially used the bind9 flat files way of running, but it didn't and couldn't be made to work as an AD DC expects. This is why Samba4 moved to dlz, a lot needed to be done to get this to work, but it does work as expected, ok there are a few minor problems, but I am sure these will be fixed in time. I am not saying that the OP cannot use flat-files, just that he is on his own there.> > Same thing but about SSSD: I was thinking providing to my client same > behaviour for Linux systems as on Windows systems about local > administrators of computers (clients). On Windows you can define groups and > using GPO put some group(s) in client's local "administrators" group. There > you have people able to manage clients systems without any rights on AD. > This can be done using LDAP tree and user accounts with UID = 0. SSSD comes > also with filters to avoid peoples with UID=0 which have no right to > connect on some systems can connect on these refused systems. > So I had all I wanted to give my client same way of managing all their > systems with nominative accounts, to be able to trace a little bit what > admins do. > This is not possible because SSSD refuses (hardcoded...) users with UID=0 > to connect on SSSD systems. I was told this is for security reason: SSSD > through LDAP can, under certain configuration, grant man in the middle > attack (or something like that). > The fact is using AD servers are also authenticated, this security reason > disappear. Not the refusal because devs think what they thought is the only > to think. I don't.That is (in my opinion) a stupid way of doing things, every user with the UID of 0 raises the potential for an attack, if you want to do this, use sudo instead and yes sssd, AD and sudo will play nicely together. Just because you think something is a good idea doesn't mean it is, but nobody is stopping *you* doing things your way, just don't expect sympathy if things go wrong. Rowland> >
2015-11-05 11:17 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>:> On 05/11/15 09:55, mathias dufresne wrote: > >> Code is like books, or art (painting...). Some guy produce something, as >> he >> likes, some others use/watch/listen it, as they like. Most of the time >> these two ways are different. >> >> What I mean is it is not because something was not developed to be used in >> some way that way of usage is not a good way of usage. >> >> Perhaps for most of us this is not the right way the OP want to do. Anyway >> it is his way. Who are we to tell what he's doing should not be? I thought >> opensource was more open than the other world. >> > > Samba4 initially used the bind9 flat files way of running, but it didn't > and couldn't be made to work as an AD DC expects. This is why Samba4 moved > to dlz, a lot needed to be done to get this to work, but it does work as > expected, ok there are a few minor problems, but I am sure these will be > fixed in time. I am not saying that the OP cannot use flat-files, just that > he is on his own there.I didn't write against your previous mail but more generally against a way of mind I don't like. Software are tools and what users do with tools is under their own responsibility. And sometimes, some user find a way of usage which was not foreseen by anyone, and rarely that new way of usage is a really good idea. I don't mean my ideas are better than those from others ;)> > > >> Same thing but about SSSD: I was thinking providing to my client same >> behaviour for Linux systems as on Windows systems about local >> administrators of computers (clients). On Windows you can define groups >> and >> using GPO put some group(s) in client's local "administrators" group. >> There >> you have people able to manage clients systems without any rights on AD. >> This can be done using LDAP tree and user accounts with UID = 0. SSSD >> comes >> also with filters to avoid peoples with UID=0 which have no right to >> connect on some systems can connect on these refused systems. >> So I had all I wanted to give my client same way of managing all their >> systems with nominative accounts, to be able to trace a little bit what >> admins do. >> This is not possible because SSSD refuses (hardcoded...) users with UID=0 >> to connect on SSSD systems. I was told this is for security reason: SSSD >> through LDAP can, under certain configuration, grant man in the middle >> attack (or something like that). >> The fact is using AD servers are also authenticated, this security reason >> disappear. Not the refusal because devs think what they thought is the >> only >> to think. I don't. >> > > That is (in my opinion) a stupid way of doing things, every user with the > UID of 0 raises the potential for an attack, if you want to do this, use > sudo instead and yes sssd, AD and sudo will play nicely together. >Perhaps you think it is, anyway that's how IT world is proceeding for users for computer management as soon as we speak of computers, and they are numerous, and they work not too badly. I'm not confident enough in my own knowledge to say all Windows world is stupid. Now you speak about sudo and it is a very great tool if you don't have to much things to delegate. Once you want to give full access to one server to someone because that one is a sysadmin, sudo become a bit complex if you want to trace stuffs (refusing shells, even in vi/awk... and still give this user a way to work quickly, efficiently). This is true because I take as a reference my own knowledge or more exactly my own lacks of knowledge.> > Just because you think something is a good idea doesn't mean it is, but > nobody is stopping *you* doing things your way, just don't expect sympathy > if things go wrong.Oh I'm not much loving myself to think that :D And I grown old enough to fully understand that using a tool for something it is not initially meant for, support goes away, thank you. Cheers, mathias> > > Rowland > >> >> >> > > -- > To unsubscribe from this list go to the following URL and read the > instructions: https://lists.samba.org/mailman/options/samba >
