On Tue, Oct 24, 2017 at 12:28:53PM -0000, rdrat...@yahoo.co.uk wrote:
> Hi Sumit,
>
> understood. The configuration seems to be correct.
>
> > This is to make sure that UIDs and GIDs are consistent
> > for Samba components which might ask winbind directly for IDs and other
> > applications which will use the system's nss interfaces.
>
> This is exactly the reason, why I want winbind to use the idmap_sss backend.
>
> I have seen that the mapping is cached by at least three caches (winbind:
> gencache, winbindd_cache; sssd: sss cache). Are there any timeout
> recommendations for sssd and winbindd caches for the mapping to work properly?

If you start with empty caches on the winbind side the results should stay the same because changes in the mapping should be very rare. Please note that by default 'idmap cache time' is 1 week because of the rare changes, see man smb.conf for more details.

>
> Also, is there an easy way to log sss_idmap backend interworking with winbind?

Not an easy way, but SSSD will add log messages like:

(Tue Oct 24 13:41:22 2017) [sssd[nss]] [get_client_cred] (0x4000): Client creds: euid[1000] egid[1000] pid[1234].

if debug_level=9. With the help of the pid you can identify which request comes from winbind.

>
> I had the following wrong entry in the caches for a long time (with several
> reboots, restarts of winbindd and sssd):
>
> wbind -i rdratlos (from winbindd with sss_idmap)
> rdratlos:*:10000:10006:Thomas Xyz:/home/MYDOMAIN/rdratlos:/bin/false
>
> getent passwd rdratlos (from sssd)
> rdrat...@mydomain.com:*:1000:513:Thomas Xyz:/home/MYDOMAIN/rdratlos:/bin/bash
>
> Only a combination of
> sss_cache -E

I would expect that the above one is not needed because 'getent passwd rdratlos' already returned the expected results.

bye,
Sumit

> net cache flush
> systemctl restart winbindd
> seemed to have fixed this to:
>
> wbind -i rdratlos (from winbindd with sss_idmap)
> rdratlos:*:1000:513:Thomas Xyz:/home/MYDOMAIN/rdratlos:/bin/false
>
> Best regards
>
> Thomas
>
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
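The pid-matching approach described in the reply, as an added example that is not part of the original message or of SSSD itself: it parses `get_client_cred` lines in the format quoted above and keeps the requests whose pid belongs to winbindd. The sample log lines other than the quoted one, the pid 2210, and the function names are constructed for illustration; on a real host the pid set would come from something like `pidof winbindd`.

```python
import re
from collections import Counter

# Line format follows the get_client_cred message quoted in the reply
# (written by the SSSD nss responder at debug_level=9).
CLIENT_CRED = re.compile(
    r"^\((?P<ts>[^)]+)\)\s+\[sssd\[nss\]\]\s+\[get_client_cred\]\s+"
    r"\(0x[0-9a-fA-F]+\):\s+Client creds: "
    r"euid\[(?P<euid>\d+)\] egid\[(?P<egid>\d+)\] pid\[(?P<pid>\d+)\]"
)

def client_requests(lines):
    """Yield (timestamp, euid, egid, pid) for every client connection logged."""
    for line in lines:
        m = CLIENT_CRED.match(line.strip())
        if m:
            yield m["ts"], int(m["euid"]), int(m["egid"]), int(m["pid"])

def requests_from(lines, pids):
    """Return only the connections opened by one of the given pids."""
    wanted = set(pids)
    return [r for r in client_requests(lines) if r[3] in wanted]

def connections_per_pid(lines):
    """Count connections per client pid, to see who talks to the responder."""
    return Counter(r[3] for r in client_requests(lines))

# Constructed sample: the first line is the one quoted in the reply,
# the rest are made up. pid 2210 stands in for a winbindd process.
SAMPLE_LOG = [
    "(Tue Oct 24 13:41:22 2017) [sssd[nss]] [get_client_cred] (0x4000): "
    "Client creds: euid[1000] egid[1000] pid[1234].",
    "(Tue Oct 24 13:41:25 2017) [sssd[nss]] [get_client_cred] (0x4000): "
    "Client creds: euid[0] egid[0] pid[2210].",
    "(Tue Oct 24 13:41:25 2017) [sssd[nss]] [some_other_function] (0x0400): "
    "unrelated debug output",
    "(Tue Oct 24 13:42:01 2017) [sssd[nss]] [get_client_cred] (0x4000): "
    "Client creds: euid[0] egid[0] pid[2210].",
]

WINBINDD_PIDS = {2210}  # assumption: collected beforehand, e.g. via pidof

if __name__ == "__main__":
    for ts, euid, egid, pid in requests_from(SAMPLE_LOG, WINBINDD_PIDS):
        print(f"{ts}: winbindd pid {pid} (euid {euid}, egid {egid}) connected")
```

The timestamps of the matching lines then mark where in the nss responder log to read on for the lookups winbind triggered through idmap_sss.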