On (13/11/14 17:53), Sergey Urushkin wrote:
>Hello!
>
>Lukas Slebodnik wrote 2014-11-13 17:16:
>
>>I reduced attributes to the next set:
>>accountExpires
>>userAccountControl
>>uSNChanged
>>whenChanged
>>
>>homeDirectory //should not be used with AD provider.
I should have written:
    should not be used with AD provider BY DEFAULT

>
>What's wrong with it? I have no problems. homeDirectory is for Windows,
>unixHomeDirectory is for Linux, isn't it?
>
Of course you can use it if you want.
SSSD has the configuration option ldap_user_home_directory for this purpose.

>>
>>Other attributes are not used by sssd.
>>
>
>Ok, but all listed attributes are not needed for group membership discovery.
>If some account expires (accountExpires) or e.g. changing password is denied
>(userAccountControl), it doesn't mean it leaves its groups. Timestamps
>(uSNChanged, whenChanged) are not important for groups too. So, I think they
>should not be needed for group membership discovery, but it seems they are in
>sssd (without them things are broken in my case), unlike winbind. Maybe NSS
>algorithm should be fixed in this way?
I would need to check the code where these options are used and why there is a
problem. I can't say at the moment.

But thank you very much for your investigation.
At least, we will know how to reproduce the problem.

LS
