On Tue, 30 Apr 2013, Simo Sorce wrote:
On Tue, 2013-04-30 at 22:37 +0300, Alexander Bokovoy wrote:
We need to add some smart logic to the ipasam module to handle it.
The logic for trusted users needs to go into winbindd or sssd, ipasam is
only about our own domain.
In SSSD 1.10 there is a new SID translation interface in libsss_nss_idmap
that we can use to build such logic.
I only pointed to ipasam because this is a place where we know
everything about all IPA trusts and idranges and which gets contacted
if winbindd is unable to resolve uid/gid to SID. A fallback case.
For an SSSD-based solution we would need to differentiate between it being
installed on an IPA master with ipa-adtrust-install configuration and other
machines to avoid loops, as SSSD on an IPA master currently asks winbindd
for SID translation and other SSSDs ask IPA's extdom plugin on Directory
/ Alexander Bokovoy
Freeipa-users mailing list