On Thu, Aug 30, 2018 at 05:57:07AM -0400, Lawrence Kearney wrote:
> Hello again :-)
>
> After finding other directives that seemed to display the same behavior in
> my environment I parsed the logs more closely and it appears to me that the
> order of processing/logging directives is from the perspective of the
> joined domain first. In this case the child domain appears to take the
> configured directive and the parent is left at the default. Oddly, the
> parent domain is also referred to as a subdomain in the log.
>
> My setup again:
>
> parent domain: dvc.darkvixen.com (DC darkvixen161win.dvc.darkvixen.com)
> child domain: lab.dvc.darkvixen.com (DC darkvixen164win.lab.dvc.darkvixen.com)
>
> The relevant log entries:
>
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_min has value 200000
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_max has value 2000200000
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_size has value 200000
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option ldap_idmap_helper_table_size has value 20
>
> [sssd[be[lab.dvc.darkvixen.com]]] [ad_get_dc_servers_send] (0x0400): Looking up domain controllers in domain lab.dvc.darkvixen.com and site DarkVixenCorp
> [sssd[be[lab.dvc.darkvixen.com]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'darkvixen164win.lab.dvc.darkvixen.com:389' to service 'AD'
>
> [sssd[be[lab.dvc.darkvixen.com]]] [new_subdomain] (0x0400): Creating [dvc.darkvixen.com] as subdomain of [lab.dvc.darkvixen.com]!
> [sssd[be[lab.dvc.darkvixen.com]]] [sdap_domain_subdom_add] (0x0400): subdomain dvc.darkvixen.com is a new one, will create a new sdap domain object
>
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_range_min has value 200000
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_range_max has value 2000200000
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_range_size has value 200000
> [sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_helper_table_size has value 10
>
> [sssd[be[lab.dvc.darkvixen.com]]] [ad_get_dc_servers_send] (0x0400): Looking up domain controllers in domain dvc.darkvixen.com and site DarkVixenCorp
> [sssd[be[lab.dvc.darkvixen.com]]] [fo_add_server_to_list] (0x0400): Inserted primary server 'darkvixen161win.dvc.darkvixen.com:389' to service 'dvc.darkvixen.com'
>
> So, my questions now are:
>
> Do I understand this correctly?

I think yes. For SSSD the domain you are joined to is the most important
one, all others are sub-domains.

> Is the logging working as intended?

Yes, but I agree it is a bit irritating. Although the idmap options for
sub-domains are shown, only the ones of the joined domain are of importance.
All domains use the same id-mapping settings, the ones from the joined
domain. Otherwise it would be hard to avoid id collisions.

> Is there a way to expose the runtime configuration of the SSSD, including
> default configuration directive values (similar to /usr/sbin/sshd -T)?

Currently not, there is 'sssctl config-check' but this does not display
values or defaults. There is https://pagure.io/SSSD/sssd/issue/3157 to show
values from the config file. You might want to add a comment about showing
the default values for all other options as well or open a new ticket for
this.

bye,
Sumit

>
> Many thanks,
>
>
> -- lawrence
>
> On Wed, Aug 29, 2018 at 7:50 AM Lawrence Kearney <[email protected]> wrote:
> >
> > Using the SSSD (v1.13.4-34.7.1) joined to a child domain, the modified
> > "ldap_idmap_helper_table_size" directive value in the host sssd.conf is set
> > at the parent domain instead of the child domain, which remains at the
> > default of 10 (the child domain is not a domain tree).
> >
> > Forest: dvc.darkvixen.com
> > Parent domain: dvc.darkvixen.com (parent non-dedicated forest root domain)
> > Child domain: lab.dvc.darkvixen.com
> >
> > My understanding is that no "subdomain_provider" directive is needed for
> > this configuration, and the "subdomain_inherit" directive does not support
> > the inheritance of the "ldap_idmap_helper_table_size" directive.
> >
> > The sanitized sssd.conf:
> >
> > [sssd]
> > config_file_version = 2
> > services = nss,pam,pac
> > domains = lab.dvc.darkvixen.com
> >
> > [nss]
> > filter_users = root
> > filter_groups = root
> >
> > [pam]
> >
> > [pac]
> >
> > [domain/lab.dvc.darkvixen.com]
> > id_provider = ad
> > access_provider = ad
> >
> > enumerate = false
> > cache_credentials = true
> >
> > ldap_idmap_helper_table_size = 20
> >
> > ad_site = DarkVixenCorp
> > ad_hostname = darkvixen200.lab.dvc.darkvixen.com
> >
> > ad_access_filter = DOM:LAB.DVC.DARKVIXEN.COM:(memberOf=CN=DARKVIXEN200_G,OU=LDAP,OU=SVS,DC=lab,DC=dvc,DC=darkvixen,DC=com)
> >
> >
> > From the domain log:
> >
> > [dp_get_options] (0x0400): Option ldap_idmap_helper_table_size has value 20
> > [sssd[be[lab.dvc.darkvixen.com]]] [sdap_idmap_add_domain] (0x1000): Adding domain [S-1-5-21-623326418-92578587-4020003380] as slice [8636]
> > [sssd[be[lab.dvc.darkvixen.com]]] [sysdb_idmap_store_mapping] (0x0100): Adding new ID mapping [dvc.darkvixen.com][S-1-5-21-623326418-92578587-4020003380][8636]
> >
> > [sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_helper_table_size has value 10
> > [sssd[be[lab.dvc.darkvixen.com]]] [sdap_idmap_add_domain] (0x1000): Adding domain [S-1-5-21-1157061662-2021606532-2751616909] as slice [4675]
> > [sysdb_idmap_store_mapping] (0x0100): Adding new ID mapping [lab.dvc.darkvixen.com][S-1-5-21-1157061662-2021606532-2751616909][4675]
> >
> > From the relevant DC:
> >
> > ~# Get-ADForest
> >
> > ApplicationPartitions : {DC=DomainDnsZones,DC=lab,DC=dvc,DC=darkvixen,DC=com,
> >                          DC=ForestDnsZones,DC=dvc,DC=darkvixen,DC=com,
> >                          DC=DomainDnsZones,DC=dvc,DC=darkvixen,DC=com}
> > CrossForestReferences : {}
> > DomainNamingMaster    : DARKVIXEN161WIN.dvc.darkvixen.com
> > Domains               : {dvc.darkvixen.com, lab.dvc.darkvixen.com}
> > ForestMode            : Windows2012R2Forest
> > GlobalCatalogs        : {DARKVIXEN161WIN.dvc.darkvixen.com,
> >                          DARKVIXEN164WIN.lab.dvc.darkvixen.com}
> > Name                  : dvc.darkvixen.com
> > PartitionsContainer   : CN=Partitions,CN=Configuration,DC=dvc,DC=darkvixen,DC=com
> > RootDomain            : dvc.darkvixen.com
> > SchemaMaster          : DARKVIXEN161WIN.dvc.darkvixen.com
> > Sites                 : {DarkVixenCorp}
> > SPNSuffixes           : {}
> > UPNSuffixes           : {}
> >
> >
> > Is this a bug fixed with later daemons or is there additional
> > configuration required?
> >
> >
> > Many thanks,
> >
> >
> > -- lawrence
> >
>
>
> --
> Lawrence Kearney
>
> e: [email protected]
> t: +001 706.951.6257
> w: www.lawrencekearney.com
> l: www.linkedin.com/in/lawrencekearney
> _______________________________________________
> sssd-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
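Sumit's point that only the joined domain's idmap values are effective, and Lawrence's reading of the dp_get_options / dp_copy_options_ex lines, as an added example that is not from the thread or from SSSD itself: a small parser that attributes each logged option to the joined domain or to the sub-domain it was copied for, then lists where the copied values differ from the effective ones. The function names are mine; the log lines are the ones quoted above and the line format is assumed to be as shown there.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the domain-log lines quoted in the thread.
SAMPLE_LOG = """\
[sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option ldap_idmap_range_size has value 200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_get_options] (0x0400): Option ldap_idmap_helper_table_size has value 20
[sssd[be[lab.dvc.darkvixen.com]]] [new_subdomain] (0x0400): Creating [dvc.darkvixen.com] as subdomain of [lab.dvc.darkvixen.com]!
[sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_range_size has value 200000
[sssd[be[lab.dvc.darkvixen.com]]] [dp_copy_options_ex] (0x0400): Option ldap_idmap_helper_table_size has value 10
"""

# Line shape assumed from the quoted log: [sssd[be[<domain>]]] [<function>] (<level>): <message>
BE_RE = re.compile(r"\[sssd\[be\[([^\]]+)\]\]\] \[(\w+)\] \([0-9a-fx]+\): (.*)$")
OPT_RE = re.compile(r"Option (ldap_idmap_\w+) has value (\S+)")
SUBDOM_RE = re.compile(r"Creating \[\s*([^\]\s]+)\s*\] as subdomain of \[\s*([^\]\s]+)\s*\]")

def parse_idmap_options(log_text):
    # Returns (joined_domain, {domain: {option: value}}). dp_get_options lines
    # belong to the joined domain (the be[...] name); dp_copy_options_ex lines
    # belong to whichever sub-domain the most recent new_subdomain line created.
    joined, current, options = None, None, defaultdict(dict)
    for m in filter(None, map(BE_RE.match, log_text.splitlines())):
        be_domain, func, msg = m.groups()
        joined = joined or be_domain  # first back-end name seen is the joined domain
        if func == "new_subdomain" and (sub := SUBDOM_RE.search(msg)):
            current = sub.group(1)
        elif func in ("dp_get_options", "dp_copy_options_ex") and (opt := OPT_RE.search(msg)):
            target = be_domain if func == "dp_get_options" else current
            if target:
                options[target][opt.group(1)] = opt.group(2)
    return joined, dict(options)

def subdomain_mismatches(joined, options):
    # Copied sub-domain values that differ from the joined domain's. Per the
    # reply above, the joined domain's values apply everywhere, so these are
    # log noise rather than a functional difference.
    effective = options.get(joined, {})
    return [(dom, name, effective[name], val)
            for dom, opts in options.items() if dom != joined
            for name, val in opts.items()
            if name in effective and effective[name] != val]

if __name__ == "__main__":
    joined, opts = parse_idmap_options(SAMPLE_LOG)
    print("effective (joined-domain) idmap options:", opts[joined])
    for dom, name, eff, copied in subdomain_mismatches(joined, opts):
        print(f"{dom}: {name} logged as {copied}, effective value is {eff}")
```

Point it at a real domain log by reading the file into `parse_idmap_options` instead of `SAMPLE_LOG`; anything it lists under a sub-domain name is the default-valued copy Lawrence observed, not the value in force.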
