On Wed, Feb 27, 2013 at 08:19:27AM +0100, Jan-Frode Myklebust wrote: > What does it mean to have several domains listed in sssd.conf ? Will > they all be queried on each login, or will only the first domain be > queried if the user/groups is found there? >
If the user is found in the first domain, the result is returned. If it is not found, the second domain is queried etc. To query a user from the second domain directly, you'd have to use a fully qualified name - getent passwd user@domain2 > Does having an IPA domain, and an LDAP domain pointing at the same > servers give any protection against failures in the sssd_BE process > allowing sssd to fail over to the next sssd_BE ? In theory yes, but you'd lose the IPA specific functions such as HBAC or SELinux user mappings. Also for example the paths to Kerberos ccaches are stored in the sssd cache too, so your users would get a different ccache on this "failover". Are there any issues you are seeing with IPA's sssd_be? It would definitely be better to fix those first rather than attempting a workaround like this. _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users