All, I have sssd working fine for my AD regional child domains (all have a transitive trust). It can find users & (universal) groups from all AD domains.
For instance, a server in amer.company.com will auto-discover non-local child domains apac.company.com and emea.company.com. I have this:

    [sssd]
    domains = amer.company.com
    domain_resolution_order = amer.company.com, emea.company.com, apac.company.com, japn.company.com, company.com
    services = nss,pam,ifp,autofs
    ….

    [domain/amer.company.com]
    autofs_provider = ad
    ldap_autofs_search_base = ou=automount,ou=UNIX,dc=AMER,dc=COMPANY,dc=COM
    …

    [domain/amer.company.com/emea.company.com]
    ...

In AMER, automount works great. It can find the automount maps no problem with the ldap_autofs_search_base above (all our automount maps are housed in the amer AD domain).

However, we’re looking closely at an EMEA server and we realize it doesn’t find the automount maps out of AD. In the sssd_autofs.log file, we notice it was looking for unqualified “auto.master”, so it converted that to [email protected]. Whereas on an amer server, it converted that unqualified name to [email protected]. This gave us the idea to change /etc/auto.master from this line:

    +auto.master

to this line:

    [email protected]

This seems to do better.
From the sssd_autofs.log file:

    (2021-05-11 20:51:25): [autofs] [sss_autofs_cmd_setautomntent] (0x0400): Obtaining autofs map [email protected]
    (2021-05-11 20:51:25): [autofs] [cache_req_set_plugin] (0x2000): CR #0: Setting "Get autofs map" plugin
    (2021-05-11 20:51:25): [autofs] [cache_req_send] (0x0400): CR #0: New request 'Get autofs map'
    (2021-05-11 20:51:25): [autofs] [cache_req_process_input] (0x0400): CR #0: Parsing input name [[email protected]]
    (2021-05-11 20:51:25): [autofs] [sss_domain_get_state] (0x1000): Domain emea.company.com is Active
    (2021-05-11 20:51:25): [autofs] [sss_domain_get_state] (0x1000): Domain company.com is Active
    (2021-05-11 20:51:25): [autofs] [sss_domain_get_state] (0x1000): Domain japn.company.com is Active
    (2021-05-11 20:51:25): [autofs] [sss_domain_get_state] (0x1000): Domain amer.company.com is Active
    (2021-05-11 20:51:25): [autofs] [sss_parse_name_for_domains] (0x0200): name '[email protected]' matched expression for domain ' amer.company.com', user is auto.master
    (2021-05-11 20:51:25): [autofs] [cache_req_set_name] (0x0400): CR #0: Setting name [auto.master]
    (2021-05-11 20:51:25): [autofs] [cache_req_select_domains] (0x0400): CR #0: Performing a single domain search
    (2021-05-11 20:51:25): [autofs] [sss_domain_get_state] (0x1000): Domain emea.company.com is Active
    (2021-05-11 20:51:25): [autofs] [sss_domain_get_state] (0x1000): Domain amer.company.com is Active
    (2021-05-11 20:51:25): [autofs] [cache_req_search_domains] (0x0400): CR #0: Search will check the cache and check the data provider
    (2021-05-11 20:51:25): [autofs] [cache_req_global_ncache_add] (0x2000): CR #0: This request type does not support global negative cache
    (2021-05-11 20:51:25): [autofs] [cache_req_process_result] (0x0400): CR #0: Finished: Not found
    (2021-05-11 20:51:25): [autofs] [client_recv] (0x0200): Client disconnected!

However, it does not find the child auto.* maps, whereas a server in amer does.
I would rather not have to copy my correct autofs AD structure to each child AD domain. It’s tested and working for over a year in amer. How can I get a non-amer server to see the automount maps? Spike White
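A small diagnostic for exactly the symptom described in this post, added here as an example and not part of the original message or of sssd itself: it groups sssd_autofs.log lines into per-request records, reads which domain sss_parse_name_for_domains routed each map name to, and flags lookups that landed in a domain other than the one that actually holds the automount maps. The log sample is constructed to mirror the excerpt above (the second, unqualified request and the map name auto.home are assumptions).

```python
import re

# Constructed sample modelled on the sssd_autofs.log excerpt in the post:
# a qualified lookup routed to amer.company.com that still misses, and an
# assumed unqualified lookup that sssd routes to the server's own domain,
# emea.company.com. The map name auto.home is illustrative.
SAMPLE_LOG = """\
(2021-05-11 20:51:25): [autofs] [sss_autofs_cmd_setautomntent] (0x0400): Obtaining autofs map auto.master@amer.company.com
(2021-05-11 20:51:25): [autofs] [sss_parse_name_for_domains] (0x0200): name 'auto.master@amer.company.com' matched expression for domain ' amer.company.com', user is auto.master
(2021-05-11 20:51:25): [autofs] [cache_req_select_domains] (0x0400): CR #0: Performing a single domain search
(2021-05-11 20:51:25): [autofs] [cache_req_process_result] (0x0400): CR #0: Finished: Not found
(2021-05-11 20:51:26): [autofs] [sss_autofs_cmd_setautomntent] (0x0400): Obtaining autofs map auto.home
(2021-05-11 20:51:26): [autofs] [sss_parse_name_for_domains] (0x0200): name 'auto.home' matched expression for domain ' emea.company.com', user is auto.home
(2021-05-11 20:51:26): [autofs] [cache_req_process_result] (0x0400): CR #0: Finished: Not found
"""

OBTAIN_RE = re.compile(r"Obtaining autofs map (\S+)")
# sssd prints the domain with a leading space inside the quotes; strip it.
PARSED_RE = re.compile(
    r"name '([^']*)' matched expression for domain '\s*([^']+)', user is (\S+)")
RESULT_RE = re.compile(r"Finished: (.+)$")


def parse_autofs_log(text):
    """Group log lines into per-request records: the name automount asked
    for, the bare map name and domain sssd parsed it into, and the outcome."""
    requests = []
    for line in text.splitlines():
        m = OBTAIN_RE.search(line)
        if m:
            requests.append({"requested": m.group(1), "map": None,
                             "domain": None, "result": None})
            continue
        if not requests:
            continue  # ignore lines before the first request
        m = PARSED_RE.search(line)
        if m:
            requests[-1]["map"] = m.group(3)
            requests[-1]["domain"] = m.group(2).strip()
            continue
        m = RESULT_RE.search(line)
        if m:
            requests[-1]["result"] = m.group(1).strip()
    return requests


def misrouted_lookups(requests, map_domain):
    """Return (requested name, routed domain) for every lookup that sssd sent
    to a domain other than the one holding the automount maps."""
    return [(r["requested"], r["domain"]) for r in requests
            if r["domain"] and r["domain"] != map_domain]
```

Run it over a real sssd_autofs.log with debug_level high enough to emit the sss_parse_name_for_domains lines; an unqualified map name showing up under the server's own domain is the misroute the post describes.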
sssd-users mailing list -- [email protected]
