Hi Sumit

----- On Jan 11, 2017, at 12:51 PM, Sumit Bose sb...@redhat.com wrote:

> 
> I guess this is because the last update on one server was done with data
> from LDAP while the other used data from the Global Catalog. In general
> missing data in the GC should not remove the data read from LDAP, there
> is already https://fedorahosted.org/sssd/ticket/2474 to track this.

As always, looks spot on, and explains what we saw.


> 
> We plan to allow to configure sub-domains individually in one of the
> next releases, see https://fedorahosted.org/sssd/ticket/2599 .
> 
> In the meantime you might want to try id-overrides for users which have
> /bin/false set as shell in AD?
> 

Yes, it would be nice to have the ability to configure individual things on the 
AD domains.
For now, we'll implement ID override on users who we find to have this problem.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to