Bug 1285086

Summary: Need better documentation about how sssd in the man pages about IMU deprecation and AD integration for POSIX attributes
Product: Red Hat Enterprise Linux 7 Reporter: Amy Farley <afarley>
Component: sssdAssignee: SSSD Maintainers <sssd-maint>
Status: CLOSED NOTABUG QA Contact: Kaushik Banerjee <kbanerje>
Severity: medium Docs Contact:
Priority: unspecified    
Version: 7.1CC: grajaiya, jgalipea, jhrozek, lslebodn, mkosek, mzidek, pbrezina, preichl
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-11-26 16:35:58 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Amy Farley 2015-11-24 20:56:54 UTC 
Description of problem:

We need to improve man page information and advice about how sssd will handle the mapping now that IMU is being deprecated in W2012r2 or W2016.  They need to give better advise on how sssd mapping works.

from comments #8 and #9 in case 01540021:

C#8
-------------------------8<-------------------------------------------------------------------------------------------- 

Good afternoon.

I have been researching your questions and the quick answer is that sssd will do what you want and nfs4 will be happy as it maps by name not but uid/gid.

In Windows Server 2016, 

    "All IDMU-related features will go away, including UNIX Attributes tab. This also applies to Network Information Service (NIS) Server feature and the IDMU tools included with Remote Server Administration Tools (RSAT). Instead of IDMU/NIS server, you should use native LDAP, Samba Client, Kerberos, or non-Microsoft options. For Network File System (NFS), there is a Windows PowerShell cmdlet that allows you to update the user account with uid/gid: Set-NfsMappedIdentity.

In the future, if you try upgrade a computer that runs IDMU components, the upgrade will stop and you will be prompted to remove IDMU as explained at Installing or removing Identity Management for UNIX by using a command line."

from http://blogs.technet.com/b/activedirectoryua/archive/2015/01/25/identity-management-for-unix-idmu-is-deprecated-in-windows-server.aspx

But in RHEL sssd integrates with AD in this way:

    "ID mapping in SSSD can create a map between Active Directory security IDs (SIDs) and the generated UIDs on Linux. ID mapping is the simplest option for most environments because it requires no additional packages or configuration on Active Directory.

Unix services can manage POSIX attributes on Windows user and group entries. This requires more configuration and information within the Active Directory environment, but it provides more administrative control over the specific UID/GID values and other POSIX attributes.

Active Directory can replicate user entries and attributes from its local directory into a global catalog, which makes the information available to other domains within the forest. Performance-wise, the global catalog replication is the recommended way for SSSD to get information about users and groups, so that SSSD has access to all user data for all domains within the topology. As a result, SSSD can be used by applications which need to query the Active Directory global catalog for user or group information."

From https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Windows_Integration_Guide/sssd-ad-integration.html

-------------------------8<-------------------------------------------------------------------------------------------- 
and C#9

I utilized the same documents that you referenced to form my -assumptions- about this configuration. I am now looking for Red Hat official recommendation on how to proceed in the absence of IDMU but still [ideally] using POSIX attributes in AD.  It may be helpful to expound upon: 

"Unix services can manage POSIX attributes on Windows user and group entries. This requires more configuration and information within the Active Directory environment, but it provides more administrative control over the specific UID/GID values and other POSIX attributes."

Can someone fill in the details of the "more configuration and information within the Active Directory environment?"
-------------------------8<--------------------------------------------------------------------------------------------

More information is needed about the last statement.
Comment 1 Jakub Hrozek 2015-11-24 21:12:18 UTC 
I don't see why SSSD manpages should document configuration details of Windows server..

I propose we close this as Wontfix or Notabug. This might be an internal knowledge-base article, but not upstream manpage amendment.

Our recommendation is to use ID mapping if possible.
Comment 2 Lukas Slebodnik 2015-11-25 08:23:44 UTC 
Many AD related thinks are described in System-Level Authentication Guide

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/Configuring_Domains.html#SSSD-AD

I agree with Jakub. It would be better to update documentation instead of
sssd manpages.
Comment 3 Martin Kosek 2015-11-26 14:15:14 UTC 
Just for the record, the official document is already being updated - Bug 1207955.
Comment 4 Jakub Hrozek 2015-11-26 16:34:34 UTC 
Upstream ticket:
https://fedorahosted.org/sssd/ticket/2885
Comment 5 Jakub Hrozek 2015-11-26 16:35:58 UTC 
I filed a related upstream ticket, but since the result would be an article, not a change in the RHEL packages, I'm closing this bug.