On Thu, Aug 08, 2019 at 02:31:32PM -0400, Josh Snyder wrote:
> On Thu, Aug 8, 2019 at 2:05 PM Sumit Bose <[email protected]> wrote:
>
> > On Thu, Aug 08, 2019 at 01:25:08PM -0400, Josh Snyder wrote:
> > > Hi All,
> > >
> > > I'm working in a proof of concept for a customer where I've been asked to
> > > join the child domain of a Microsoft Active Directory domain,
> > > child.example.com. Users will primarily exist in the parent, example.com,
> > > but some users will also exist in the child. The application requires that
> > > all users have a specific primary GID, 1100, which is defined in /etc/group
> > > and I'm attempting to apply via override_gid.
> > >
> > > User authentication via either the child or parent is successful, however,
> > > the override_gid is only applied to users of the child, @child.example.com
> > > and NOT for users of the parent, @example.com.
> > >
> > > I saw what looked to be a similar post to this list from Sep 2018. It was
> > > suggested this may be a bug. I didn't see a follow-up/resolution to that
> > > thread. Is this issue being tracked or has it been resolved?
> >
> > Hi,
> >
> > in contrast to other options the override_gid option is not
> > automatically inherited to sub-domains (from the SSSD point of view). I
> > think this is better than the other way round because the given GID
> > might make sense in one domain but not in the other.
> >
> > The version of SSSD you are using allows to set options for sub-domains
> > individually. Please try to add:
> >
> >
> > [domain/child.example.com/example.com]
> > override_gid = 1100
> >
> > to sssd.conf. This works for many options but I have not tested
> > override_gid yet. So please let me know if this works or not.
> >
>
> Thanks for the suggestion, unfortunately, I have tried to define an
> override_gid that's in a specific domain declaration as your above example,
> but it does not appear to have an impact.
>
> I tested scenarios where I had a host joined directly to the parent, but
> override_gid was not applied for the child. Likewise, I tested a scenario
> where my host is joined directly to the child, but override_gid is not
> applied for the parent.
>
> The override_gid seems to only be applied for users that are specifically
> authenticated against the directly joined domain and not applied for any
> trusted domains. And additional [domain] declarations containing
> override_gid do not appear to be applied.

Yes, unfortunately code-wise we have two ways of reading configuration
options, one where the option is directly read from the domain's
configuration database for a domain and then another one mostly used for
provider-specific options (think ad_server, ldap_uri, ...). Only the latter
group of options is inherited unfortunately.

_______________________________________________
sssd-users mailing list -- [email protected]
