Hello again :-)

After finding other directives that seemed to display the same behavior in
my environment, I parsed the logs more closely, and it appears to me that the
order of processing/logging directives is from the perspective of the
joined domain first. In this case the child domain appears to take the
configured directive and the parent is left at the default. Oddly, the
parent domain is also referred to as a subdomain in the log.

My setup again:

parent domain: dvc.darkvixen.com (DC darkvixen161win.dvc.darkvixen.com)
child domain: lab.dvc.darkvixen.com (DC darkvixen164win.lab.dvc.darkvixen.com)

The relevant log entries:

[sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option
ldap_idmap_range_min has value 200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option
ldap_idmap_range_max has value 2000200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option
ldap_idmap_range_size has value 200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option
ldap_idmap_helper_table_size has value 20

[sssd[be[lab.dvc.darkvixen.com]]] [ad_get_dc_servers_send] (0x0400):
Looking up domain controllers in domain lab.dvc.darkvixen.com and site
DarkVixenCorp
[sssd[be[lab.dvc.darkvixen.com]]] [fo_add_server_to_list] (0x0400):
Inserted primary server 'darkvixen164win.lab.dvc.darkvixen.com:389' to
service 'AD'

[sssd[be[lab.dvc.darkvixen.com]]] [new_subdomain] (0x0400): Creating [
dvc.darkvixen.com] as subdomain of [lab.dvc.darkvixen.com]!
[sssd[be[lab.dvc.darkvixen.com]]] [sdap_domain_subdom_add] (0x0400):
subdomain dvc.darkvixen.com is a new one, will create a new sdap domain
object

[sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option
ldap_idmap_range_min has value 200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option
ldap_idmap_range_max has value 2000200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option
ldap_idmap_range_size has value 200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option
ldap_idmap_helper_table_size has value 10


[sssd[be[lab.dvc.darkvixen.com]]] [ad_get_dc_servers_send] (0x0400):
Looking up domain controllers in domain dvc.darkvixen.com and site
DarkVixenCorp
[sssd[be[lab.dvc.darkvixen.com]]] [fo_add_server_to_list] (0x0400):
Inserted primary server 'darkvixen161win.dvc.darkvixen.com:389' to service '
dvc.darkvixen.com'

So, my questions now are:

Do I understand this correctly?
Is the logging working as intended?
Is there a way to expose the runtime configuration of the SSSD, including
default configuration directive values (similar to /usr/sbin/sshd -T)?

Many thanks,


-- lawrence

On Wed, Aug 29, 2018 at 7:50 AM Lawrence Kearney <[email protected]>
wrote:

>
> Using the SSSD (v1.13.4-34.7.1) joined to a child domain, the modified
> "ldap_idmap_helper_table_size" directive value in the host sssd.conf is set
> at the parent domain instead of the child domain, which remains at the
> default of 10 (the child domain is not a domain tree).
>
> Forest: dvc.darkvixen.com
> Parent domain: dvc.darkvixen.com (parent non-dedicated forest root domain)
> Child domain: lab.dvc.darkvixen.com
>
> My understanding is that no "subdomain_provider" directive is needed for
> this configuration, and the "subdomain_inherit" directive does not support
> the inheritance of the "ldap_idmap_helper_table_size" directive.
>
> The sanitized sssd.conf:
>
> [sssd]
> config_file_version = 2
> services = nss,pam,pac
> domains = lab.dvc.darkvixen.com
>
> [nss]
> filter_users = root
> filter_groups = root
>
> [pam]
>
> [pac]
>
> [domain/lab.dvc.darkvixen.com]
> id_provider = ad
> access_provider = ad
>
> enumerate = false
> cache_credentials = true
>
> ldap_idmap_helper_table_size = 20
>
> ad_site = DarkVixenCorp
> ad_hostname = darkvixen200.lab.dvc.darkvixen.com
>
> ad_access_filter = DOM:LAB.DVC.DARKVIXEN.COM:(memberOf=CN=DARKVIXEN200_G,OU=LDAP,OU=SVS,DC=lab,DC=dvc,DC=darkvixen,DC=com)
>
>
> From the domain log:
>
> [dp_get_options] (0x0400): Option ldap_idmap_helper_table_size has value 20
> [sssd[be[lab.dvc.darkvixen.com]]] [sdap_idmap_add_domain] (0x1000):
> Adding domain [S-1-5-21-623326418-92578587-4020003380] as slice [8636]
> [sssd[be[lab.dvc.darkvixen.com]]] [sysdb_idmap_store_mapping] (0x0100):
> Adding new ID mapping [dvc.darkvixen.com
> ][S-1-5-21-623326418-92578587-4020003380][8636]
>
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option
> ldap_idmap_helper_table_size has value 10
> [sssd[be[lab.dvc.darkvixen.com]]] [sdap_idmap_add_domain] (0x1000):
> Adding domain [S-1-5-21-1157061662-2021606532-2751616909] as slice [4675]
> [sysdb_idmap_store_mapping] (0x0100): Adding new ID mapping [
> lab.dvc.darkvixen.com][S-1-5-21-1157061662-2021606532-2751616909][4675]
>
> From the relevant DC:
>
> ~# Get-ADForest
>
> ApplicationPartitions :
> {DC=DomainDnsZones,DC=lab,DC=dvc,DC=darkvixen,DC=com,
>                         DC=ForestDnsZones,DC=dvc,DC=darkvixen,DC=com,
> DC=DomainDnsZones,DC=dvc,DC=darkvixen,DC=com}
> CrossForestReferences : {}
> DomainNamingMaster    : DARKVIXEN161WIN.dvc.darkvixen.com
> Domains               : {dvc.darkvixen.com, lab.dvc.darkvixen.com}
> ForestMode            : Windows2012R2Forest
> GlobalCatalogs        : {DARKVIXEN161WIN.dvc.darkvixen.com,
> DARKVIXEN164WIN.lab.dvc.darkvixen.com}
> Name                  : dvc.darkvixen.com
> PartitionsContainer   :
> CN=Partitions,CN=Configuration,DC=dvc,DC=darkvixen,DC=com
> RootDomain            : dvc.darkvixen.com
> SchemaMaster          : DARKVIXEN161WIN.dvc.darkvixen.com
> Sites                 : {DarkVixenCorp}
> SPNSuffixes           : {}
> UPNSuffixes           : {}
>
>
> Is this a bug fixed with later daemons or is there additional
> configuration required ?
>
>
> Many thanks,
>
>
> -- lawrence
>
>

-- 
Lawrence Kearney

e: [email protected]
t: +001 706.951.6257
w: www.lawrencekearney.com
l: www.linkedin.com/in/lawrencekearney
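The log walk in the message above, as an added example that is not part of the original post or of sssd itself: a small Python parser that reads backend debug lines like the ones quoted, attributes dp_get_options values to the joined domain (the be[...] name) and dp_copy_options_ex values to the subdomain announced by the preceding new_subdomain line, and flags any ldap_idmap_* option whose value differs between the two sdap domain objects. The attribution rule is an assumption taken from the order of the quoted log, not from sssd source; the sample log is the message's own lines, re-joined onto single lines.

```python
"""Parse sssd domain-provider debug log lines and report, per domain,
which value each ldap_idmap_* option ended up with.

Added example, not part of the sssd project or the original post.
Assumption (from the log sequence in the message, not from sssd source):
  - 'dp_get_options' lines report the joined domain's (be[...]) values;
  - 'dp_copy_options_ex' lines that follow a 'new_subdomain' line report the
    values given to that newly created subdomain.
"""
import re
from collections import defaultdict

# Log lines from the posted message, re-joined onto single lines (the mail
# client wrapped them). Debug level 0x0400 is what the post shows.
SAMPLE_LOG = """\
[sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_min has value 200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_max has value 2000200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_size has value 200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option ldap_idmap_helper_table_size has value 20
[sssd[be[lab.dvc.darkvixen.com]]] [new_subdomain] (0x0400): Creating [ dvc.darkvixen.com] as subdomain of [lab.dvc.darkvixen.com]!
[sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_range_min has value 200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_range_max has value 2000200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_range_size has value 200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_helper_table_size has value 10
"""

LINE_RE = re.compile(
    r"^\[sssd\[be\[(?P<be>[^\]]+)\]\]\] \[(?P<func>\w+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
OPTION_RE = re.compile(r"^Option (?P<name>\S+) has value (?P<value>\S+)$")
SUBDOM_RE = re.compile(
    r"^Creating \[\s*(?P<sub>[^\]]+?)\s*\] as subdomain of \[\s*(?P<parent>[^\]]+?)\s*\]!$"
)


def parse_idmap_options(log_text, prefix="ldap_idmap_"):
    """Return {domain: {option: value}} for options whose name starts with `prefix`."""
    per_domain = defaultdict(dict)
    current_subdomain = None  # target announced by the most recent new_subdomain line
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a backend debug line in the expected shape
        be, func, msg = m.group("be"), m.group("func"), m.group("msg")
        if func == "new_subdomain":
            s = SUBDOM_RE.match(msg)
            if s:
                current_subdomain = s.group("sub")
            continue
        o = OPTION_RE.match(msg)
        if not o or not o.group("name").startswith(prefix):
            continue
        if func == "dp_get_options":
            target = be  # values read for the joined domain itself
        elif func == "dp_copy_options_ex" and current_subdomain:
            target = current_subdomain  # values copied for the new subdomain
        else:
            continue  # a copy before any subdomain was announced cannot be attributed
        per_domain[target][o.group("name")] = o.group("value")
    return dict(per_domain)


def diverging_options(per_domain):
    """Options whose value is not identical across every parsed domain."""
    names = set()
    for opts in per_domain.values():
        names.update(opts)
    diverging = {}
    for name in sorted(names):
        values = {dom: opts.get(name) for dom, opts in per_domain.items()}
        if len(set(values.values())) > 1:
            diverging[name] = values
    return diverging


if __name__ == "__main__":
    parsed = parse_idmap_options(SAMPLE_LOG)
    for dom, opts in parsed.items():
        print(dom)
        for name, value in opts.items():
            print(f"  {name} = {value}")
    for name, values in diverging_options(parsed).items():
        print(f"DIVERGES: {name}: {values}")
```

On the quoted log this reports a single divergence, ldap_idmap_helper_table_size (20 for lab.dvc.darkvixen.com, 10 for dvc.darkvixen.com), while the three range options agree. Feed it the domain log from /var/log/sssd/ captured with a debug_level that includes 0x0400 to check the same thing on a live host.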
_______________________________________________
sssd-users mailing list -- [email protected]
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]