Bad recommendation about ad_integration HOT 9 CLOSED

What would you recommend? Something like this:

In order to join to the domain, you must use an Active Directory user which has sufficient join permissions. 
It is not recommended to use the Administrator user as the security footprint of this user is too large.

?

from ad_integration.

That works for me. Including a list of what permissions are required would also be great. It would make it easier to get the account setup properly without having to identify the permissions yourself.

from ad_integration.

That works for me. Including a list of what permissions are required would also be great. It would make it easier to get the account setup properly without having to identify the permissions yourself.

@justin-stephenson Do you know what specific permissions are required? Given a user, is there a way to verify that it has the required permissions before attempting to use the role?

from ad_integration.

I'm open to improving the wording but I would not say it is "not recommended", as the account used to join the domain is not a service account, it is only used during the join operation to create/update the computer object in AD. SSSD will then authenticate using the computer object principal stored in a keytab.

The ADCLI(8) man page contains quite a bit more details about permissions, perhaps we can point to that.

from ad_integration.

Even though it's not stored on each machine, domain admin should still not be used for any actions. It's bad practice and shouldn't be encouraged.

Referencing the DELEGATED PERMISSIONS section of the ADCLI(8) man page would work. It does a good job of showing what permissions are required for which actions.

from ad_integration.

Even though it's not stored on each machine, domain admin should still not be used for any actions. It's bad practice and shouldn't be encouraged.

Referencing the DELEGATED PERMISSIONS section of the ADCLI(8) man page would work. It does a good job of showing what permissions are required for which actions.

The various adcli man pages I have been able to find (e.g. https://manpages.org/adcli/8) do not have a "DELEGATED PERMISSIONS" section. Is there a link to some sort of adcli documentation that describes these permissions/

from ad_integration.

Even though it's not stored on each machine, domain admin should still not be used for any actions. It's bad practice and shouldn't be encouraged.
Referencing the DELEGATED PERMISSIONS section of the ADCLI(8) man page would work. It does a good job of showing what permissions are required for which actions.

The various adcli man pages I have been able to find (e.g. https://manpages.org/adcli/8) do not have a "DELEGATED PERMISSIONS" section. Is there a link to some sort of adcli documentation that describes these permissions/

Odd. It's available when I run man adcli on a CentOS Stream 8 system and at https://manpages.debian.org/testing/adcli/adcli.8.en.html

from ad_integration.

#24

from ad_integration.

The new phrasing looks good to me

from ad_integration.