Re: [Freeipa-users] meaning of several domains in sssd.conf
On Wed, Feb 27, 2013 at 08:19:27AM +0100, Jan-Frode Myklebust wrote:
> What does it mean to have several domains listed in sssd.conf? Will they
> all be queried on each login, or will only the first domain be queried if
> the user/group is found there?

If the user is found in the first domain, the result is returned. If it is
not found, the second domain is queried, etc. To query a user from the
second domain directly, you'd have to use a fully qualified name:
getent passwd user@domain2

> Does having an IPA domain and an LDAP domain pointing at the same servers
> give any protection against failures in the sssd_BE process, allowing sssd
> to fail over to the next sssd_BE?

In theory yes, but you'd lose the IPA-specific functions such as HBAC or
SELinux user mappings. Also, for example, the paths to Kerberos ccaches are
stored in the sssd cache too, so your users would get a different ccache on
this failover.

Are there any issues you are seeing with IPA's sssd_be? It would definitely
be better to fix those first rather than attempting a workaround like this.

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] meaning of several domains in sssd.conf
On Wed, Feb 27, 2013 at 09:31:43AM +0100, Jakub Hrozek wrote:
> Are there any issues you are seeing with IPA's sssd_be? It would
> definitely be better to fix those first rather than attempting a
> workaround like this.

I've earlier been hit by a bug in nested groups (or netgroups) where the
ipa backend would segfault, leaving sssd running but unable to
authenticate. I believe it was this problem:

https://fedorahosted.org/sssd/changeset/db90c1b60c729995f34af2431ede61ea7493e540/

And therefore I wonder if it makes sense, or is even advisable, to have
backup backends to make sure we never lose the user database.

-jf
Re: [Freeipa-users] meaning of several domains in sssd.conf
On Wed, Feb 27, 2013 at 09:47:39AM +0100, Jan-Frode Myklebust wrote:
> On Wed, Feb 27, 2013 at 09:31:43AM +0100, Jakub Hrozek wrote:
>> Are there any issues you are seeing with IPA's sssd_be? It would
>> definitely be better to fix those first rather than attempting a
>> workaround like this.
>
> I've earlier been hit by a bug in nested groups (or netgroups) where the
> ipa backend would segfault, leaving sssd running but unable to
> authenticate. I believe it was this problem:
>
> https://fedorahosted.org/sssd/changeset/db90c1b60c729995f34af2431ede61ea7493e540/
>
> And therefore I wonder if it makes sense, or is even advisable, to have
> backup backends to make sure we never lose the user database.

In general the IPA backend is more or less a wrapper around the LDAP and
Kerberos backends with defaults set to match the IPA server setup, and a
couple of exceptions:

* nested groups are handled differently (due to the memberof attribute)
* initgroups can be handled differently (due to the memberof attribute)
* the netgroups code is different; IPA has native netgroups support

So in the above cases you might be able to work around a bug in the IPA
provider by following a different code path, but in the general case the
same bugs would exist in both IPA and LDAP/Kerberos. Plus, some features
are IPA-specific for the time being, such as IPA support for HBAC access
control rules and SELinux user mappings.
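For readers following the thread, here is an added sssd.conf sketch (not posted by either participant) of the two-domain layout being discussed: the IPA domain is listed first so bare usernames are resolved there, and a plain LDAP/Kerberos domain pointing at the same IPA servers is consulted only when the user is not found in the first. Hostnames, realm, search base and group name are constructed placeholders.

```ini
# Added example, not from the thread. example.com / EXAMPLE.COM, ipa1 and the
# "admins" group are constructed placeholders.
[sssd]
config_file_version = 2
services = nss, pam
# Lookup order: a bare "user" is tried in ipa.example.com first and only then
# in ldap-fallback. "getent passwd user@ldap-fallback" skips straight to the
# second domain.
domains = ipa.example.com, ldap-fallback

[domain/ipa.example.com]
# Native IPA provider: HBAC rules and SELinux user maps are enforced here.
id_provider = ipa
auth_provider = ipa
access_provider = ipa
chpass_provider = ipa
ipa_domain = example.com
ipa_server = _srv_, ipa1.example.com
ipa_hostname = client.example.com
cache_credentials = True

[domain/ldap-fallback]
# Generic LDAP + Kerberos providers against the same IPA servers. This takes
# the generic code paths (rfc2307bis group handling instead of the IPA
# memberof shortcuts) and, as the thread notes, gets no HBAC, no SELinux
# user maps and a separate ccache location.
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
ldap_uri = ldap://ipa1.example.com
ldap_search_base = dc=example,dc=com
ldap_schema = rfc2307bis
ldap_id_use_start_tls = True
ldap_tls_cacert = /path/to/ipa-ca.crt   # placeholder: the IPA CA certificate
ldap_sasl_mech = GSSAPI                  # bind with the host keytab, not anonymously
krb5_server = ipa1.example.com
krb5_realm = EXAMPLE.COM
cache_credentials = True
# HBAC is not evaluated on this path, so do not leave access_provider at the
# default "permit": restrict who may log in through the fallback domain.
access_provider = simple
simple_allow_groups = admins
```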