Poking around Proxmox for the first time
Posts made by EddieJennings
-
RE: Small office replacement network
@AdamF I stand corrected and good to know.
-
RE: Small office replacement network
Been a while since I had looked at Ubiquiti's store, but it looks like they're not bothering to show EdgeRouter 4 as an out-of-stock option anymore.
-
RE: What Are You Doing Right Now
Trying to figure out why reposync seems to have missed downloading a few RPMs.
-
RE: Zerotier installs but no conectivity on Fedora 38
Are either of the addresses of those two systems in conflict with another on the Zerotier network?
Anything odd in the routing tables for either system?
-
RE: What Are You Doing Right Now
Testing cost parameter for dnf repo configuration.
-
RE: What Are You Doing Right Now
Yum. Reading about policy based routing for Linux.
-
RE: What Are You Doing Right Now
@nadnerB said in What Are You Doing Right Now:
Getting started with Intune... getting caught up with seeing what Android Enterprise is about... sigh scope creep for today's work
A couple of people on my team have to deal with InTune. I don't envy them. Luckily, I have plenty of Linux work to keep me from being roped in.
-
RE: If starting from scratch, would you suggest learning BASH or Ansible?
@openit said in If starting from scratch, would you suggest learning BASH or Ansible?:
Hi there,
While I'm preparing for RedHat certification, I was thinking to learn BASH, for general use and also exam has requirement to write simple bash scripts.
But, in long run and to be more efficient, I feel deep learning of Ansible is better than BASH? If I left BASH, and go with Ansible do I lose anything? I assume Ansible covers what BASH can do?
Appreciate your suggestions.
They are different, complementary things that are both used for administering RHEL systems (and other systems as well, but you mentioned Red Hat certs). There will be times when you will use Ansible to execute the same commands on a remote system as you would with BASH when there isn't a specific Ansible module available to do the thing you want.
If you're learning about administering RHEL and other Linux systems (which I assume you are since you're seeking those certs), there is no realistic "leaving" of BASH. You could use other shells to run the commands needed to work on your skills, but if you're training for the real world of working on RHEL, why not use BASH?
Consider the first two certs in the Red Hat path, RHCSA and RHCE. RHCSA is designed to teach fundamentals of managing RHEL. RHCE is teaching the fundamentals of Ansible for the purpose of taking the things you learned with RHCSA and automating them potentially at scale.
-
RE: What Are You Doing Right Now
@dafyre said in What Are You Doing Right Now:
@EddieJennings said in What Are You Doing Right Now:
Quality saxophone time with major and minor scales = done. On to home Ansible stuff.
I haven't played mine in such a long time, I'd probably sound like a cat stuck in a blender, a dying duck, or some combination thereof.
My tone is acceptable, but trying to regain some technique.
-
RE: What Are You Doing Right Now
Quality saxophone time with major and minor scales = done. On to home Ansible stuff.
-
RE: What Are You Doing Right Now
Testing new Ansible control node deployments.
-
RE: What Are You Doing Right Now
Reading through the legalese of a work benefit.
-
RE: What Are You Doing Right Now
Being humbled as I test firewall rules on my home Edge Router Lite 3.
-
RE: sssd and user ID mapping
@Semicolon said in sssd and user ID mapping:
@EddieJennings we use a combination. We use the ids generated by sssd and automate the population of the AD attributes to align with them to ensure consistency. Where it comes in handy is when we have NFS mounts exported from an LDAP-aware NAS device. The NAS device doesn't natively understand the sssd mappings, and relies upon LDAP calls to find the accounts.
You can't really have a conflict, unless you were looking for a user and group to have the same number (which they can't with sssd, because it appends the principal's RID (padded to 5 digits)). If you have a need to manually specify a UID/GID, that would be for a local account, I presume. In those scenarios, we do create AD accounts that have manually defined UIDs that line up with the local user (always less than 1000) for the NAS appliance to find when evaluating access.
I'm curious. How do you gather the ids generated by sssd and populate them into uidNumber and gidNumber attributes in AD?
-
RE: sssd and user ID mapping
@Pete-S
I use keys and use my Ansible control node as a jump box.
Lots of work left to tame the Wild West. This thread is just one of many things to be done.
-
RE: sssd and user ID mapping
"Yes."
The people accessing these VMs are my team (admins) as well as various developers. The number of unique users is enough to where managing local accounts wouldn't make sense. Also, there's SSO involved with many of our company's resources and AD is basically the source of truth for that.
There's a good bit for me to think through, in particular if it's worth using FreeIPA / IdM for authentication for these VMs and have FreeIPA / IdM have a trust with AD, which as of right now the answer to that is "no, it's not worth it." Thus, likely what's going to happen is going to be using sssd to work directly with AD, which brings up the thought of the best way of handling user and group IDs.
I'm not aware of any kind of native way to generate unique uidnumber and gidnumber when creating an AD user; thus, I think the way to go will be just letting sssd handle ID mapping, but I was curious if there is a reason I'm not thinking of that would make sense to not have sssd handle ID mappings.
-
sssd and user ID mapping
We are soon going to be using AD for authenticating users to our Linux VMs. Of the things to think through, one thing I'm considering is how to handle UID/GID mapping. SSSD handles this by default using an algorithm to map AD SIDs to UIDs/GIDs. This in theory should keep UID/GID consistent as the user logs into different Linux VMs. However, you can disable this mapping and set some attributes in AD (uidNumber, gidNumber, etc.).
What would be a scenario where you would want to disable the sssd auto-ID mapping and set these attributes in AD? The only one I can think of is when you want to specify the exact UID/GID that would be associated with a user or group, which would present the challenge of having to make sure you don't have ID conflicts.