[SSSD-users] Re: please do not remove enumeration from AD provider

2016-01-27 Thread James Ralston
Following up on an issue from a while ago… On Thu, May 14, 2015 at 9:32 PM, Stephen Gallagher wrote: > [T]he SSSD developers are spending a moderate amount of time dealing > with bugs in it [enumeration], first of all. Secondly, the > limitations aren't really clearly

[SSSD-users] Re: disable ad backend group filtering? (was Re: Re: speeding up iterative enumeration?)

2016-01-27 Thread Jakub Hrozek
On Wed, Jan 27, 2016 at 09:17:09AM -0500, Stephen Gallagher wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > On 01/27/2016 05:27 AM, Jakub Hrozek wrote: > > On Wed, Jan 27, 2016 at 09:43:21AM +, John Hodrien wrote: > >> On Wed, 27 Jan 2016, Jakub Hrozek wrote: > >> > >>> I'm glad

[SSSD-users] Re: Enumerate users from external group from AD trust

2016-01-27 Thread Bolke de Bruin
> On 27 Jan 2016, at 17:46, Jakub Hrozek wrote: > > On Wed, Jan 27, 2016 at 05:42:02PM +0100, Bolke de Bruin wrote: >> Hello, >> >> I have sssd 1.13.00 working against FreeIPA 4.2 domain. This domain has a >> trust relationship with an active

[SSSD-users] Enumerate users from external group from AD trust

2016-01-27 Thread Bolke de Bruin
Hello, I have sssd 1.13.00 working against FreeIPA 4.2 domain. This domain has a trust relationship with an active directory domain. One of the systems we are using requires to enumerate all users in groups by (unfortunate) design (Apache Ranger). This is done by using “getent group”. During

[SSSD-users] Re: [Freeipa-users] heads-up: new code to fetch sudo rules from an IPA server coming to Fedora and RHEL-6

2016-01-27 Thread Lukas Slebodnik
On (27/01/16 16:21), Jakub Hrozek wrote: >Hi, > >the sssd's code that fetches sudo rules from the IPA server got an >overhaul recently. The search would no longer be performed against the >compat tree, but against IPA's native LDAP tree. This would have the >advantage that environments that don't

[SSSD-users] Re: disable ad backend group filtering? (was Re: Re: speeding up iterative enumeration?)

2016-01-27 Thread James Ralston
On Wed, Jan 27, 2016 at 10:24 AM, Jakub Hrozek wrote: > btw the other thing we've been talking about is to only write the > entry when it actually changes. Most of the time, when we refresh > the entry from the server, nothing changes. The idea would be to > write only the

[SSSD-users] Re: Enumerate users from external group from AD trust

2016-01-27 Thread Jakub Hrozek
> On 27 Jan 2016, at 17:50, Bolke de Bruin wrote: > >> >> On 27 Jan 2016, at 17:46, Jakub Hrozek wrote: >> >> On Wed, Jan 27, 2016 at 05:42:02PM +0100, Bolke de Bruin wrote: >>> Hello, >>> >>> I have sssd 1.13.00 working

[SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7

2016-01-27 Thread Murdoch, Steven
Hi Sumit, I am making progress - both # getent -s sss passwd and getent group now work. I can also su - ldapuser and I get a shell in the correct $HOME on the ldap server. But I still cannot login to the SSSD Client as an ldap user! My /var/log/secure log last line is this: SSSD-VM-Test

[SSSD-users] Re: disable ad backend group filtering? (was Re: Re: speeding up iterative enumeration?)

2016-01-27 Thread Jakub Hrozek
On Wed, Jan 27, 2016 at 09:43:21AM +, John Hodrien wrote: > On Wed, 27 Jan 2016, Jakub Hrozek wrote: > > >I'm glad it helped. FWIW, we're considering adding a nosync option to > >the cache as well at some point, which should have the same performance > >effect as using tmpfs except the cache

[SSSD-users] Re: SSSD Client Auth on LDAP Server -both Client & Server CentOS6.7

2016-01-27 Thread Sumit Bose
On Tue, Jan 26, 2016 at 03:08:19PM +, Murdoch, Steven wrote: > Hi Sumit, … this is the last few lines from the sssd_nss.log (after running # > getent group – which does not work). Getent passwd now works ok. > > Tue Jan 26 14:51:15 2016) [sssd[nss]] [accept_fd_handler] (0x0400): Client >

[SSSD-users] Re: disable ad backend group filtering? (was Re: Re: speeding up iterative enumeration?)

2016-01-27 Thread John Hodrien
On Wed, 27 Jan 2016, Stephen Gallagher wrote: Now, I can certainly see an argument for having such a nosync (or deferred sync) option for machines that are expected to always be connected to the identity network (and as such are using SSSD mostly for performance and surviving the occasional