On Thu, Aug 8, 2019 at 2:05 PM Sumit Bose <[email protected]> wrote:

> On Thu, Aug 08, 2019 at 01:25:08PM -0400, Josh Snyder wrote:
> > Hi All,
> >
> > I'm working in a proof of concept for a customer where I've been asked to
> > join the child domain of a Microsoft Active Directory domain,
> > child.example.com. Users will primarily exist in the parent, example.com,
> > but some users will also exist in the child. The application requires that
> > all users have a specific primary GID, 1100, which is defined in /etc/group
> > and I'm attempting to apply via override_gid.
> >
> > User authentication via either the child or parent is successful, however,
> > the override_gid is only applied to users of the child, @child.example.com
> > and NOT for users of the parent, @example.com.
> >
> > I saw what looked to be a similar post to this list from Sep 2018. It was
> > suggested this may be a bug. I didn't see a follow-up/resolution to that
> > thread. Is this issue being tracked or has it been resolved?
>
> Hi,
>
> in contrast to other options the override_gid option is not
> automatically inherited to sub-domains (from the SSSD point of view). I
> think this is better than the other way round because the given GID
> might make sense in one domain but not in the other.
>
> The version of SSSD you are using allows to set options for sub-domains
> individually. Please try to add:
>
>
> [domain/child.example.com/example.com]
> override_gid = 1100
>
> to sssd.conf. This works for many options but I have not tested
> override_gid yet. So please let me know if this works or not.
>

Thanks for the suggestion, unfortunately, I have tried to define an override_gid that's in a specific domain declaration as your above example, but it does not appear to have an impact.

I tested scenarios where I had a host joined directly to the parent, but override_gid was not applied for the child. Likewise, I tested a scenario where my host is joined directly to the child, but override_gid is not applied for the parent. The override_gid seems to only be applied for users that are specifically authenticated against the directly joined domain and not applied for any trusted domains. And additional [domain] declarations containing override_gid do not appear to be applied.

HTH

>
> bye,
> Sumit
>
> >
> > Below is my sssd.conf:
> >
> > [root@linux2 sssd]# cat sssd.conf
> >
> > [sssd]
> > domains = child.example.com
> > config_file_version = 2
> > services = nss, pam
> > default_domain_suffix = EXAMPLE.COM
> >
> > [domain/child.example.com]
> > ad_domain = child.example.com
> > krb5_realm = CHILD.EXAMPLE.COM
> > realmd_tags = manages-system joined-with-samba
> > cache_credentials = True
> > id_provider = ad
> > krb5_store_password_if_offline = True
> > default_shell = /bin/bash
> > ldap_id_mapping = True
> > use_fully_qualified_names = True
> > fallback_homedir = /home/%u@%d
> > access_provider = ad
> > ad_access_filter = FOREST:example.com:(memberOf:1.2.840.113556.1.4.1941:=CN=LinuxUsers,ou=Groups,dc=child,dc=example,dc=com)
> >
> > auth_provider = ad
> > chpass_provider = ad
> > ldap_schema = ad
> >
> > override_gid = 1100
> >
> > CentOS Version:
> >
> > [root@linux2 sssd]# cat /etc/redhat-release
> > CentOS Linux release 7.5.1804 (Core)
> >
> > SSSD Component Versions:
> >
> > [root@linux2 sssd]# rpm -qa |grep sssd
> > sssd-common-pac-1.16.2-13.el7_6.8.x86_64
> > sssd-ldap-1.16.2-13.el7_6.8.x86_64
> > python-sssdconfig-1.16.2-13.el7_6.8.noarch
> > sssd-client-1.16.2-13.el7_6.8.x86_64
> > sssd-krb5-common-1.16.2-13.el7_6.8.x86_64
> > sssd-ipa-1.16.2-13.el7_6.8.x86_64
> > sssd-krb5-1.16.2-13.el7_6.8.x86_64
> > sssd-dbus-1.16.2-13.el7_6.8.x86_64
> > sssd-proxy-1.16.2-13.el7_6.8.x86_64
> > sssd-tools-1.16.2-13.el7_6.8.x86_64
> > sssd-common-1.16.2-13.el7_6.8.x86_64
> > sssd-ad-1.16.2-13.el7_6.8.x86_64
> > sssd-1.16.2-13.el7_6.8.x86_64
> >
> >
> > Thanks,
> > -Josh
>
> > _______________________________________________
> > sssd-users mailing list -- [email protected]
> > To unsubscribe send an email to [email protected]
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
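Added example, not part of the thread and not SSSD code: a small check that compares the override_gid set in each `[domain/...]` section of an sssd.conf with the primary GID that `getent passwd` actually reports, grouped by domain, which is the symptom described above. The function names, the sample config (trimmed from the posted one, plus the suggested trusted-domain section) and the passwd lines with their UIDs/GIDs are constructed for illustration; it assumes fully qualified user names as in the posted configuration.

```python
import configparser
from collections import defaultdict

# Constructed sample: trimmed from the sssd.conf posted in the thread, plus the
# trusted-domain section suggested in the reply.
SAMPLE_CONF = """
[domain/child.example.com]
id_provider = ad
fallback_homedir = /home/%u@%d
override_gid = 1100

[domain/child.example.com/example.com]
override_gid = 1100
"""

# Constructed `getent passwd` lines (UIDs/GIDs invented) showing the reported symptom.
SAMPLE_PASSWD = [
    "alice@child.example.com:*:1234001105:1100:Alice:/home/alice@child.example.com:/bin/bash",
    "bob@example.com:*:1876000513:1876000513:Bob:/home/bob@example.com:/bin/bash",
]

def configured_override_gids(conf_text):
    """Map each domain to the override_gid set in its own section, if any."""
    # interpolation=None: values such as /home/%u@%d are not configparser templates.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(conf_text)
    result = {}
    for section in cp.sections():
        parts = section.split("/")
        if parts[0] != "domain":
            continue
        # [domain/<joined>] or [domain/<joined>/<trusted>]: the last part names the domain.
        gid = cp.get(section, "override_gid", fallback=None)
        result[parts[-1].lower()] = int(gid) if gid is not None else None
    return result

def unapplied_overrides(conf_text, passwd_lines):
    """Return {domain: [(user, actual_gid, wanted_gid)]} where the override did not take effect."""
    wanted = configured_override_gids(conf_text)
    problems = defaultdict(list)
    for line in passwd_lines:
        fields = line.split(":")
        name, gid = fields[0], int(fields[3])
        domain = name.rpartition("@")[2].lower()
        want = wanted.get(domain)
        if want is not None and gid != want:
            problems[domain].append((name, gid, want))
    return dict(problems)

if __name__ == "__main__":
    print(unapplied_overrides(SAMPLE_CONF, SAMPLE_PASSWD))
```

On a live host the passwd lines would come from `getent passwd <user>@<domain>` for one user per domain; the check only reports the mismatch and does not change what SSSD applies.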
