On Wed, 18 Mar 2015, Gould, Joshua wrote:


On 3/18/15, 3:55 AM, "Sumit Bose" <sb...@redhat.com> wrote:

On Wed, Mar 18, 2015 at 08:41:30AM +0100, Jakub Hrozek wrote:
On Wed, Mar 18, 2015 at 08:26:03AM +0200, Alexander Bokovoy wrote:
> On Tue, 17 Mar 2015, Gould, Joshua wrote:

> >/etc/sssd/sssd.conf:
> >[domain/test.osuwmc]
> >ldap_idmap_range_min = 100000
> >ldap_idmap_range_size = 900000
> There is something completely broken here.

Yes, the sssd.conf configuration :-)

SSSD will not even read this sssd.conf section, it is just ignored. The
subdomains are mostly auto-configured, just with several exceptions
(like subdomain_homedir) where we read the subdomain config from the
main domain config.

> You *shouldn't* need to add a
> separate domain section for any of the domains coming over the forest
> trust link path _at_all_. SSSD automatically derives all needed
> parameters for them via its IPA providers for the primary IPA domain.
>
> Jakub, what is going on?

I would prefer if also Sumit can add his opinion since he authored the ID
mapping code.

As Alexander said in the other thread, only the IPA domain should be
configured if you want to use IPA and trust. AD domains will be
discovered and ranges will be configured on the IPA server side and IPA
clients will get all information about trusted AD domains from the IPA
server.

So, please remove the section for the AD completely from sssd.conf.

I'll be happy to remove the AD section from the sssd.conf file and test
but I think there's more going on. The AD section was generated from the
IPA client install. I never manually added anything other than "pac" to
the services line under the [sssd] section and the two ldap_idmap_range
options.
Show your /var/log/ipaclient-install.log. ipa-client-install has no
support to generate sections for AD at all.
--
/ Alexander Bokovoy
