On 13/11/14 15:04, Lukas Slebodnik wrote:
On (13/11/14 17:53), Sergey Urushkin wrote:
Hello!
Lukas Slebodnik wrote 2014-11-13 17:16:
I reduced attributes to the next set:
accountExpires
userAccountControl
uSNChanged
whenChanged
homeDirectory //should not be used with AD provider.
I should have written: should not be used with AD provider BY DEFAULT
What's wrong with it? I have no problems. homeDirectory is for windows,
unixHomeDirectory is for linux, isn't it?
of course you can use it if you want.
SSSD has the configuration option ldap_user_home_directory for this purpose.
Well, yes but as far as I can see, you can only set it once, so you have
to choose which users to default to, windows or unix.
Rowland
Other attributes are not used by sssd.
Ok, but all listed attributes are not needed for group membership discovery.
If some account expires (accountExpires) or e.g. changing password is denied
(userAccountControl), it doesn't mean it leaves its groups. Timestamps
(uSNChanged, whenChanged) are not important for groups either. So, I think they
should not be needed for group membership discovery, but it seems they are in
sssd (without them things are broken in my case), unlike winbind. Maybe the NSS
algorithm should be fixed in this way?
I would need to check the code where these options are used and why there is a
problem. I can't say at the moment.
But thank you very much for your investigation.
At least, we will know how to reproduce the problem.
LS
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users