Как освоить Linux за 64 часа, и почему я инвестировал в этот проект 1.5 года своей жизни

Привет, Хабр! Меня зовут Павел, и я расскажу вам о том, как можно быстро выйти из Матрицы освоить Linux. Мне повезло принять участие в крутом проекте по разработке учебного курса для службы каталога ALD Pro , которую Астра создала на замену MS Active Directory, и об этой истории мне хотелось бы вам поведать. Увидеть, насколько глубока кроличья нора

https://habr.com/ru/companies/astralinux/articles/899916/

#astralinux #ald_pro #linux #freeipa #samba #sssd #служба_каталогов #системное_администрирование #импортозамещение #учебный_процесс

@indridi last time I had this need, #Fedora was good at it, but any distro should be able to handle it. Look up something called #sssd.

ICYMI: @tscherf examines Winbind v4.17 and how the logging service has improved the ability of Linux systems to join an Active Directory domain
https://www.admin-magazine.com/Archive/2024/83/Improved-logging-in-Samba-Winbind
#Samba #Windbind #Linux #ActiveDirectory #SSSD #tools #NSS

I'll mark this as happened yesterday though it was my morning today:

#YesterdayAtWork:
- UNIX domain socket support was merged to MIT #Kerberos upstream!
- KDB stackable driver load support was merged to MIT Kerberos upstream!
- Investigated some of #SSSD failures in #Fedora OpenQA, two separate issues: SELinux policy (already fixed upstream) and some timing desync in OpenQA that is likely an execution race
- bunch of meetings in past two days, including interesting discussions with customers

#sssd anybody? Is it possible to tell the daemon that the TGT provider is now online eg. after VPN has been connected?

@CyrilBrulebois >While #sssd supports settings for the CA certs directory, those aren't actually used

Sounds like an sssd bug, they could easily use ldap_set_option() to make libldap use their CA cert settings.

Brought to you by #strace-ing sssd to the connect(), getrandom(), and few read()/write() calls before switching to #GnuTLS localization files to get the “error message”, where it became obvious no actual certificates were being checked locally… Then checking #sssd's source code, diving into the #openldap rabbit hole and its dedicated config file, ending with:

# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt

While #sssd supports settings for the CA certs directory, those aren't actually used, and the TLS connection to the LDAP is delegated to #openldap functions, which require… /etc/ldap/ldap.conf to point somewhere. Without that file, the server certificate is not trusted…

And while libldap-common was pulled via the libldap-<ABI> library which was itself pulled by sssd-ldap in Debian 10, that's no longer the case in Debian 11.

Today's fun: #sssd deployed on Debian 10 works fine once ca-certificates is tweaked to include the internal CA; but doesn't on Debian 11 with the exact same playbook.

Weird “Unknown error code” in the TLS layer — THANK YOU SO MUCH CRYPTOGRAPHERS FOR ACCURATE ERROR REPORTING.

Is anyone using sssd with AD on ubuntu and getting weird, intermittent and machine-dependent ID mapping failures (for users and groups)? And maybe even has a solution?

#sssd

#FOSDEM 2024 Identity and Access Management devroom schedule is ready. Come to us in K.3.401 on February 4th, 2024: https://fosdem.org/2024/schedule/track/identity-and-access-management/ #fosdem #freeipa #sssd #keycloak #fusioniam #midpoint #fedora #kerberos #samba

My PR to add a better description of how identity mapping is done in FreeIPA has been finally merged. It is a bit of high level overview but should help in case you are lost:

https://freeipa.readthedocs.io/en/latest/designs/id-mapping.html

#freeipa #sssd

Looking for info #alma #rocky #rhel in AD and using as a file server.

RHEL docs seem to say #sssd is the preferred way to join domain, but they don't explain how to use sssd and NOT #winbind for #smb

Can you use smb file shares with WIndows permissions and not use the winbind method to join AD?

Call for proposals for FOSDEM 2024 Identity and Access Management devroom: https://iam-devroom.github.io/fosdem-2024/ #fosdem #freeipa #sssd #kerberos #samba #keycloak

Please help us to make Fedora 39 better.

We will run a Fedora Test Day later this week (September 21st/22nd) for passkey authentication in #FreeIPA and #SSSD: https://fedoramagazine.org/contribute-at-passkey-auth-fedora-coreos-and-iot-test-week/

My #FlockToFedora talk will be streamed on the #Fedora YouTube channel in ~45 minutes: https://youtu.be/Un_FLUlltcc?si=zbbGj8gbX3jgHwNB #freeipa #sssd #kerberos

#FreeIPA 4.11.0 beta1 released. Release notes can be found here: https://www.freeipa.org/release-notes/4-11-0-beta.html. I already updated F39 and F40.

Please read release notes for more details and links to additional material. #SSSD folks will be releasing 2.9.2 shortly but they are looking at fixing few crashes I found in some passkey processing so it may delay their release.

Esto es lo que ocupa últimamente mi tiempo: se llama #SSSD o System Security Services... #Linux. Mirar trazas de esto en debug_level = 9 es #MARAVILLOSO 🤣
https://sssd.io/docs/architecture.html

git push, und Junge Junge, was hab ich für heiße Tage mit #sssd hinter mir. Ich wiederhole: Die Fallacies of Distributed Computing waren NICHT als To-Do-Liste gedacht! https://de.wikipedia.org/wiki/Fallacies_of_Distributed_Computing

Die mit Abstand schlechteste Antwort, die ich bisher von #ChatGPT bekommen habe, wirklich verblüffend schlecht. Frage nicht verstanden, Antworten komplett fantasiert. Eine Option "negative_cache" kennt #sssd überhaupt nicht, und "cache_first" macht was völlig anderes, als mit wahllos aneinandergereihten Worten beschrieben wird. Am Ende war ich so verzweifelt, ich musste den Unterschied zwischen "entry_negative_timeout" und "local_negative_timeout" in der Doku nachlesen. https://0bin.net/paste/uY6apaR6#cOVo1QESQWgXbdfaUdskyy7UPix6-t8GlD1L/mpdjDm