Rowland Penny wrote 2014-11-13 18:16:
On 13/11/14 15:04, Lukas Slebodnik wrote:
On (13/11/14 17:53), Sergey Urushkin wrote:
Hello!
Lukas Slebodnik wrote 2014-11-13 17:16:
I reduced attributes to the next set:
accountExpires
userAccountControl
uSNChanged
whenChanged
homeDirectory //should not be used with AD provider.
I should have written: should not be used with AD provider BY DEFAULT
What's wrong with it? I have no problems. homeDirectory is for windows,
unixHomeDirectory is for linux, isn't it?
of course you can use it if you want.
SSSD has the configuration option ldap_user_home_directory for this purpose.
Well, yes but as far as I can see, you can only set it once, so you
have to choose which users to default to, windows or unix.
In my setup every user has both attributes, windows doesn't care about
unixHomeDirectory and sssd ad provider doesn't care about homeDirectory.
It uses unixHomeDirectory by default(!); if there is no such attribute,
it sets the home directory to "/", despite homeDirectory having another value
(UNC path). It works this way at least with 1.11.5 and 1.11.7 for me. I
think that's the right default.
---
Best regards,
Sergey Urushkin
Rowland
Other attributes are not used by sssd.
Ok, but all listed attributes are not needed for group membership discovery.
If some account expires (accountExpires) or e.g. changing password is denied
(userAccountControl), it doesn't mean it leaves its groups. Timestamps
(uSNChanged, whenChanged) are not important for groups too. So, I think they
should not be needed for group membership discovery, but it seems they are in
sssd (without them things are broken in my case), unlike winbind. Maybe the NSS
algorithm should be fixed in this way?
I would need to check the code where these options are used and why there is a
problem. I can't say at the moment.
But thank you very much for your investigation.
At least, we will know how to reproduce problem.
LS
_______________________________________________
sssd-users mailing list
[email protected]
https://lists.fedorahosted.org/mailman/listinfo/sssd-users