On (13/11/14 16:31), Sergey Urushkin wrote:
>Hello!
>
>While writing you mail I discovered that kerberos principal used by sssd
>(NIX$) doesn't have permissions for some ldap-attributes (all problem
>accounts had special AD (ldap) permissions). After resetting permissions in
>ADUC, the problem disappears.
>
>It seems, sssd makes more strict account checking than winbind (which works
>fine in the same situation). Maybe it's too strict for discovering group
>membership. Or you're considering this normal?
>
>Attributes which were not readable before resetting permissions:
>accountExpires:
>badPasswordTime:
>badPwdCount:
>homeDirectory:
>homeDrive:
>instanceType:
>lastLogoff:
>lastLogon:
>logonCount:
>logonHours:
>msSFU30NisDomain:
>pwdLastSet:
>scriptPath:
>userAccountControl:
>uSNChanged:
>uSNCreated:
>whenChanged:
>whenCreated:
>
I reduced attributes to the next set:
accountExpires
userAccountControl
uSNChanged
whenChanged
homeDirectory //should not be used with AD provider.

Other attributes are not used by sssd.

LS
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users
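
One way to check from the client which attributes of the reduced set the machine principal can read, as an added example that is not part of the original thread or of sssd. The LDIF entries are constructed, and the server name, base DN and user in the commented ldapsearch line are assumptions.

```shell
#!/bin/sh
# Reduced attribute set named in the reply above.
REQUIRED="accountExpires userAccountControl uSNChanged whenChanged"

# Read one LDIF entry on stdin; print each required attribute that is absent,
# i.e. that the bind identity was not allowed to read.
missing_attrs() {
    awk -v req="$REQUIRED" '
        BEGIN { n = split(req, want, " ") }
        /^#/ || /^ / || /^$/ { next }   # skip comments, folded lines, blanks
        {
            i = index($0, ":")          # "attr: value" or "attr:: base64"
            if (i > 1) seen[tolower(substr($0, 1, i - 1))] = 1
        }
        END {
            for (k = 1; k <= n; k++)
                if (!(tolower(want[k]) in seen)) print want[k]
        }'
}

# Constructed LDIF: an account with restrictive ACLs as seen by the host principal.
sample_restricted() {
cat <<'EOF'
dn: CN=Test User,OU=Staff,DC=example,DC=com
sAMAccountName: testuser
uSNChanged: 123456
whenChanged: 20141113163100.0Z
EOF
}

# Constructed LDIF: the same account after permissions were reset.
sample_reset() {
cat <<'EOF'
dn: CN=Test User,OU=Staff,DC=example,DC=com
sAMAccountName: testuser
accountExpires: 9223372036854775807
userAccountControl: 512
uSNChanged: 123460
whenChanged: 20141113170000.0Z
EOF
}

# Live use (assumed server, base DN and user; needs the host keytab):
#   kinit -k 'NIX$' && ldapsearch -Y GSSAPI -LLL -H ldap://dc.example.com \
#     -b 'dc=example,dc=com' '(sAMAccountName=testuser)' $REQUIRED | missing_attrs
echo "restricted: $(sample_restricted | missing_attrs | xargs)"
echo "after reset: $(sample_reset | missing_attrs | xargs)"
```

Comparing the output for an affected account against one that resolves correctly shows whether the difference is in attribute read permissions rather than in the sssd configuration.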