A last thing: that's what is great with mailing list: they are not paying support, you can post on them to speak about new ways to use software as you speakl to a community and not to a paying support, with contract and limitation. That does not mean you will necessarily found someone to speak with about your new way, I understand that too. 2015-11-05 11:35 GMT+01:00 mathias dufresne <infractory at gmail.com>:> > > 2015-11-05 11:17 GMT+01:00 Rowland Penny <rowlandpenny241155 at gmail.com>: > >> On 05/11/15 09:55, mathias dufresne wrote: >> >>> Code is like books, or art (painting...). Some guy produce something, as >>> he >>> likes, some others use/watch/listen it, as they like. Most of the time >>> these two ways are different. >>> >>> What I mean is it is not because something was not developed to be used >>> in >>> some way that way of usage is not a good way of usage. >>> >>> Perhaps for most of us this is not the right way the OP want to do. >>> Anyway >>> it is his way. Who are we to tell what he's doing should not be? I >>> thought >>> opensource was more open than the other world. >>> >> >> Samba4 initially used the bind9 flat files way of running, but it didn't >> and couldn't be made to work as an AD DC expects. This is why Samba4 moved >> to dlz, a lot needed to be done to get this to work, but it does work as >> expected, ok there are a few minor problems, but I am sure these will be >> fixed in time. I am not saying that the OP cannot use flat-files, just that >> he is on his own there. > > > I didn't write against your previous mail but more generally against a way > of mind I don't like. Software are tools and what users do with tools is > under their own responsibility. And sometimes, some user find a way of > usage which was not foreseen by anyone, and rarely that new way of usage is > a really good idea. > I don't mean my ideas are better than those from others ;) > > >> >> >> >>> Same thing but about SSSD: I was thinking providing to my client same >>> behaviour for Linux systems as on Windows systems about local >>> administrators of computers (clients). On Windows you can define groups >>> and >>> using GPO put some group(s) in client's local "administrators" group. >>> There >>> you have people able to manage clients systems without any rights on AD. >>> This can be done using LDAP tree and user accounts with UID = 0. SSSD >>> comes >>> also with filters to avoid peoples with UID=0 which have no right to >>> connect on some systems can connect on these refused systems. >>> So I had all I wanted to give my client same way of managing all their >>> systems with nominative accounts, to be able to trace a little bit what >>> admins do. >>> This is not possible because SSSD refuses (hardcoded...) users with UID=0 >>> to connect on SSSD systems. I was told this is for security reason: SSSD >>> through LDAP can, under certain configuration, grant man in the middle >>> attack (or something like that). >>> The fact is using AD servers are also authenticated, this security reason >>> disappear. Not the refusal because devs think what they thought is the >>> only >>> to think. I don't. >>> >> >> That is (in my opinion) a stupid way of doing things, every user with the >> UID of 0 raises the potential for an attack, if you want to do this, use >> sudo instead and yes sssd, AD and sudo will play nicely together. >> > > Perhaps you think it is, anyway that's how IT world is proceeding for > users for computer management as soon as we speak of computers, and they > are numerous, and they work not too badly. I'm not confident enough in my > own knowledge to say all Windows world is stupid. > > Now you speak about sudo and it is a very great tool if you don't have to > much things to delegate. Once you want to give full access to one server to > someone because that one is a sysadmin, sudo become a bit complex if you > want to trace stuffs (refusing shells, even in vi/awk... and still give > this user a way to work quickly, efficiently). This is true because I take > as a reference my own knowledge or more exactly my own lacks of knowledge. > > >> >> Just because you think something is a good idea doesn't mean it is, but >> nobody is stopping *you* doing things your way, just don't expect sympathy >> if things go wrong. > > > Oh I'm not much loving myself to think that :D > And I grown old enough to fully understand that using a tool for something > it is not initially meant for, support goes away, thank you. > > Cheers, > > mathias > > >> >> >> Rowland >> >>> >>> >>> >> >> -- >> To unsubscribe from this list go to the following URL and read the >> instructions: https://lists.samba.org/mailman/options/samba >> > >