Comprehensive re-write of the classicupgrade HowTo and other changes

steve steve at steve-ss.com
Thu May 29 14:52:47 MDT 2014


On Thu, 2014-05-29 at 21:34 +0100, Rowland Penny wrote:
> On 29/05/14 20:12, Jakub Hrozek wrote:
> > On Wed, 2014-05-28 at 13:24 +0200, Marc Muehlfeld wrote:
> >> Hello,
> >>
> >> I'm talking about re-writing the classicupgrade HowTo since over a year
> >> now. :-) Now, after three rainy vacation days, it's finally done:
> >>
> >> A complete and comprehensive re-write of the classicupgrade HowTo:
> >> https://wiki.samba.org/index.php/Samba_Classic_Upgrade_%28NT4-style_domain_to_AD%29
> >>
> >>
> >>
> >>
> >> Some other mentionable documentation changes, I had
> >> done during the last week:
> >>
> > Hi,
> >
> > I also did some changes to the SSSD howto page:
> > https://wiki.samba.org/index.php/Local_user_management_and_authentication/sssd
> >
> > In the page history I see that Marc already did an edit after I finished
> > (thanks!) but feel free to review the page and comment further. It would
> > be nice if some native English speaker could proof-read the language :-)
> >
> OK, you asked for it, here is the English version of parts of your howto ;-)
> 
> First is what you wrote, followed by what I would have written.
> 
> sssd can retrieve posix data (UID/GID, home directory, shell, etc.) from 
> AD, if you domain was provisioned with the --rfc2307 option. This allows 
> you a central management of posix data in AD with the common tools and 
> the same IDs on every machine.
> 
> sssd can retrieve posix data (UID/GID, home directory, shell, etc.) from 
> AD, if your domain was provisioned with the --rfc2307 option. This 
> allows for central management of posix data in AD with the common tools 
> and gives the same IDs on every machine.
> 
> Doesn't not need a KDC to authenticate.
> 
> Doesn't need a KDC to authenticate.
> OR
> Does not need a KDC to authenticate.
> 
> Non-Linux platforms, such as the BSD distributions, are not yet fully 
> supported by sssd yet.
> 
> Non-Linux platforms, such as the BSD distributions, are not yet fully 
> supported by sssd.
> OR
> Non-Linux platforms, such as the BSD distributions, are not fully 
> supported by sssd yet.
> 
> If you have compiled Samba 4 by yourself,
> 
> If you have compiled Samba 4 yourself,
> 
> See ./configure --help for options, you can set to adapt the build to 
> your environment.
> 
> See ./configure --help, for options you can set to adapt the build to 
> your environment.
> 
> If you haven't adapt the ./configure options, you can link the module to 
> the corresponding directory.
> 
> If you haven't adapted the ./configure options, you can link the module 
> to the corresponding directory.
> 
> If your PAM installation searches its modules in a different location
> 
> If your PAM installation searches for its modules in a different location
> 
> Connections with this setup will be unencrypted, except you have setup 
> LDAP over SSL on your DC and change the following example sssd.conf 
> accordingly!
> 
> Connections with this setup will be unencrypted, unless you have setup 
> LDAP over SSL on your DC and changed the following example sssd.conf 
> accordingly!
> 
> Create a new user account in your AD, sssd will use to bind via LDAP
> 
> Create a new user account in your AD that sssd will use to bind via LDAP
> 
> Hint: If you do changes on the sssd.conf, you should clear the cache, to 
> make sure, that the new results really come from the source and not from 
> the cache.
> 
> Hint: If you do changes to sssd.conf, you should clear the cache, to 
> make sure that the new results really come from the source and not from 
> the cache.
> 
> Other than these few minor language problems, it is a great howto.
> 
> Rowland
> 

Thanks.
We still object to:
'. . .if your domain was provisioned with the --rfc2307 option . .'
Repeat, you do not need to provision with --rfc2307 option. The default
schema already allows for rfc2307 and so sssd works perfectly well
without it. All the necessary posix attributes can be managed with
samba-tool, ldbedit or ldbmodify. You may wish to add that provisioning
with --rfc2307 is necessary only should you wish to manage said from
ADUC.
Steve