Hi Sumit

----- On Jan 11, 2017, at 12:51 PM, Sumit Bose sb...@redhat.com wrote:

> I guess this is because the last update on one server was done with data
> from LDAP while the other used data from the Global Catalog. In general
> missing data in the GC should not remove the data read from LDAP, there
> is already https://fedorahosted.org/sssd/ticket/2474 to track this.

As always, looks spot on, and explains what we saw.

> We plan to allow to configure sub-domains individually in one of the
> next releases, see https://fedorahosted.org/sssd/ticket/2599 .
> In the meantime you might want to try id-overrides for users which have
> /bin/false set as shell in AD?

Yes, it would be nice to have the ability to configure individual things on the 
AD domains.
For now, we'll implement ID override on users who we find to have this problem.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to