Revision as of 12:15, 15 May 2013

SSSD improve AD integration

Summary

The next major release of SSSD will include support for more advanced AD features for domain members. This includes site support and trusted domains. Additionally it will include a plugin for the cifs-utils package which would allow a CIFS client to use SSSD for lookups which were currently only possible with winbind.

Owner

Name: Jakub Hrozek
Email: <jhrozek@redhat.com>
Name: Sumit Bose
Email: <sbose@redhat.com>

Current status

Targeted release: Fedora 19
Last updated: 2013-03-08
Percentage of completion: 100%
Subtasks finished in the Beta:
- DNS site discovery
- DNS dynamic updates
- Dynamic discovery of NetBIOS domain name
- An interface to translate SID to names or IDs and vice versa

Detailed Description

So far SSSD development of AD provider concentrated on doing the user and group lookups for the joined domain efficiently with high performance. With the next major release of SSSD support for some features which are specific to AD domain will be added. This includes:

Site support: AD domains which include different physical locations can be split into sites. Each site represents a single physical location. With specially crafted DNS service record lookups an AD client can find the nearest domain controller, i.e. the domain controller in its site. This helps to keep network traffic local and allows clients to talk to the server with the lowest latency.
DNS updates: AD clients will be able to update their DNS record dynamically if assigned a different IP address
Trusted domains: currently the SSSD AD provider can only look up user and groups of the joined domain. With the support of Global Catalogs all users and groups of the forest the AD domain belongs to are available. Additionally it is planned to follow cross forest trust to look up users and groups in trusted forests.
NetBIOS name discovery: at present, the NetBIOS name must be specified as the SSSD domain name in order to make it possible to look up users using the NetBIOS name. In F-19 the SSSD will enable to discover the NetBIOS name dynamically, allowing the lookups to just work.
An interface to translate SID identifiers to user or group names or POSIX ID. Such interface will be the basis of future CIFS integration as well as used directly by FreeIPA to provide a human-reasable representation of users and groups.

Benefit to Fedora

With the improvements mentioned above a Fedora client which is joined to an AD domain and running SSSD has access to more advance features of the AD domain which were currently only available if winbind was used instead of SSSD.

Scope

All planned features for the next major release of SSSD can be found at [1]. The improvements mentioned above are tracked by the following tickets:

Links to design documents can be found in the tickets.

How To Test

Testing instructions can be found on the design documents in the SSSD wiki mentioned above. In the following a short summary for each feature can be found:

Site support: instead of using a random DC form the AD domain, SSSD should only connect to DCs from the local site. This can be checked with the netstat or ss utilities.
DNS updates: when the client address is changed, either manually or after DHCP assignment is changed, the client should automatically update its DNS record in the AD.
Trusted domains: users and groups from the local forest and trusted forests should be available
NetBIOS name discovery: it should be possible to request users using the NetBIOS domain name without specifying it manually in the config file.
SID-to-Name interface: apart from testing the library itself or its Python bindings, this feature would be prominently visible using the FreeIPA server UI, where Windows users and groups could be identified with their real names (as opposed to SIDs)

There will be a Fedora Test day for this feature at 2013-05-09.

User Experience

The user might benefit from reduced latency while accessing the DC (site support) and the ability to use users and groups from trusted domains. Advanced features of the cifs-utils package, e.g. changing ACLs, do not require a running winbindd anymore but can be used with sssd as well.

Dependencies

No additional dependencies are expected. The required version if cifs-utils is already available in Fedora. To parse some blobs returned by AD some libraries from the samba-libs package are needed, but SSSD already depends on other samba libraries.

Contingency Plan

Not required, if some of the improvements are not available in time, they will be moved to the next release.

Documentation

For details see the design documents mentioned above.

Release Notes

With the latest major release to SSSD the integration into AD domain was improved. AD sites are respected and SSSD tries to access the nearest domain controller. users and groups from trusted domains are available. SSSD offers an ID mapping plugin for the cifs-utils which allows to use advanced features of cifs-utils with SSSD.

