Skip to content

Document required AD ACLs #541

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nightkr merged 3 commits into from
Jan 15, 2025
Merged

Document required AD ACLs #541

nightkr merged 3 commits into from
Jan 15, 2025

Conversation

@nightkr
Copy link
Contributor

@nightkr nightkr commented Jan 14, 2025

Description

Documentation mirror of stackabletech/ad-init#2.

Definition of Done Checklist

  • Not all of these items are applicable to all PRs, the author should update this template to only leave the boxes in that are relevant
  • Please make sure all these things are done and tick the boxes
# Author

# Reviewer
- [ ] Code contains useful comments
- [ ] Code contains useful logging statements
- [ ] (Integration-)Test cases added
- [ ] Documentation added or updated. Follows the [style guide](https://docs.stackable.tech/home/nightly/contributor/docs/style-guide).
- [ ] Changelog updated
- [ ] Cargo.toml only contains references to git tags (not specific commits or branches)

# Acceptance
- [ ] Feature Tracker has been updated
- [ ] Proper release label has been added
- [ ] [Roadmap](https://github.com/orgs/stackabletech/projects/25/views/1) has been updated

@nightkr nightkr requested a review from a team January 14, 2025 12:28
soenkeliebau
soenkeliebau reviewed Jan 14, 2025
View reviewed changes
docs/modules/secret-operator/pages/secretclass.adoc
(`kerberosKeytab.admin.activeDirectory.userDistinguishedName`), as well as to reset their passwords.

This can be configured using the following PowerShell script:

Copy link
Member

@soenkeliebau soenkeliebau Jan 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It might make sense to also have a textual description for people who want to click this instead of running a PowerShell script.
Doesn't need to be guide "click here, then click there" - just "account needs these rights configured"

Copy link
Contributor Author

@nightkr nightkr Jan 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Isn't that covered by the text above? Honestly not sure about how to flesh it out better without going full tutorial mode. :/

Copy link
Member

@soenkeliebau soenkeliebau Jan 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The text sounded so prose-like, I was hoping there might be some technical names for the privileges ore something like that .. I mean .. I guess there is, its apparently 00299570-246d-11d0-a768-00aa006e0529 :)

I presume in the gui/wizard/whereever you could click this its just called "change password" ?

Copy link
Contributor Author

@nightkr nightkr Jan 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In the GUI it's all grouped in under "All extended rights".

Copy link
Contributor Author

@nightkr nightkr Jan 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's also.. very hidden away that you can set it at all (need to use the low-level ADSI Edit tool to even see ACLs as an option).

Copy link
Member

@soenkeliebau soenkeliebau Jan 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So in the GUI its just a blanket "All extended rights" ?

Copy link
Contributor Author

@nightkr nightkr Jan 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

3f6896c

Copy link
Contributor Author

@nightkr nightkr Jan 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In "Active Directory Users and Computers" there are no permission options at all. "ADSI Edit" is a lower-level graphical tool that does expose them.. but is still missing a lot of extended rights (which, yes, just get grouped under "all extended rights").

@nightkr nightkr requested a review from soenkeliebau January 15, 2025 15:18
soenkeliebau
soenkeliebau approved these changes Jan 15, 2025
View reviewed changes
docs/modules/secret-operator/pages/secretclass.adoc
(`kerberosKeytab.admin.activeDirectory.userDistinguishedName`), as well as to reset their passwords.

This can be configured using the following PowerShell script:

Copy link
Member

@soenkeliebau soenkeliebau Jan 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So in the GUI its just a blanket "All extended rights" ?

@nightkr nightkr added this pull request to the merge queue Jan 15, 2025
Merged via the queue into main with commit ee020f3 Jan 15, 2025
17 checks passed
@nightkr nightkr deleted the docs/ad-acl branch January 15, 2025 16:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@soenkeliebau soenkeliebau soenkeliebau approved these changes

Assignees

No one assigned

Labels

release/25.3.0

Projects

Stackable Engineering
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@nightkr @soenkeliebau @lfrancke