Hello!

Lukas Slebodnik wrote on 2014-11-13 17:16:
I reduced attributes to the next set: accountExpires userAccountControl uSNChanged whenChanged homeDirectory //should not be used with AD provider.
What's wrong with it? I have no problems. homeDirectory is for Windows, unixHomeDirectory is for Linux, isn't it?
Other attributes are not used by sssd.
Ok, but none of the listed attributes are needed for group membership discovery. If some account expires (accountExpires) or e.g. changing the password is denied (userAccountControl), it doesn't mean it leaves its groups. Timestamps (uSNChanged, whenChanged) are not important for groups either. So, I think they should not be needed for group membership discovery, but it seems they are in sssd (without them things are broken in my case), unlike winbind. Maybe the NSS algorithm should be fixed in this way?
---
Best regards,
Sergey Urushkin
