On Wed, Jan 24, 2018 at 06:06:38PM +0100, Franky Van Liedekerke wrote:
> On Wednesday, 24-01-2018 at 17:44, Jakub Hrozek wrote:
> > On Wed, Jan 24, 2018 at 05:25:26PM +0100, Franky Van Liedekerke wrote:
> > > On Wednesday, 24-01-2018 at 16:45, Jakub Hrozek wrote:
> > > > On Wed, Jan 24, 2018 at 10:10:11AM -0500, Geoff Goehle wrote:
> > > > > Sorry about the line breaks.  Adding "enable_files_domain = false" to 
> > > > > the [sssd] section fixed the issue.  Just out of curiosity, could I 
> > > > > ask what that does?  It's not in the man page.
> > > > 
> > > > SSSD has a feature which mirrors the local /etc/passwd and /etc/group
> > > > files for faster lookups of local users without having to enable nscd
> > > > which is tricky to operate together with sssd, especially if you run
> > > > sssd for a remote domain, too:
> > > >     https://fedoraproject.org/wiki/Changes/SSSDCacheForLocalUsers
> > > > But I'm surprised that Debian would enable this feature without changing
> > > > the nsswitch.conf order like Fedora did. They probably should disable
> > > > the files domain by default.
> > > > 
> > > > The files domain is currently identity-only and no authentication is
> > > > performed. That, together with the duplicate users and the files domain
> > > > running by default, has been causing the failures for you.
> > > 
> > > On a side-note: I just tested this enable_files_domain and it seems using 
> > > it results in the next domain still being queried for local users 
> > > (verified by sifting through the ldap server logs). Using an explicit 
> > > domain with id_provider=files apparently works differently (that domain 
> > > answers and the next one is not queried), which is not very transparent.
> > > Is this expected?
> > 
> > What was the order of the explicit domains? Note the implicit domain is
> > always prepended before any other domain.
> 
> The order in case of an explicit domain is first the files-based one, then 
> ldap. So the order is (or should be) identical in both cases.
> 

Then I don't know without logs, sorry.
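
Added example, not part of the original thread and not SSSD code: a small Python sketch that reads an sssd.conf and lists the domain lookup order as the thread describes it (implicit files domain prepended, files domains identity-only), then flags when an identity-only domain sits in front of one that can authenticate. The sample config, the `build_default` parameter, and the "implicit files domain" label are assumptions made for illustration.

```python
import configparser

# Constructed sample sssd.conf; the domain name and LDAP URI are placeholders.
SAMPLE = """\
[sssd]
services = nss, pam
domains = ldap
enable_files_domain = false

[domain/ldap]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
"""

def lookup_order(conf_text, build_default=True):
    """List (domain, id_provider, identity_only) in the order the thread describes.

    build_default is an assumption: the value used when enable_files_domain
    is not set, which depends on how the distribution built SSSD.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    order = []
    # Per the thread, the implicit files domain is prepended before any other domain.
    if cp.getboolean("sssd", "enable_files_domain", fallback=build_default):
        order.append(("implicit files domain", "files", True))
    names = cp.get("sssd", "domains", fallback="")
    for name in (n.strip() for n in names.split(",")):
        if not name:
            continue
        provider = cp.get(f"domain/{name}", "id_provider", fallback=None)
        # Per the thread, a files domain serves identity only, no authentication.
        order.append((name, provider, provider == "files"))
    return order

def identity_only_shadows_auth(order):
    """True if an identity-only domain is consulted before one that can authenticate."""
    seen_identity_only = False
    for _name, _provider, identity_only in order:
        if identity_only:
            seen_identity_only = True
        elif seen_identity_only:
            return True
    return False

if __name__ == "__main__":
    for text in (SAMPLE, SAMPLE.replace("= false", "= true")):
        order = lookup_order(text)
        print(order, "shadowing:", identity_only_shadows_auth(order))
```

A `True` result only means a user name present both locally and in the remote domain would be answered by the identity-only domain first, which is the failure pattern described earlier in the thread.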