On 3/18/15, 3:55 AM, "Sumit Bose" <sb...@redhat.com> wrote:

>On Wed, Mar 18, 2015 at 08:41:30AM +0100, Jakub Hrozek wrote:
>> On Wed, Mar 18, 2015 at 08:26:03AM +0200, Alexander Bokovoy wrote:
>> > On Tue, 17 Mar 2015, Gould, Joshua wrote:
>>
>> > >/etc/sssd/sssd.conf:
>> > >[domain/test.osuwmc]
>> > >ldap_idmap_range_min = 100000
>> > >ldap_idmap_range_size = 900000
>> > There is something completely broken here.
>> 
>> Yes, the sssd.conf configuration :-)
>> 
>> SSSD will not even read this sssd.conf section, it is just ignored. The
>> subdomains are mostly auto-configured, just with several exceptions
>> (like subdomain_homedir) where we read the subdomain config from the
>> main domain config.
>> 
>> > You *shouldn't* need to add a
>> > separate domain section for any of the domains coming over the forest
>> > trust link path _at_all_. SSSD automatically derives all needed
>> > parameters for them via its IPA providers for the primary IPA domain.
>> > 
>> > Jakub, what is going on?
>> 
>> I would prefer if also Sumit can add his opinon since he authored the ID
>> mapping code.
>
>as Alexander said in the other thread, only the IPA domain should be
>configured if you want to use IPA and trust. AD domains will be
>discovered and ranges will be configured on the IPA server side and IPA
>clients will get all information about trusted AD domains from the IPA
>server.
>
>So, please remove the section for the AD completely from sssd.conf.

I¹ll be happy to remove the AD section from the sssd.conf file and test
but I think there¹s more going on. The AD section was generated from the
IPA client install. I never manually added anything other than ³pac² to
the services line under the [sssd] section and the two ldap_idmap_range
options. 



-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to