sssd personnel, When a Linux SE fat-fingers the domain name when doing a 'realm permit' or 'realm permit -g', it locks all permitted users and groups.
Even worse, it's not usually obvious from looking at the 'simple_allow_users' and 'simple_allow_groups' lines which entry is the culprit. Here's an example: simple_allow_groups = [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected] simple_allow_users = [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected] The offending entry is '[email protected]'. The Linux SE fat-fingered that user when doing a realm permit. Since sssd treats this as an unknown domain (to sssd), it locks all permitted users and groups. I've tried to submit this to my OS vendor as a bug, but they claim it's a 'feature'. Ok, but it would be nice to have a configuration option to ignore permitted users and groups from unknown realms -- to not lock all existing permitted users and groups. Spike
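Added example, not part of the original message and not sssd code: a small pre-deployment check that parses an sssd.conf and reports which 'simple_allow_users' / 'simple_allow_groups' entry carries a realm that no [domain/...] section defines. It assumes entries use the name@realm form shown above; the sample config, the function name and the extra_domains parameter are constructed for illustration.

```python
import configparser

# Constructed sample sssd.conf; domain and principal names are made up.
SAMPLE_CONF = """\
[sssd]
domains = corp.example.com
services = nss, pam

[domain/corp.example.com]
id_provider = ad
access_provider = simple
simple_allow_groups = linux-admins@corp.example.com, dba@corp.example.com, web-ops@corp.exmaple.com
simple_allow_users = alice@corp.example.com, bob@corp.example.com
"""

ACCESS_KEYS = ("simple_allow_users", "simple_allow_groups")


def find_unknown_realm_entries(conf_text, extra_domains=()):
    """Return [(section, key, entry, realm)] for entries whose realm is not known.

    Assumption: "known" means the name of a [domain/...] section in this file
    or a name in extra_domains (e.g. trusted domains sssd discovers at runtime).
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    known = {s.split("/", 1)[1].lower() for s in cp.sections() if s.startswith("domain/")}
    known |= {d.lower() for d in extra_domains}

    findings = []
    for section in cp.sections():
        if not section.startswith("domain/"):
            continue
        for key in ACCESS_KEYS:
            raw = cp.get(section, key, fallback="")
            for entry in (e.strip() for e in raw.split(",")):
                if "@" not in entry:
                    continue  # short names carry no realm to compare
                realm = entry.rsplit("@", 1)[1].lower()
                if realm not in known:
                    findings.append((section, key, entry, realm))
    return findings


if __name__ == "__main__":
    for section, key, entry, realm in find_unknown_realm_entries(SAMPLE_CONF):
        print(f"[{section}] {key}: '{entry}' uses unknown realm '{realm}'")
```

Running it against the file before restarting sssd after a 'realm permit' points at the mistyped entry directly; realms that are valid but not defined as a section (trusted domains, for instance) go in extra_domains.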