Comments and Discussion

See Talk:Features/SSSDImproveADIntegration

@@ Line 21: / Line 21: @@
 * Targeted release: [[Releases/19 | Fedora 19 ]]
 * Last updated: 2013-03-08
-* Percentage of completion: 80%
+* Percentage of completion: 100%
+* Subtasks finished in the Beta:
+** DNS site discovery
+** DNS dynamic updates
+** Dynamic discovery of NetBIOS domain name
+** An interface to translate SID to names or IDs and vice versa
 <!-- CHANGE THE "FedoraVersion" TEMPLATES ABOVE TO PLAIN NUMBERS WHEN YOU COMPLETE YOUR PAGE. -->
@@ Line 28: / Line 33: @@
 So far SSSD development of AD provider concentrated on doing the user and group lookups for the joined domain efficiently with high performance. With the next major release of SSSD support for some features which are specific to AD domain will be added. This includes:
 * Site support: AD domains which include different physical locations can be split into sites. Each site represents a single physical location. With specially crafted DNS service record lookups an AD client can find the nearest domain controller, i.e. the domain controller in its site. This helps to keep network traffic local and allows clients to talk to the server with the lowest latency.
+* DNS updates: AD clients will be able to update their DNS record dynamically if assigned a different IP address
 * Trusted domains: currently the SSSD AD provider can only look up user and groups of the joined domain. With the support of Global Catalogs all users and groups of the forest the AD domain belongs to are available. Additionally it is planned to follow cross forest trust to look up users and groups in trusted forests.
-* CIFS client integration: in version 5.9 of the [https://wiki.samba.org/index.php/LinuxCIFS_utils cifs-utils] a plugin interface for ID mapping was added. This allows cifs-utils to use other services than winbind for those lookups. While those lookups are not needed for basic operation, i.e. accessing files from a Linux client on a Windows/Samba file server, they are needed e.g. when accessing and modifying access control lists (ACLs).
+* NetBIOS name discovery: at present, the NetBIOS name must be specified as the SSSD domain name in order to make it possible to look up users using the NetBIOS name. In F-19 the SSSD will enable to discover the NetBIOS name dynamically, allowing the lookups to just work.
+* An interface to translate SID identifiers to user or group names or POSIX ID. Such interface will be the basis of future CIFS integration as well as used directly by FreeIPA to provide a human-reasable representation of users and groups.
 == Benefit to Fedora ==
@@ Line 39: / Line 46: @@
 All planned features for the next major release of SSSD can be found at [https://fedorahosted.org/sssd/milestone/SSSD%201.10%20beta]. The improvements mentioned above are tracked by the following tickets:
 * [https://fedorahosted.org/sssd/ticket/1032 Site support]
+* [https://fedorahosted.org/sssd/ticket/1504 DNS updates]
 * [https://fedorahosted.org/sssd/ticket/364 Trusted domains]
-* [https://fedorahosted.org/sssd/ticket/1534 CIFS client integration]
+* [https://fedorahosted.org/sssd/ticket/1468 NetBIOS name discovery]
+* [https://fedorahosted.org/sssd/ticket/1559 SID-to-Name interface]
 Links to design documents can be found in the tickets.
@@ Line 60: / Line 69: @@
 Testing instructions can be found on the design documents in the SSSD wiki mentioned above. In the following a short summary for each feature can be found:
 * Site support: instead of using a random DC form the AD domain, SSSD should only connect to DCs from the local site. This can be checked with the netstat or ss utilities.
+* DNS updates: when the client address is changed, either manually or after DHCP assignment is changed, the client should automatically update its DNS record in the AD.
 * Trusted domains: users and groups from the local forest and trusted forests should be available
-* CIFS client integration: all tools from the cifs-utils package work as expected without a running winbindd on the client
+* NetBIOS name discovery: it should be possible to request users using the NetBIOS domain name without specifying it manually in the config file.
+* SID-to-Name interface: apart from testing the library itself or its Python bindings, this feature would be prominently visible using the FreeIPA server UI, where Windows users and groups could be identified with their real names (as opposed to SIDs)
 There will be a [https://fedoraproject.org/wiki/QA/Fedora_19_test_days Fedora Test day] for this feature at 2013-05-09.

Search

Features/SSSDImproveADIntegration: Difference between revisions