On 7/5/2017 3:40 AM, Sumit Bose wrote:
On Tue, Jul 04, 2017 at 04:39:35PM -0400, Tom wrote:
Is there a way in the sssd config to force the return of the user for only the 
main domain?

You can skip some domains completely, please have a look at the
ad_enabled_domains option in 'man sssd-ad' for details.

The only way I can think of to ignore only specific users from a
sub-domain is to use specific search filters for the sub-domain. Please
see the 'TRUSTED DOMAIN SECTION' of man sssd.conf for details about how
to configure a search filter for a sub-domain.

Maybe local overrides can be used here as well. You might want to try to
set a different UID to the user from the sub-domain with the
sss_override utility. But I haven't tried this, so chances are that this
might still fail.

bye,
Sumit


In some cases the user cannot be removed or the AD config is set up that way on purpose.

Cheers,
Tom


On Apr 7, 2017, at 11:16 PM, TomK <[email protected]> wrote:

On 4/6/2017 2:44 PM, Sumit Bose wrote:
On Thu, Apr 06, 2017 at 02:30:41PM -0400, TomK wrote:
Hey All,

We're receiving the following message on an older installation of SSSD and
RHEL 6.7.  SSSD version is sssd-1.12.4-47.el6_7.4.x86_64.

I'm wondering under what conditions could "Expected one user entry and got
2" be thrown and if it's fixed in higher SSSD versions.

This message typically occurs if SSSD found a duplicate user or group
name or a duplicated UID or GID on the server side. If that's the case a
newer version won't help, the name or ID collision must be resolved on
the server side.

HTH

bye,
Sumit


--
Cheers,
Tom K.
-------------------------------------------------------------------------------------

Living on earth is expensive, but it includes a free trip around the sun.
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]

Thank you!

--
Cheers,
Tom K.
-------------------------------------------------------------------------------------

Living on earth is expensive, but it includes a free trip around the sun.




Could not find the first option in the help pages. My version therefore doesn't support it.

I tried to set subdomains_provider = none but this had no effect. This is not really surprising given that the AD team indicated that SUB.DOMAIN.COM was not really a subdomain of DOMAIN.COM but a totally separate domain in itself.

So now I'm wondering if SUB.DOMAIN.COM is not really a subdomain, what can I do to handle this case?

REF:
       subdomains_provider (string)
           The provider which should handle fetching of subdomains. This value should be always the same as id_provider. Supported subdomain providers are:

           "ipa" to load a list of subdomains from an IPA server. See sssd-ipa(5) for more information on configuring IPA.

           "ad" to load a list of subdomains from an Active Directory server. See sssd-ad(5) for more information on configuring the AD provider.

           "none" disallows fetching subdomains explicitly.

           Default: The value of "id_provider" is used if it is set.


--
Cheers,
Tom K.
-------------------------------------------------------------------------------------

Living on earth is expensive, but it includes a free trip around the sun.
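
Added example, not part of the original thread or of SSSD: a small check for the condition described above, where the same user name or the same UID appears in more than one domain and a lookup returns two entries. The input format (passwd-style lines prefixed with the domain) and all user names and UIDs are constructed assumptions; only the domain names are taken from the thread.

```python
from collections import defaultdict

# Constructed sample data: passwd-style lines, each prefixed with the
# domain the entry came from. Names and UIDs are made up for illustration.
SAMPLE = """\
DOMAIN.COM:jdoe:*:10001:10001:John Doe:/home/jdoe:/bin/bash
DOMAIN.COM:asmith:*:10002:10002:Ann Smith:/home/asmith:/bin/bash
SUB.DOMAIN.COM:jdoe:*:20001:20001:John Doe:/home/jdoe:/bin/bash
SUB.DOMAIN.COM:bwong:*:10002:20002:Bo Wong:/home/bwong:/bin/bash
SUB.DOMAIN.COM:clee:*:20003:20003:Chris Lee:/home/clee:/bin/bash
"""

def parse(text):
    """Yield (domain, name, uid) from 'domain:name:pw:uid:gid:...' lines."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 5 or not fields[3].isdigit():
            raise ValueError(f"line {lineno}: malformed entry")
        # Names are compared case-insensitively (an assumption of this check).
        yield fields[0], fields[1].lower(), int(fields[3])

def find_collisions(text):
    """Return (names, uids) that map to more than one distinct account."""
    by_name, by_uid = defaultdict(set), defaultdict(set)
    for domain, name, uid in parse(text):
        by_name[name].add((domain, uid))
        by_uid[uid].add((domain, name))
    return (
        {n: sorted(v) for n, v in by_name.items() if len(v) > 1},
        {u: sorted(v) for u, v in by_uid.items() if len(v) > 1},
    )

if __name__ == "__main__":
    names, uids = find_collisions(SAMPLE)
    for name, hits in names.items():
        print(f"duplicate name {name!r}: {hits}")
    for uid, hits in uids.items():
        print(f"duplicate UID {uid}: {hits}")
```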