On Wed, Mar 18, 2015 at 08:26:03AM +0200, Alexander Bokovoy wrote:
> On Tue, 17 Mar 2015, Gould, Joshua wrote:
> >I figured out that the ldap_idmap_range_min and ldap_idmap_range_size need
> >to match whats in ipa idrange-find --all for the AD domain.
> >
> ># ipa idrange-mod --base-id=100000 --range-size=900000 --rid-base=0
> >Range name: TEST.OSUWMC_id_range
> >----------------------------------------
> >Modified ID range "TEST.OSUWMC_id_range"
> >----------------------------------------
> >Range name: TEST.OSUWMC_id_range
> >First Posix ID of the range: 100000
> >Number of IDs in the range: 900000
> >First RID of the corresponding RID range: 0
> >Domain SID of the trusted domain: S-1-5-21-226267946-722566613-1883572810
> >Range type: Active Directory domain range
> >
> >
> >/etc/sssd/sssd.conf:
> >[domain/test.osuwmc]
> >ldap_idmap_range_min = 100000
> >ldap_idmap_range_size = 900000
> There is something completely broken here.

Yes, the sssd.conf configuration :-)

SSSD will not even read this sssd.conf section, it is just ignored. The
subdomains are mostly auto-configured, just with several exceptions
(like subdomain_homedir) where we read the subdomain config from the
main domain config.

> You *shouldn't* need to add a
> separate domain section for any of the domains coming over the forest
> trust link path _at_all_. SSSD automatically derives all needed
> parameters for them via its IPA providers for the primary IPA domain.
> Jakub, what is going on?

I would prefer if also Sumit can add his opinion since he authored the ID
mapping code.

But here's how I see it - since you use 'external ID mapping', then you
should just rely on the properties from the server. The only action to
take on the client side is to purge the sssd cache on the clients if the
ID mapping changes, because currently SSSD doesn't handle ID changes.

And because gracefully handling ID changes is not planned even for the
next version (1.13), I wonder if it makes sense to add a warning after the
idrange-mod command is run that it's preferable to clean the caches? We
might also want to add some kind of simple CLI tool (sss_delcache?) so
that admins don't have to learn where the caches are stored.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

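The cache purge that the reply above recommends after an `ipa idrange-mod`, as an added example that is not part of the thread and not code from the SSSD or FreeIPA projects (the `sss_delcache` tool mentioned in the message is only a proposal there). It assumes the default SSSD cache locations (/var/lib/sss/db for the LDB cache, /var/lib/sss/mc for the memory-mapped cache) and a systemd host; the `SSSD_CTL` override and both function names are inventions of this script for testing. The second function computes the POSIX ID that an explicit IPA range assigns to a RID (base-id + (rid - rid-base), as the idrange-mod output in the quoted message describes the range), so an admin can check `id ad-user@test.osuwmc` against the expected value once the cache has been rebuilt.

```shell
#!/bin/sh
# Added example, not from the thread or the SSSD/FreeIPA projects.
# Purge the SSSD on-disk caches on an IPA client after the POSIX IDs of a
# trusted AD domain were changed with `ipa idrange-mod`. SSSD keeps the old
# uid/gid values for cached entries, so the cache files are removed while
# sssd is stopped and rebuilt from the server on the next lookup.

purge_sssd_cache() {
    # Defaults are the standard SSSD paths; both can be overridden for tests.
    db_dir="${1:-/var/lib/sss/db}"
    mc_dir="${2:-/var/lib/sss/mc}"
    # SSSD_CTL is a hook invented for this script (defaults to systemctl).
    ctl="${SSSD_CTL:-systemctl}"

    # Never delete cache files under a running sssd: it would keep the
    # unlinked files open and keep serving the stale IDs from memory.
    "$ctl" stop sssd || return 1

    removed=0
    # Only the per-domain caches and the memory-mapped caches are removed;
    # config.ldb is left alone because it is regenerated from sssd.conf.
    for f in "$db_dir"/cache_*.ldb "$mc_dir"/passwd "$mc_dir"/group; do
        [ -e "$f" ] || continue
        rm -f "$f"
        removed=$((removed + 1))
    done

    "$ctl" start sssd || return 1
    echo "$removed"
}

# Expected POSIX ID for a RID under an explicit IPA range:
#   base_id + (rid - rid_base), valid only while rid_base <= rid < rid_base + range_size.
expected_posix_id() {
    base_id=$1; range_size=$2; rid_base=$3; rid=$4
    if [ "$rid" -lt "$rid_base" ] || [ $((rid - rid_base)) -ge "$range_size" ]; then
        echo "RID $rid is outside [$rid_base, $((rid_base + range_size)))" >&2
        return 1
    fi
    echo $((base_id + rid - rid_base))
}

# Usage on a client, with the range from the quoted message
# (--base-id=100000 --range-size=900000 --rid-base=0):
#   purge_sssd_cache
#   expected_posix_id 100000 900000 0 1107   # then compare with: id ad-user@test.osuwmc
```

Run it as root on every IPA client that resolved users from the changed range, not just on the server: the reply above makes the point that the mapping is defined on the server, so nothing in the client's sssd.conf needs to change, only its cache.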