[SSSD-users] SSSD and backup/restore after system failure

2017-02-02 Thread smfrench
In a scenario in which an sssd node joined to Active Directory crashed and had to be rebuilt, restoring key files from backup, other than the obvious files in /etc (for krb5, sssd, nss etc.) are there other sssd/krb5 persistent databases (/var/lib/sss/db ?) that would have to be restored (ctdb

[SSSD-users] sssd and clustering/ctdb

2017-01-27 Thread smfrench
We were noticing some strange problems in two node clustered (ctdb/samba) sssd, cases in which both nodes joined AD fine, but "getent passwd " worked for only a subset of the remote AD users on one node, but worked fine on the other. The config seemed to be identical on the two nodes -

[SSSD-users] Re: sssd and clustering/ctdb

2017-01-27 Thread smfrench
And I did check the obvious - googling for "clustered sssd" or "sssd and ctdb" didn't come up with much useful in the last year (mostly a few threads that are out of date from 2 or 3 years ago). ___ sssd-users mailing list --

[SSSD-users] excessive number of adcli-krb5 tmp files

2017-01-25 Thread smfrench
I noticed that on one of our test systems running sssd we have about 150 /tmp/adcli-krb5-* files (they already take up about 600K after a few days) and have contents similar to a krb5.conf file snippet # cat /tmp/adcli-krb5-a1klQy/krb5.d/adcli-krb5-conf-sM7Ia1 [realms] VWQA.LOCAL = { kdc

[SSSD-users] uid -> sid mapping in Samba with sssd

2017-01-25 Thread smfrench
It wasn't obvious from the documentation whether with sssd-libwbclient (only, ie without sssd-winbind-idmap installed and configured in smb.conf, since sssd-winbind-idmap is not available in most versions of RHEL7 as it was only recently added), Samba's uid_to_sid(function) can always do the

[SSSD-users] Re: excessive number of adcli-krb5 tmp files

2017-01-26 Thread smfrench
We do see errors in the log, although not clear yet if the large number of them were due to sssd service not being restarted (we fixed that and still saw the same two errors in the logs - just not sure if as often) "(Wed Jan 25 21:50:20 2017) [sssd[nss]] [sss_dp_get_reply] (0x0010): The Data

[SSSD-users] SSSD and nested AD domains

2017-02-17 Thread smfrench
I haven't been able to find much useful information on how sssd (if at all) handles child domains in Active Directory. If you join an AD domain, presumably you can authenticate any users in the children domains, but what happens when you do "getent" do you expect to see users of the child

[SSSD-users] RFC2307bis and partially configured Active Directory Domains

2017-02-09 Thread smfrench
One of the more common cases for sssd (or winbind) with RFC2307 seems to be getting uids/gids from Active Directory domains, but few Active Directories have all of their users/groups configured for the POSIX uid/gid. How can you configure sssd behavior for this common case (among the three

[SSSD-users] wbinfo-like tool for sssd

2017-03-24 Thread smfrench
When debugging sssd it would be nice to be able to do various operations that getent can't do (e.g. 'name-to-sid' or 'sid-to-uid' etc.) or nss is not configured to do (testing that auth works e.g.) and the wbinfo tool has a pretty good list of the typical things that an admin or developer

[SSSD-users] Re: realm join and net join incompatibilities

2017-03-20 Thread smfrench
Yes - that looks like it works (updating /usr/lib64/realmd/realmd-defaults.conf to point to a 'net wrapper' that strips that parm out)

[SSSD-users] Re: Multiple Active Directory Domain Controllers - what if one is down ...

2017-03-20 Thread smfrench
Do you guys prefer 'authconfig' to configure sssd rather than realm or some other tools?

[SSSD-users] Multiple Active Directory Domain Controllers - what if one is down ...

2017-03-20 Thread smfrench
In testing using "realm join" to join an Active Directory domain with two domain controllers, we ran into a problem where "realm join" would fail when one of the two Domain Controllers was down. It looks like in a common case where nslookup shows two entries for myrealm.ad.test but the

[SSSD-users] realm join and net join incompatibilities

2017-03-16 Thread smfrench
In tracing through problems with realm join (in a Samba/ctdb cluster), I was noticing that realm join implicitly calls 'net ads join' (which should be a good thing) but it passes '-s' with a temporary smb.conf to 'net ads join' (which is a bad thing since it leaves out clustering=yes and the

[SSSD-users] realm join taking more than 5 minutes - waiting on password which was already entered

2017-08-08 Thread smfrench
In a few cases recently (again yesterday), we noticed RHEL7.3's "realm join" taking more than 5 minutes (which timed out in our cli, and running realm directly worked but took ~6 minutes when normally would take a few seconds). As you can see from the verbose output below the two longest