Comments (9)
What would you recommend? Something like this:
In order to join the domain, you must use an Active Directory user which has sufficient join permissions.
It is not recommended to use the Administrator user as the security footprint of this user is too large.
?
from ad_integration.
That works for me. Including a list of what permissions are required would also be great. It would make it easier to get the account setup properly without having to identify the permissions yourself.
@justin-stephenson Do you know what specific permissions are required? Given a user, is there a way to verify that it has the required permissions before attempting to use the role?
I'm open to improving the wording but I would not say it is "not recommended", as the account used to join the domain is not a service account, it is only used during the join operation to create/update the computer object in AD. SSSD will then authenticate using the computer object principal stored in a keytab.
The ADCLI(8) man page contains quite a bit more detail about permissions; perhaps we can point to that.
Even though it's not stored on each machine, domain admin should still not be used for any actions. It's bad practice and shouldn't be encouraged.
Referencing the DELEGATED PERMISSIONS section of the ADCLI(8) man page would work. It does a good job of showing what permissions are required for which actions.
The various adcli man pages I have been able to find (e.g. https://manpages.org/adcli/8) do not have a "DELEGATED PERMISSIONS" section. Is there a link to some sort of adcli documentation that describes these permissions?
Odd. It's available when I run man adcli on a CentOS Stream 8 system and at https://manpages.debian.org/testing/adcli/adcli.8.en.html
The new phrasing looks good to me