All, I worked an sssd configuration case with my OS vendor in the last 3 weeks. I have resolution and it's working 100% correctly.
Just wanted to double-check. A second set of eyes to verify this solution is all above board. The problem manifested itself in our multi-domain AD forest with Posix Attributes. One parent domain that has a transitive trust with 4 (regional) child domains. Thus all 4 child domains trust each other. All users and groups are stored in the 4 child domains. The original problem was that I was disabling subdomains_provider and explicitly defining each of the 4 child domains. I had: domains = amer.company.com,apac.company.com, .... ... [domain/amer.company.com] .... [domain/apac.company.com] ... That worked great -- for everything except universal groups. Universal groups exist in the first domain in which they're created, but they're replicated to each domain. However, each child domain for this group's membership only has the local users of that domain. The full universal group membership is stored only in the global catalog (GC). The problem? The GC lookups are done in the subdomain_provider's code. So by disabling subdomains_provider, I was disabling GC lookups. Thus, I was getting the group membership only of the first child domain queried ( amer.company.com). What that amounted to is that remote support personnel couldn't log into local boxes, because they weren't listed in the allowed groups. So I re-wrote the sssd.conf file and only explicitly defined the one local child domain. I left on subdomain_provider, so it auto-discovered the other domains (sssctl domain-list confirms this). Like this: domains = amer.company.com ... [domain/amer.company.com] ldap_search_base = dc=AMER,dc=COMPANY,dc=COM [domain/amer.company.com/apac.company.com] ldap_search_base = dc=APAC,dc=COMPANY,dc=COM So then, universal groups showed all memberships. The only remaining problem was that now it was only searching the amer.company.com child domain. So while a remote user was listed as a member of an allowed universal group, the details of that user's account was not known. I couldn't add these auto-discovered domains to the "domains" line. (only domains explicitly defined in sssd.conf file are allowed in this line apparently). But I was able to add: domain_resolution_order = amer.company.com, emea.company.com, apac.company.com, japn.company.com, company.com Now all works 100%. Is this all legit? Do you see any problems with above final sssd.conf setting? Spike
_______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
