Update to 2020-12-08 13:00

master
Daniel Berteaud 4 years ago
parent d05125afc1
commit 516d4ee6be
  1. 2
      roles/sssd_ad_auth/defaults/main.yml
  2. 2
      roles/sssd_ad_auth/templates/sssd.conf.j2
  3. 2
      roles/timers/defaults/main.yml

@ -8,6 +8,8 @@ ad_computer_ou:
ad_access_filter: "(|(memberOf=CN=Domain Admins,CN=Users,DC={{ ad_realm | regex_replace('\\.',',DC=') }})(memberOf=CN=Domain Admins,OU=Groups,DC={{ ad_realm | regex_replace('\\.',',DC=') }}))"
ad_enumerate: True
ad_default_shell: /bin/false
# If access control should evaluate domain GPO. Can be disabled, eforcing or permissive. See man sssd-ad
ad_gpo_access_control: permissive
# sssd doesn't support cross forest approbations, but we can add the Linux box to the other domains
ad_trusted_domains: "{{ samba_trusted_domains | default([]) }}"

@ -32,6 +32,7 @@ ad_maximum_machine_account_password_age = 0
{% if ad_enumerate %}
enumerate = true
{% endif %}
ad_gpo_access_control = {{ ad_gpo_access_control }}
{% for domain in ad_trusted_domains %}
@ -55,4 +56,5 @@ ldap_user_search_base = {{ domain.ldap_user_search_base }}
{% if domain.ldap_group_search_base is defined and domain.ldap_group_search_base %}
ldap_group_search_base = {{ domain.ldap_group_search_base }}
{% endif %}
ad_gpo_access_control = {{ domain.ad_gpo_access_control | default(ad_gpo_access_control) }}
{% endfor %}

@ -11,7 +11,7 @@ system_timer_defaults:
persistent: False
enabled: True
user: root
max_duration: infinity
max_duration: 0
# Define systemd timers
# system_timers:

Loading…
Cancel
Save